discovering and exploiting novel security vulnerabilities in apple
TRANSCRIPT
DISCOVERINGANDEXPLOITINGNOVELSECURITYVULNERABILITIESINAPPLEZEROCONF
(Xiaolong Bai, LuyiXing)(co-firstauthors),NanZhang,XiaoFengWang,Xiaojing Liao,Tongxin Li,Shi-MinHu
TsinghuaUniversity,IndianaUniversityBloomingtonGeorgiaInstituteofTechnology,
PekingUniversity 1
Who are we ?
• SystemSecurityLab,IndianaUniversityBloomington– Focus on novel problems in system security– High-impact publications on IEEE S&P, ACM CCS, Usenix Security, NDSS– http://sit.soic.indiana.edu/en/
• Our advisor: Prof. XiaoFeng Wang– Top10authorsonleadingsecurityvenuesforthepast10years– http://www.informatics.indiana.edu/xw7/
2
Who are we ?
• We have two talks on Black Hat USA 2016– Luyi Xing and Xiaolong Bai, DISCOVERINGANDEXPLOITINGNOVELSECURITYVULNERABILITIESINAPPLEZEROCONF, August 4, JasmineBallroom, 12:10- 13:00
– NanZhang, DANGEROUSHARE:HANGINGATTRIBUTEREFERENCESHAZARDSDUETOVENDORCUSTOMIZATION,August 4, SouthSeasGH, 17:00- 17:25
3
4
DISCOVERINGANDEXPLOITINGNOVELSECURITYVULNERABILITIESINAPPLEZEROCONF
ZeroConf
5
• Zero Configuration Networking• Automatically configures a usable computer network– Nomanualconfiguration– Nospecificconfigurationserver
• Designed to reduceusers’ burden– Setting up a new network– Use a new service.
ZeroConf
6
• Bonjourprotocol– zero-configurationnetworkingoverIPthatApplehassubmittedtotheIETF.
• Goals:–Withlittleornoconfiguration– toadddevices/servicestoalocalnetwork– Existingdevicescanautomaticallyfindandconnecttothosenewdevices/services
Bonjour
7
• Administrators– noneedtoassignIP,hostnames,servicenamestonetworkservices(e.g.,printer)
• Whenusingaservice,userssimply– asktoseewhatnetworkservicesareavailable– andchoosefromthelistofautomaticallydiscoveredservices.
Howabouttraditionalconfigurednetwork?
8
9
MustConfigure:– IP– Printername,
• e.g.,lh135-soic.ads.iu.edu– DNSserver
Traditionally
✔
10
Traditionally
MustConfigure:– IP– Printername,
• e.g.,lh135-soic.ads.iu.edu– DNSserver
FeaturesofBonjour
11
1. Serviceconfiguresitself– IP,hostname,serviceinstancename
2. Clientsautomaticallydiscoveravailableservices– Nopre-knowledgeoftheservice’sname,hostnameorIP
1.ZeroConf Concept2.So,how?
12
FeaturesofBonjour
13
1. Serviceconfiguresitself– IP,hostname,serviceinstancename
2. Clientsautomaticallydiscoveravailableservices– Nopre-knowledgeoftheservice’sname,hostnameorIP
14
Addanewprintertoanetwork
15
IsanybodyusingIPfe80::abcd:1234....?
Aprinterconfiguresitself
16
No?Great,I’lltakeit.
IPfe80::abcd:1234
Aprinterconfiguresitself
17
AnybodyusinghostnameHP9FE5.host.local?
IPfe80::abcd:1234
Aprinterconfiguresitself
18
No?Wonderful,I’lltakeit.
IPfe80::abcd:1234
HostnameHP9FE5.host.local
Aprinterconfiguresitself
19
AnybodyhavingaprintingservicenamedHP-Service-9FE5?
Aprinterconfiguresitself
IPfe80::abcd:1234
HostnameHP9FE5.host.local
ServiceInstanceNameHP-Service-9FE5
20
IPfe80::abcd:1234
HostnameHP9FE5.host.local
ServiceInstanceNameHP-Service-9FE5
Aprinterfinishes configuringitself
21
1. Serviceconfiguresitself– IP,hostname,serviceinstancename
2. Clientsautomaticallydiscoveravailableservices– Nopre-knowledgeoftheservice’sname,hostnameorIP
FeaturesofBonjour
Twophases:DiscoveryandResolution
22
Automaticallyfindtheprinter:Discovery
Q1:Anyonehasaprinterservice? A1:
IhaveHP-Service-9FE5
23
Q1:Anyonehasaprinterservice?
Q2:SoonwhichhostisthisHP-Service-9FE5?
A2:It’sonhostHP9fe5.host.local
Automaticallyfindtheprinter:Resolution
A1:IhaveHP-Service-9FE5
24
Q1:Anyonehasaprinterservice?
Q2:SoonwhichhostisthisHP-Service-9FE5?
A2:It’sonhostHP9fe5.host.local
Automaticallyfindtheprinter:Resolution
A1:IhaveHP-Service-9FE5
Q3:WhatistheaddressofNPI9fe5.host.local?
A3:Itsaddress isfe80::abcd:1234
Added/Saved theprintertoyourlist
25
IPfe80::abcd:1234
HostnameHP9FE5.host.local
ServiceInstanceNameHP-Service-9FE5
Added/Saved theprintertoyourlist
26
IPfe80::abcd:1234
HostnameHP9FE5.host.local
ServiceInstanceNameHP-Service-9FE5
Apple:
Applicationsstoreserviceinstancenames,soiftheIP,port, or hostnamechanged,theapplicationcanstillconnect.
ServiceinstancenameHP-Service-9FE5issaved
27
IPfe80::abcd:1234
HostnameHP9FE5.host.local
ServiceInstanceNameHP-Service-9FE5
Savedprinter=AprinterwhoownsservicenameHP-Service-9FE5
Adversary Model
28
• Onadevice(malwareinfected)inyourlocalnetwork• Aimstointerceptsecrets/filestransferredbetweenuninfected devices
Adversary Model
29
• YourMac/printerareun-infected• Stealyourprintingdocuments?
30
1.ZeroConf Concept2.ZeroConf How3. ZeroConf Breaking
Printer
1.ZeroConf Concept2.ZeroConf How3. ZeroConf Breaking
Case1:AttackBonjour
31
AttackBonjour
• Twoexamples• Printer– PrintersusingBonjour
• PhotoSync– SynchronizingphotosbetweenMacandiPhoneusingBonjour
• Notan application-specificorservice-specificproblem– Vulnerabilities in the design of Bonjourprotocol
32
33
Adeviceinfectedbymalware
IPHostnameServiceInstanceName
HP-Service-9FE5
34
Adeviceinfectedbymalware
IhaveaprintingserviceinstancenamedHP-Service-9FE5
IPHostnameServiceInstanceName
HP-Service-9FE5
ServiceInstanceNameHP-Service-9FE5
35
Adeviceinfectedbymalware
xf
IPHostnameServiceInstanceName
HP-Service-9FE5
ServiceInstanceNameHP-Service-9FE5
IhaveaprintingserviceinstancenamedHP-Service-9FE5
36
Savedprinter=AprinterwhoownsservicenameHP-Service-9FE5
NewServiceNameHP-Service-9FE5(2)
xServiceInstanceNameHP-Service-9FE5
37
Three Changing Attributes:– IP– Hostname– ServiceInstanceName
Apple:Applicationsstoreserviceinstancenames,soiftheIP,port, or hostnamechanged,theapplicationcanstillconnect.
Whyithappens?
38
• Anyonecanclaimanyvalueofthethreeattributes• Theprotocolonlyguaranteesnoduplicates.
Lackofauthentication
Three Changing Attributes:– IP– Hostname– ServiceInstanceName
Ifnotsavingserviceinstancenames,isitsecureenough?
39
AttackBonjour
• PhotoSync– SynchronizingphotosbetweenMacandiPhoneusingBonjour
• Notsavingserviceinstancename– Clientdiscoversandresolvestheservereachtime
40
Normally
• Discovery:Clientbrowsesforserver
41
WhohasPhotoSync service
ClientServer
means broadcast
Normally
• Discovery:Serverrespondswithserviceinstancename
42
WhohasPhotoSync service
Ihave.serviceinstancename:abcd
means broadcast
ClientServer
Normally
• Resolution1:Clientqueriesforthehostnameoftheservice
43
WhohasPhotoSync service
Ihave.serviceinstancename:abcd
Whatisthehostname ofabcd
means broadcast
ClientServer
Normally
• Resolution1:Serverrespondswiththehostname
44
WhohasPhotoSync service
Ihave.serviceinstancename:abcd
Whatisthehostname ofabcd
Its hostname isMacbook
means broadcast
ClientServer
Normally
• Resolution2:Clientqueriesfortheaddressofthehost
45
WhohasPhotoSync service
Ihave.serviceinstancename:abcd
Whatisthehostname ofabcd
Its hostname isMacbook
Whatistheaddress ofMacbook
means broadcast
ClientServer
Normally
• Resolution2:Serverrespondswithitsaddress
46
WhohasPhotoSync service
Ihave.serviceinstancename:abcd
Whatisthehostname ofabcd
Its hostname isMacbook
Whatistheaddress ofMacbook
Itsaddress is 192.168.0.1
means broadcast
ClientServer
WhatCanGoWrong?
• Anothermalware-infecteddevicespoofstheclient– SuccessfulMan-in-the-Middle
• DuringResolution– Serviceinstancenametohostname– Hostnametoaddress
47
WhatCanGoWrong?
• Attack1:serviceinstancenametohostname
48
What is the host name ofservice instance abcd
Client
Server
Attacker
WhatCanGoWrong?
• Attack1:serviceinstancenametohostname
49
Client
Server
Attacker
The host name of serviceinstance abcd is Macbook
The host name of serviceinstance abcd is Mallory
WhatCanGoWrong?
• Attack1:serviceinstancenametohostname
50
Client
Server
AttackerConnect
WhatCanGoWrong?
• Attack1:serviceinstancenametohostname
51
Client
Server
AttackerConnect
Connect
WhatCanGoWrong?
• Attack2:serviceinstancenametohostname
52
What is the address ofhost Macbook
Client
Server
Attacker
WhatCanGoWrong?
• Attack2:serviceinstancenametohostname
53
Client
Server
Attacker
The address of host Macbookis 192.168.0.1
The address of host Macbookis 192.168.0.100
WhatCanGoWrong?
• Attack2:serviceinstancenametohostname
54
Client
Server
AttackerConnect
WhatCanGoWrong?
• Attack2:serviceinstancenametohostname
55
Client
Server
AttackerConnect
Connect
Demo
56
• https://www.youtube.com/watch?v=WUWusqgqFr0&feature=youtu.be
57
FundamentalProblem
• Lackofauthentication• Anyonecanclaimanyvalueoftheidentificationattributes• Theprotocolonlyguaranteesnoduplicates,butnotsecurity.
Isiteasytoprovideauthentication?
1.ZeroConf Concept2.ZeroConf How3.ZeroConf Breaking
Case2:Airdrop
58
59
AirdropbetweenAppledevices
• WithAirDrop,youcansharephotos,videos,websites,locations,andmorewithpeoplenearbywithanAppledevice.
60
Jeff’sMacbook:Q1:Anyonehasanairdropservice?
Alice’siPhone:
AttackAirdrop
Ihaveaservicenamedabcd.airdrop.service
61
AttackAirdrop
Jeff’sMacbook:Q2:SoonwhichhostisAlice’sservice?
62
AttackAirdrop
Alice’siPhone:A2:It’sonhostAlices.iphone.local
Jeff’sMacbook:Q2:SoonwhichhostisAlice’sservice?
Bob’siMac:A2:It’sonhostBobs.imac.local
63
Alice’siPhonehasservicenamedabcd.airdrop.tcp,whichisonhostBobs.imac.local
Jeff’sMacbook:Q2:SoonwhichhostisAlice’sservice?
Bob’siMac:A2:It’sonhostBobs.imac.local
Alice’siPhone:A2:It’sonhostAlices.iphone.local
64
DoesTLShelp?
Jeff’sMacbook:Connecthttps://Bobs.imac.local
Alice’siPhone:A2:It’sonhostAlices.iphone.local
Bob’siMac:A2:It’sonhostBobs.imac.local
TLSinAirdrop
65
Servercertificateissuedtoappleid.CDEF…
https://Bobs.imac.local
Bob’siMac
Jeff’sMacbook
Servercertificateissuedtoappleid.ABCD…
https://Alices.iphone.local
Alice’siPhone
Sothecertificateinairdropcanhardlybeusedforauthentication.
66
Servercertificateissuedtoappleid.CDEF…
https://Bobs.imac.local
Bob’siMac
Jeff’sMacbook
Servercertificateissuedtoappleid.ABCD…
https://Alices.iphone.local
Alice’siPhone
Domainshouldmatchthecertificate
67
https://google.com
Certificateissuedtogoogle.com
Jeff’sMacbook
Bob’siMac
https://Bobs.imac.local
Servercertificateissuedtoappleid.CDEF…
xf
xf
68
Servercertificateissuedtoappleid.CDEF…
https://Bobs.imac.local
Bob’siMac
Jeff’sMacbook
Servercertificateissuedtoappleid.ABCD…
https://Alices.iphone.local
Alice’siPhone
Domainshouldmatchthecertificate
69
What’swrongwithTLSinAirdrop
• Thecertificateinairdropcannotbeusedforauthentication– E.g,certificateshouldbeissuedtoAlice– butindeedissuedtoappleid.ABCD…
• ThecertificateshouldbeissuedtoWHAT?
What’swrongwithTLSinAirdrop
• Issuethecertificatetothedomain(hostname)?– No.Hostnamemaychange andnotrepresentingauser
• Issuethecertificatetotheuser’sname?– No.Namecanbeduplicated
• Issuethecertificatetotheuser’ssocialsecuritynumber?– No.socialsecuritynumberistooprivate
70
71
What’swrongwithTLSinAirdrop
• Linkingahumantohercertificateiscomplicated– challengeinfindinganyidentifiableinformationthatare• well-known• noprivacyimplication• andunique
Demo
72
• https://www.youtube.com/watch?v=2JEJLpvnRO4
TechnicalDetails
• Airdropservicedaemon:/usr/libexec/sharingd– ResponsibleforBonjourprocessandhttpsconnection
• Notethernet interface,Appleprivateinterface– awdl0:AppleWirelessDirectLink– Device-to-devicedirectlink
73
TechnicalDetails
• Howtoworkonthisinterface?– sharingd usesanApple-privatesocketoptionSO_RECV_ANYIF(0x1104)
74
75
SomecustomizedZeroConf protocols
• FileDrop– TCPpacketsfordiscovery– ellipticcurvecryptographyforsecurity– Failedinauthentication• challengeinlinkingahumantoherpublickey
76
1.ZeroConf Concept2.ZeroConf How3. ZeroConf Breaking
Case3:Apple’sVulnerableframework
Apple’sVulnerableframework
77
• Multipeer Connectivity(MC)– AframeworkforautomaticservicediscoverybetweennearbydevicesacrossWi-FiandBluetoothwithoutconfiguration
• Objecttoidentifyeachapp:peerID– displayName (public)&uniqueID (private)
• AutomaticServiceDiscoveryWithoutConfiguration– ServersadvertisepeerIDs
Normally
78
Server
Server Client
peerIDdisplayName:AliceuniqueID:8573a
peerIDdisplayName:BobuniqueID:6c5b3
• AutomaticServiceDiscoveryWithoutConfiguration– ServersadvertisepeerIDs,ClientbrowsepeerIDs (showdisplayName)
Normally
79
peerIDdisplayName:AliceuniqueID:8573a
peerIDdisplayName:BobuniqueID:6c5b3
Alice
Bob
Server
Server Client
• EvenifservershavethesamedisplayName
Normally
80
peerIDdisplayName:AliceuniqueID:abcde
peerIDdisplayName:AliceuniqueID:54321
Server
Server Client
• EvenifservershavethesamedisplayName– uniqueIDs generatedbyMCwillalwaysbedifferent
Normally
81
peerIDdisplayName:AliceuniqueID:abcde
peerIDdisplayName:AliceuniqueID:54321
Server
Server Client
• EvenifservershavethesamedisplayName– uniqueIDs generatedbyMCwillalwaysbedifferent
Normally
82
Alice
Alice
peerIDdisplayName:AliceuniqueID:abcde
peerIDdisplayName:AliceuniqueID:54321
Server
Server Client
• Attackeractsasbothclientandserver– BrowseandacquirepeerID objectfromvictimserver
WhatCanGoWrong?
83
peerIDdisplayName:AliceuniqueID:abcde
Server
Client&Server Client
• Attackeractsasbothclientandserver– AdvertiseusingthesamepeerID object
WhatCanGoWrong?
84
Alice
peerIDdisplayName:AliceuniqueID:abcde
peerIDdisplayName:AliceuniqueID:abcde
Server
Client&Server Client
• ClientcannotdistinguishbecauseofsameuniqueID
WhatCanGoWrong?
85
Alice
AnUpdate?
peerIDdisplayName:AliceuniqueID:abcde
peerIDdisplayName:AliceuniqueID:abcde
Server
Client&Server Client
• ClientcannotdistinguishbecauseofsameuniqueID• Clientmapstheonlypeertoattacker’saddress(MitM)
WhatCanGoWrong?
86
Alice
peerIDdisplayName:AliceuniqueID:abcde
peerIDdisplayName:AliceuniqueID:abcde
Server
Client&Server Client
• MitM attacker– First acts as client browsing for advertising servers– Once found a server, advertise using the same peerID
Technical Details
87
IfnotusingpeerID toforidentification,isitsecureenough?
88
89
1.ZeroConf Concept2.ZeroConf How3. ZeroConf Breaking
Case4:MCinQQ
MCinQQ
• PopularinstantmessagingsoftwareinCN– 829millionactiveaccounts (Wikipedia)
• Face-To-FaceTransfer– TransferfilesbetweennearbypeersbyusingMultipeer Connectivity
• NotusingpeerID foridentification– CustomizeduniqueQQID
90
FacetoFaceTransfer
SendFile
Recv File
• ReceiveradvertisesitsQQID
Normally
91
Receiver
ReceiverSender
Lookingforreceiver
MyQQIDis1234
MyQQIDis4321
• SenderbrowsesforreceiversandfoundtheirQQIDs
Normally
92
Receiver
ReceiverSender
FoundReceivers:QQID:1234QQID:4321
MyQQIDis1234
MyQQIDis4321
• SenderconnectstoreceiverandgivesitsQQID
Normally
93
Receiver
ReceiverSender
FoundReceivers:QQID:1234QQID:4321
MyQQIDis5678
MyQQIDis5678
Connect
Connect
• SenderconnectstoreceiverandgivesitsQQID
Normally
94
Receiver
ReceiverSender
FoundReceivers:QQID:1234QQID:4321
MyQQIDis5678
MyQQIDis5678
Connect
Connect
SenderConnected:QQID:5678
SenderConnected:QQID:5678
• ReceiveradvertisesitsQQID
WhatCanGoWrong?
95
ReceiverSender
Lookingforreceiver
MyQQIDis1234
Attacker
Lookingforreceiver
• Attackerfoundvictimreceiver’sQQID
WhatCanGoWrong?
96
ReceiverSender
Lookingforreceiver
MyQQIDis1234
Attacker
FoundReceiver:QQID:1234
• AttackeradvertiseusingthesameQQID
WhatCanGoWrong?
97
ReceiverSender
Lookingforreceiver
MyQQIDis1234
Attacker
AdvertisingQQID:1234
• SenderfoundonlyoneQQID
WhatCanGoWrong?
98
ReceiverSender
MyQQIDis1234
Attacker
FoundReceiver:QQID:1234
• SenderconnectstoAttacker
WhatCanGoWrong?
99
ReceiverSender Attacker
FoundReceiver:QQID:1234
Connect
QQID:5678
• AttackerconnectstoReceiverusingtheSender’sQQID
WhatCanGoWrong?
100
ReceiverSender Attacker
Connect
QQID:5678
Demo
101
• https://www.youtube.com/watch?v=B71FlD3_vrc
102
1.ZeroConf Concept2.ZeroConf How3. ZeroConf Breaking
Case5:Bluetooth
AllyouriOS notificationsbelongtome
103
• ZeroConf onBluetooth:AppleHandoff– AservicethatletsiOSandOSXsynchronizedatathroughBluetoothwithoutconfiguration
Normally
104
• HandoffcreatesBluetoothChannelwithoutconfiguration– DevicesloggedinwiththesameiCloudaccount– PairingautomaticallythroughiCloudaccount
Bluetooth
WhatCanGoWrong?
• BluetoothZeroConf:Noapp-levelauthentication• AppleNotificationCenterService(ANCS)– designedforBluetoothaccessoriestoaccessnotificationsoniOSdevices
105
Bluetooth
WhatCanGoWrong?
• BluetoothZeroConf:Noapp-levelauthentication• AppleNotificationCenterService(ANCS)• ThroughBluetoothchannelcreatedbyHandoff
106
Bluetooth
WhatCanGoWrong?
• BluetoothZeroConf:Noapp-levelauthentication• AppleNotificationCenterService(ANCS)• ThroughBluetoothchannelcreatedbyHandoff
107
Bluetooth
Demo
108
• https://www.youtube.com/watch?v=c5viAzAs0Uo
Summaryofattacks
• AttacksonAppleZeroConf channels– Bonjour (Printer,PhotoSync)– Airdrop– CustomizedZeroConf protocols (Filedrop)– Multipeer Connectivity(MCBrowserViewController,QQ)– Handoff
• Allvulnerabilitieswerereportedtovendors,acknowledgedbymostvendors
109
110
1.ZeroConf Concept2.ZeroConf How3.ZeroConf Breaking4.Impact
Impact
111
• Measurement–Weanalyzed61popularMacandiOSappsworkingwithZeroConf– 88.5%arevulnerabletoman-in-the-middleorimpersonationattacks
ZeroConfChannels
Vulnerable/Sampled SensitiveInformationLeaked
Bonjour 18/22 files,directoriesandclipboardsynced,documentsprinted,instantmessage
MC 24/24 filesandphotostransferred,instantmessage
BLE 10/13 Usernameandpassword forOSX
Customizedprotocols 2/2 remote keyboardinputandfilestransferred
112
1.ZeroConf Concept2.ZeroConf How3.ZeroConf Breaking4.Impact5.ProtectingZeroConf
ProtectingZeroConf
113
• Problem:linkahumantohercertificateiscomplicated• SpeakingoutYourCertificate(SPYC)– Voicebiometricstiescertificatetoidentity
SpeakingOutYourCertificate
114
Hashh
Partitiontokn-bitsegments
Δ1||Δ2||…||Δk
nk mostsignificantbits
<w1, w2, …, wk>Wordslistlinkingtothecertificate
ProtectingZeroConf
115
• Challenge:linkahumantohercertificate• SpeakingoutYourCertificate(SPYC)– Voicebiometricstiescertificatetoidentity– HumanSubjectStudy:convenientandeffective
Conclusion
116
• Apple’sZeroConf techniquesarenotsecureasexpected– Theusability-orienteddesignaffectssecurity
• Addressingsuchsecurityrisksisnontrivial– Challengeinbindingahumantohercertificate
• OurDefense:SPYC– Voicebiometricstiescertificatetoidentity