ih8sn0w-jailbreakcon_2014

Upload: sergio-del-saac-diaz

Post on 05-Feb-2018


TRANSCRIPT

  • 7/21/2019 iH8sn0w-Jailbreakcon_2014

    1/32

    Exploring Apple's iCloud Activation Lock

    (and some other stuff)

    By: iH8sn0w, Jailbreakcon 2014

    April 13, 2014


    Who Am I?

    Steven (iH8sn0w)

    From Toronto, Ontario (Canada)

    19 years old. Involved in the iOS jailbreak community since 2009.

    Known for r0bf0rdsn0w, sn0wbreeze, iREB, iFaith, and f0recast.

    * sn0wbreeze --> Custom IPSW creator for Windows via xpwn.
    * p0sixspwn --> iOS 6.1.3/6.1.4/6.1.5/6.1.6 untether/jailbreak.
    * iREB --> Entering a Pwned DFU on select devices and exiting recovery mode.
    * iFaith --> Dump SHSH blobs for the iOS version actively running on the device.
    * f0recast --> Lets the user know whether or not they can jailbreak or unlock (and soon it'll let users know if their phone is factory unlocked, due to the new factory unlock services springing up all over the web).


    Previous Talks

    Downloadable at: http://iH8sn0w.com/jbcon2012


    Previous Talks


    Downloadable soon.


    iOS 3 to iOS 4.2.1/4.3.x

    Find My iPhone was included with a yearly subscription to MobileMe.

    MobileMe was retired with iCloud.

    Thieves can DFU restore and resell the device.


    iOS 5 to iOS 6.1.6

    Find My iPhone was now free for the majority of devices.

    Still useless if thieves DFU restored.


    iOS 7

    iCloud Activation Lock

    The restorer could not activate the phone until the Apple ID + password previously paired to the iDevice is entered and verified.


    iCloud Activation Lock

    [PRO] Thieves cannot use the device.
    [CON] Used as a reseller scam.
    [CON] Apple cannot reset the lock. wat?


    Albert

    Apple's activation server.

    Sends down signed activation tickets in response to what it was sent.

    Responsible for unlocks. Responsible for locks. Responsible for iCloud locks. Responsible for Push and iMessage.

    * Not a person *


    How IMEI locks work

    All iPhones are built the same.

    Phones are programmed/locked at the Apple Store or at retail.

    All future activations must satisfy the programmed requirements.

    If one requirement fails, activation is refused.

    * The only difference between handsets is the region they're designated to go to.
    * Upon the purchase of the phone from an Apple Store, depending on whether you paid for a fully unlocked model or a locked one, the Genius submits the lock information to Albert.
    * All future activations must fulfill those requirements that were set.


    How Activations work

    [Diagram: the iDevice sends an Activation Request (SIM's ICCID, SIM's IMSI, Serial Number, Model) to Albert; Albert replies with an Activation Ticket.]

    * The iDevice generates a unique activation request for Albert (contains info like SIM ICCID, IMSI, Serial Number, etc).
    * Albert verifies that the conditions of the lock on file for the IMEI match what it got.
    * Replies with an Activation Ticket.


    How Hactivations work

    [Diagram: iDevice, Albert, Activation Request (SIM's ICCID, SIM's IMSI, Serial Number, Model), Activation Ticket.]

    * The device is short circuited to already be activated on boot.
    * Known to cause battery issues in various builds due to memory leaks.


    How iOS 7 Activations work

    [Diagram: the iDevice sends an Activation Request (SIM's ICCID, SIM's IMSI, Serial Number, Model) to Albert; Albert checks "Is Locked to Find My iPhone?" and returns either an HTML Page or an Activation Ticket.]

    * The iDevice generates a unique activation request for Albert (contains info like SIM ICCID, IMSI, Serial Number, etc).
    * Albert looks up whether the device asking for an activation ticket is locked via Find My iPhone.
    * If it is, an HTML page is sent down instead of an Activation Ticket. This is the "Enter your Apple ID/Password" page.
    * Albert verifies that the conditions of the lock on file for the IMEI match what it got.
    * Replies with an Activation Ticket.
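    A small Python model of the iOS 7 decision described on this slide, added here as an illustration and not code from the talk or from Apple: Albert's real record schema, the carrier lookup tables, the sample IMEIs and the ICCID/IMSI consistency check are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed lookup tables standing in for Albert's records (assumption: the
# real schema is unknown; only the fields named on the slides are modelled).
CARRIER_BY_MCCMNC = {"310410": "AT&T", "310260": "T-Mobile"}          # IMSI prefix
CARRIER_BY_ICCID_ISSUER = {"8901410": "AT&T", "8901260": "T-Mobile"}  # ICCID prefix


@dataclass
class LockRecord:
    serial: str
    model: str
    carrier_lock: Optional[str]          # None = factory unlocked
    find_my_iphone_owner: Optional[str]  # Apple ID if Activation Lock is on


@dataclass
class ActivationRequest:
    imei: str
    serial: str
    model: str
    iccid: str
    imsi: str


# Constructed sample records keyed by IMEI (placeholder identifiers).
RECORDS = {
    "IMEI-LOCKED-ATT": LockRecord("SN-A", "iPhone4", "AT&T", None),
    "IMEI-FMI-LOCKED": LockRecord("SN-B", "iPhone4", None, "owner@example.com"),
}


def albert_decide(records: dict, req: ActivationRequest) -> str:
    """Return 'HTML_PAGE' (Apple ID prompt), 'TICKET', or a refusal reason."""
    rec = records.get(req.imei)
    if rec is None or rec.serial != req.serial or rec.model != req.model:
        return "REFUSED: IMEI/serial/model do not match the record on file"
    # iOS 7 step: the Find My iPhone lookup happens before any ticket is built.
    if rec.find_my_iphone_owner is not None:
        return "HTML_PAGE"
    sim_carrier = CARRIER_BY_MCCMNC.get(req.imsi[:6])
    iccid_carrier = CARRIER_BY_ICCID_ISSUER.get(req.iccid[:7])
    # Added consistency check (assumption, not on the slides): ICCID and IMSI
    # must describe the same SIM, so a request mixing two SIMs is rejected.
    if sim_carrier is None or sim_carrier != iccid_carrier:
        return "REFUSED: SIM ICCID and IMSI disagree"
    if rec.carrier_lock is not None and sim_carrier != rec.carrier_lock:
        return "REFUSED: SIM carrier does not satisfy the lock on file"
    return "TICKET"
```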


    Client Side Attacks (DFU)

    iPhone 4 susceptible to limera1n.

    Allows execution of custom ramdisk.

    Hard-patch of /usr/libexec/lockdownd

    Removal of /Applications/Setup.app



    Client Side attacks

    The phone did not get a valid activation ticket, so it has no clue what carrier it's locked to (no service).

    The phone basically functions as an iPod or iPad.


    Client Side Attacks (cont'd)

    Setup.app crashes:

    Refuses to run any apps. Services that jailbreaks exploit are not running (installd & mobilebackup2).

    Worth noting AFC is active regardless of activation state.

    * People that managed to crash Setup.app via complicated procedures (e.g. getting to Phone.app from the emergency call screen and adding contacts) would notice that SpringBoard apps fail to run.


    Userland Jailbreaks

    Modern userland jailbreaks exploit services that only spawn on activated iDevices, e.g. installd and mobilebackup2.

    Same reason the AppleTV 3 jailbreak isn't out (nito ;P): the AppleTV has limited services running.


    Server Side Attacks

    Submit malformed requests to the server that would cause server side code to take alternative paths.

    e.g. SAM unlock, GSX sessID, TSS bug

    * The goal for a server-side iCloud Activation Lock bypass would be to convince the server not to check whether the device is linked to an Apple ID.


    Server Side Attacks (SAM)

    SAM was developed by sbingner (awesome dude).

    Able to manipulate activation requests on jailbroken phones to achieve /proper/ hactivations.

    A community user used SAM to generate an activation request with mixed components from an AT&T SIM and a T-Mobile SIM.


    Server Side Attacks (GSX)

    Create a GSX account with a leaked GSX code.

    GSX accounts require approval by an admin.

    Able to access various components by copying the session ID when visiting the root of GSX.

    Submit requests to GSX via the JavaScript console.

    Several IMEI checkers used this technique till it was patched months later.


    Server Side Attacks (TSS)

    Found by iNeal and me randomly while Skyping. Allowed TSS to reply back with blobs for iOS versions that were no longer being signed (essentially allowed downgrades).

    * The TSS server is what replies back with SHSH blobs and APTickets (gs.apple.com).
    * While speaking with iNeal on Skype, I told him an idea I had for attacking the TSS server.
    * He tried it and it actually worked.
    * We were trying to get it to sign anything we gave it.
    * Only managed to get TSS to sign previously signed/trusted images.
    * Essentially allowed downgrades.
    * Got closed randomly days later.
    * We blame my homework and the internal errors we caused.
    * Apple most likely saves the requests we sent to the server upon internal errors to an isolated location for future analysis.


    Server Side Attacks (TSS)


    Goal was to get TSS to sign anything.

    Was closed days later! :( [March 30, 2014].



    Server Side Attacks (TSS)



    Hardware Attacks (wat?)

    Where's geohot at? The iPhone 4 GSM baseband has not been unlockable via Gevey since 04.10.01.

    The Chinese took it into their own hands. Got tired of waiting for a new software unlock? They developed a hardware technique to unlock the iPhone 4.


    Hardware Attacks (wat?)

    Desolder the original factory iPhone 4 GSM baseband.

    Replace it with a similar chip sold by Infineon.

    The chip has the same chipset as the factory baseband. Flash the latest baseband + IMEI via Phone Tool. Change the SN accordingly in NAND_SYSCFG (otherwise the Albert request will mismatch).

    ** ADD PICTURES HERE **

    * Change the IMEI/SN to those of a factory unlocked (iCloud-free) handset.
    * Illegal in the majority of countries.
    * The result of the change will be a factory unlocked iPhone 4 with service.
    * To the server, it will look like a completely different device.


    Noteworthy Flaws

    iOS 7.0.x: iCloud removal/disable of Find My iPhone.

    iOS 7.1: iCloud removal/disable of Find My iPhone.

    Thieves might be able to reset the iCloud password before restoring [if not locked] (tons of users have their iCloud email set up in Mail.app).


    Bruteforce Apple IDs?!

    Apple IDs can be bruteforced with a dictionary.

    Some old Apple IDs do not have strong password conditions.

    WHY IS THERE NO CAPTCHA AFTER 100 FAILED ATTEMPTS?

    Supposedly has a 43%-ish success rate.


    What should be done?

    CAPTCHA after failed password attempts.

    Not echo so much personal info over syslog.

    Better Apple support to reset iCloud Activation Locks.


    What is happening?

    iCloud locked devices are usually either being sold as a scam or for parts only.

    Marketing? If you purchased an iPhone on eBay that is iCloud locked, check the listing and possibly file a PayPal dispute.


    r0bf0rdsn0w?

    do u believe?

    Cracked only by one person so far. Speak to me privately if you would like to know more about how this /concept/ works.


    sn0wbreeze for iOS 7?!

    Hacktivation in sn0wbreeze would trigger issues with the DMCA since it would unknowingly also bypass the iCloud Activation Lock.

    An iFaith update will probably happen for the iPhone 4 and AppleTV 2.


    Q&A (for this talk :P)