ih8sn0w-jailbreakcon_2014
TRANSCRIPT
-
7/21/2019 iH8sn0w-Jailbreakcon_2014
1/32
Exploring Apple's iCloud Activation Lock
By: iH8sn0w
JailbreakCon 2014
April 13, 2014
(and some other stuff)
-
Who Am I?
Steven (iH8sn0w)
From Toronto, Ontario (Canada)
19 years old
Involved in the iOS jailbreak community since 2009
Known for r0bf0rdsn0w, sn0wbreeze, iREB, iFaith, and f0recast.
* sn0wbreeze --> Custom IPSW creator for Windows via xpwn.
* p0sixspwn --> iOS 6.1.3/6.1.4/6.1.5/6.1.6 untether/jailbreak.
* iREB --> Entering a pwned DFU on select devices and exiting recovery mode.
* iFaith --> Dump SHSH blobs for the iOS version actively running on the device.
* f0recast --> Lets the user know whether or not they can jailbreak or unlock (and soon it'll let users know if their phone is factory unlocked, due to the new factory unlock services branching up all over the web).
-
Previous Talks
Downloadable at: http://iH8sn0w.com/jbcon2012
-
Previous Talks
Downloadable soon.
-
iOS 3 to iOS 4.2.1/4.3.x
Find My iPhone was included with a yearly subscription to MobileMe.
MobileMe was retired with iCloud.
Thieves can DFU restore and resell the device.
-
iOS 5 to iOS 6.1.6
Find My iPhone was now free for the majority of devices.
Still useless if thieves DFU restored the device.
-
iOS 7
iCloud Activation Lock
Whoever restores the device cannot activate it until the Apple ID and password previously paired to the iDevice are entered and verified.
-
iCloud Activation Lock
[PRO] Thieves cannot use the device.
[CON] Used in reseller scams.
[CON] Apple cannot reset the lock. wat?
-
Albert
Apple's activation server.
Sends down signed activation tickets in response to what it was sent.
Responsible for unlocks.
Responsible for locks.
Responsible for iCloud locks.
Responsible for Push and iMessage.
* Not a person *
-
How IMEI locks work
All iPhones are built the same.
Phones are programmed/locked at the Apple Store or at retail.
All future activations must satisfy the programmed requirements.
If one requirement fails, activation is refused.
* The only difference between handsets is the region they're designated to go to.
* Upon the purchase of the phone from an Apple Store, depending on whether you paid for a fully unlocked model or a locked one, the genius submits the lock information to Albert.
* All future activations must fulfill the requirements that were set.
-
How Activations work
[Diagram: iDevice sends an Activation Request (SIM's ICCID, SIM's IMSI, Serial Number, Model) to Albert; Albert replies with an Activation Ticket.]
* iDevice generates a unique activation request for Albert (contains info like SIM ICCID, IMSI, serial number, etc.).
* Albert verifies that the conditions of the lock on file for the IMEI match what it got.
* Replies with an Activation Ticket.
-
How Hactivations work
[Diagram: the same Activation Request (SIM's ICCID, SIM's IMSI, Serial Number, Model) / Activation Ticket exchange with Albert, which a hacktivated device never completes.]
* Device is short-circuited to already be activated on boot.
* Known to cause battery issues in various builds due to memory leaks.
-
How iOS 7 Activations work
[Diagram: iDevice sends an Activation Request (SIM's ICCID, SIM's IMSI, Serial Number, Model) to Albert; Albert asks "Is locked to Find My iPhone?" and replies with either an Activation Ticket or an HTML page.]
* iDevice generates a unique activation request for Albert (contains info like SIM ICCID, IMSI, serial number, etc.).
* Albert looks up whether the device asking for an activation ticket is locked via Find My iPhone.
* If it is, an HTML page is sent down instead of an Activation Ticket. This is the "Enter your Apple ID/password" page.
* If it is not, Albert verifies that the conditions of the lock on file for the IMEI match what it got, and replies with an Activation Ticket.
-
Client Side Attacks (DFU)
iPhone 4 susceptible to limera1n.
Allows execution of custom ramdisk.
Hard-patch of /usr/libexec/lockdownd
Removal of /Applications/Setup.app
-
Client Side Attacks (cont.)
Phone did not get a valid activation ticket, so it has no clue what carrier it's locked to (no service).
Phone basically functions as an iPod or iPad.
-
Client Side Attacks (cont.)
Setup.app crashes:
Refuses to run any apps.
Services that jailbreaks exploit are not running (installd & mobilebackup2).
Worth noting AFC is active regardless of activation state.
* People who managed to crash Setup.app via complicated procedures (e.g. getting to Phone.app from the emergency call screen and adding contacts) would notice that SpringBoard apps fail to run.
-
Userland Jailbreaks
Modern userland jailbreaks exploit services that only spawn on activated iDevices.
e.g. installd and mobilebackup2
Same reason an AppleTV 3 jailbreak isn't out (nito ;P): AppleTV has limited services running.
-
Server Side Attacks
Submit malformed requests to the server that would cause server-side code to take alternative paths.
e.g. SAM unlock, GSX sessID, TSS bug
* The goal for a server-side iCloud Activation Lock bypass would be to convince the server not to check whether the device is linked to an Apple ID.
-
Server Side Attacks (SAM)
SAM developed by sbingner (awesome dude).
Able to manipulate activation requests on jailbroken phones to achieve /proper/ hactivations.
A community user used SAM to generate an activation request with mixed components from an AT&T SIM and a T-Mobile SIM.
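The request/ticket exchange on the three activation diagrams above and the mixed-SIM request on this slide, as an added example that is not the speaker's code and not Apple's protocol: a simplified "Albert" that keeps a lock record per IMEI, refuses a request whose serial does not match the record, sends the Apple ID page instead of a ticket when the device is Find My iPhone locked, enforces the carrier lock against the SIM, and signs the ticket so the device can verify it. Everything in it is assumed: the record layout, the sample IMEIs, serials and ICCID/IMSI prefixes, and HMAC as a stand-in for Apple's signature. The `check_sim_consistency` switch is hypothetical; it shows how a server that trusts the IMSI alone would accept a request mixing one carrier's ICCID with another's IMSI, which is the general shape of the malformed-request attacks on this and the previous slide, not the actual SAM mechanism (the talk does not detail it).

```python
import hashlib
import hmac
import json

# Hypothetical signing key. Apple's real key and ticket signature scheme are not
# on the page; HMAC-SHA256 stands in so the device-side verify step can be shown.
ALBERT_KEY = b"hypothetical-albert-signing-key"

# A SIM's carrier can be read from two fields: the IMSI (MCC+MNC prefix) and the
# ICCID (issuer prefix). Sample prefixes, constructed for this example.
CARRIERS = {
    "AT&T": {"mccmnc": "310410", "iccid_prefix": "8901410"},
    "T-Mobile": {"mccmnc": "310260", "iccid_prefix": "8901260"},
}

# Lock records "on file" per IMEI: the carrier lock submitted at point of sale and
# the Find My iPhone state. Constructed sample data.
LOCK_RECORDS = {
    "356938035643809": {"serial": "DNPK3SAMPLE1", "carrier": "AT&T", "fmi_locked": False},
    "490154203237518": {"serial": "DNPK3SAMPLE2", "carrier": None, "fmi_locked": True},
}

# Stand-in for the "Enter your Apple ID/password" page the talk describes.
FMI_PROMPT_HTML = "<html><body>Enter the Apple ID and password paired with this iPhone</body></html>"

# Two constructed SIMs; iPhone3,1 is the iPhone 4 GSM model string.
ATT_SIM = {"iccid": "8901410000000000001", "imsi": "310410000000001"}
TMO_SIM = {"iccid": "8901260000000000002", "imsi": "310260000000002"}


def make_request(imei, serial, sim, model="iPhone3,1"):
    """What the device sends: the fields named on the diagrams."""
    return {"imei": imei, "serial": serial, "model": model, **sim}


def carrier_from_imsi(imsi):
    return next((n for n, c in CARRIERS.items() if imsi.startswith(c["mccmnc"])), None)


def carrier_from_iccid(iccid):
    return next((n for n, c in CARRIERS.items() if iccid.startswith(c["iccid_prefix"])), None)


def _canonical(fields):
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_ticket(fields):
    """Server side: bind the ticket to exactly the fields the device sent."""
    ticket = dict(fields)
    ticket["signature"] = hmac.new(ALBERT_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return ticket


def verify_ticket(ticket):
    """Device side: reject a ticket whose bound fields changed after signing."""
    body = {k: v for k, v in ticket.items() if k != "signature"}
    expected = hmac.new(ALBERT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ticket.get("signature", ""))


def albert_activate(request, check_sim_consistency=True):
    """Model of Albert's decision: ("ticket", t), ("html", page) or ("refused", why).

    check_sim_consistency=False models a server that trusts the IMSI alone, so a
    request mixing one carrier's IMSI with another carrier's ICCID is accepted.
    """
    record = LOCK_RECORDS.get(request["imei"])
    if record is None:
        return ("refused", "unknown IMEI")
    # The serial is part of the record, so a new IMEI on a board that still reports
    # the old serial mismatches (why the hardware slide rewrites the serial too).
    if record["serial"] != request["serial"]:
        return ("refused", "serial does not match IMEI on file")
    # iOS 7 step: the Find My iPhone check comes before any ticket is issued.
    if record["fmi_locked"]:
        return ("html", FMI_PROMPT_HTML)
    sim_carrier = carrier_from_imsi(request["imsi"])
    if check_sim_consistency and sim_carrier != carrier_from_iccid(request["iccid"]):
        return ("refused", "ICCID and IMSI disagree about the SIM's carrier")
    if record["carrier"] is not None and sim_carrier != record["carrier"]:
        return ("refused", "SIM does not satisfy the carrier lock on file")
    fields = {k: request[k] for k in ("imei", "serial", "model", "iccid", "imsi")}
    fields["carrier_policy"] = record["carrier"] or "unlocked"
    return ("ticket", sign_ticket(fields))
```

The real request and ticket formats, Apple's signature and whatever Albert actually checks are not modelled; the point is the decision order (record lookup, serial match, Find My iPhone check, then carrier lock) and that any field the server does not cross-check against the others is a field a crafted request can lie about.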
-
Server Side Attacks (GSX)
Create GSX Account with leaked GSX code.
GSX Accounts require approval by admin.
Able to access various components by copying the session ID when visiting the root of GSX.
Submit requests to GSX via the JavaScript console.
Several IMEI checkers used this technique till it was patched months later.
-
Server Side Attacks (TSS)
Found by iNeal and me randomly while Skyping.
Allowed TSS to reply back with blobs for iOS versions that were no longer being signed (essentially allowed downgrades).
* The TSS server is what replies back with SHSH blobs and APTickets (gs.apple.com).
* While speaking with iNeal on Skype, I told him an idea I had for attacking the TSS server.
* He tried it and it actually worked.
* We were trying to get it to sign anything we gave it.
* Only managed to get TSS to sign previously signed/trusted images.
* Essentially allowed downgrades.
* Got closed randomly days later.
* We blame my homework and the internal errors we caused.
* Apple most likely saves the requests we sent to the server upon internal errors to an isolated location for future analysis.
-
Server Side Attacks (TSS)
Goal was to get TSS to sign anything.
Was closed days later! :( [March 30, 2014].
-
Server Side Attacks (TSS)
-
Hardware Attacks (wat?)
Where's geohot at?
The iPhone 4 GSM baseband has not been unlockable via Gevey since 04.10.01.
The Chinese took it into their own hands. Got tired of waiting for a new software unlock? Developed a hardware technique to unlock the iPhone 4.
-
Hardware Attacks (wat?)
Desolder the original factory iPhone 4 GSM baseband.
Replace it with a similar chip sold by Infineon.
The chip has the same chipset as the factory baseband.
Flash the latest baseband + IMEI via Phone Tool.
Change the SN accordingly in NAND_SYSCFG (otherwise the Albert request will mismatch).
** ADD PICTURES HERE **
* Change the IMEI/SN to those of a factory unlocked (iCloud-free) handset.
* Illegal in the majority of countries.
* The result of the change will be a factory unlocked iPhone 4 with service.
* To the server, it will look like a completely different device.
-
Noteworthy Flaws
iOS 7.0.x iCloud removal/disable of Find My iPhone.
iOS 7.1 iCloud removal/disable of Find My iPhone.
Thieves might be able to reset the iCloud password before restoring [if not locked].
(Tons of users have their iCloud email set up in Mail.app.)
-
Bruteforce Apple IDs?!
Apple IDs can be bruteforced with a dictionary.
Some old Apple IDs were never subject to strong password requirements.
WHY IS THERE NO CAPTCHA AFTER 100 FAILED ATTEMPTS?
Supposedly has a 43%-ish success rate.
-
What should be done?
CAPTCHA after failed password attempts.
Don't echo so much personal info over syslog.
Better Apple support to reset iCloud Activation Locks.
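The first item on this slide, a CAPTCHA after failed password attempts, as an added example that is not from the talk and not Apple's code: a per-account failure counter that stops comparing passwords once the threshold is hit and answers with a CAPTCHA demand instead, then locks the account for a while if failures keep coming. The `LoginGuard` class, its thresholds and the sample wordlist are assumptions; the previous slide asks why nothing happens after 100 failures, the default here is 5. `dictionary_attack` replays the kind of list the previous slide describes so the effect of the guard can be measured.

```python
import hmac
import time
from collections import defaultdict


class LoginGuard:
    """Per-account failure counter that escalates to a CAPTCHA, then a temporary lockout."""

    def __init__(self, passwords, captcha_after=5, lock_after=20, lock_seconds=900,
                 clock=time.monotonic):
        self._passwords = passwords          # account -> password (constructed sample)
        self._captcha_after = captcha_after  # failures before a CAPTCHA is demanded
        self._lock_after = lock_after        # failures before the account is locked
        self._lock_seconds = lock_seconds
        self._clock = clock                  # injectable so the lockout can be tested
        self._failures = defaultdict(int)
        self._locked_until = {}

    def attempt(self, account, password, captcha_solved=False):
        now = self._clock()
        if self._locked_until.get(account, 0) > now:
            return "locked"
        # Past the threshold the password is not compared at all, so a dictionary
        # run gets no right/wrong oracle until a human solves the challenge.
        if self._failures[account] >= self._captcha_after and not captcha_solved:
            return "captcha_required"
        stored = self._passwords.get(account)
        if stored is not None and hmac.compare_digest(stored, password):
            self._failures[account] = 0
            return "ok"
        # Unknown accounts are counted and answered exactly like wrong passwords.
        self._failures[account] += 1
        if self._failures[account] >= self._lock_after:
            self._locked_until[account] = now + self._lock_seconds
            return "locked"
        return "invalid"


def dictionary_attack(guard, account, wordlist):
    """Replay a wordlist against one account; return (first non-'invalid' outcome, attempts)."""
    for attempts, guess in enumerate(wordlist, 1):
        outcome = guard.attempt(account, guess)
        if outcome != "invalid":
            return (outcome, attempts)
    return ("exhausted", len(wordlist))


# Constructed wordlist; the account's real password sits at position 8, so an
# unguarded endpoint gives it up on the eighth try and a guarded one never does.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou",
            "monkey", "dragon", "hunter2", "baseball", "football"]
```

Counting per account is what stops the dictionary run described on the previous slide; a limit per source address is the usual complement, since an attacker can spread a few guesses over many accounts and stay under any per-account threshold. A real deployment stores password hashes rather than passwords and keeps the counters somewhere shared across servers.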
-
What is happening?
iCloud locked devices are usually either being sold as a scam or for parts only.
Marketing?
If you purchased an iPhone on eBay that is iCloud locked, check the listing and possibly file a PayPal dispute.
-
r0bf0rdsn0w?
do u believe?
Cracked only by one person so far.
Speak to me privately if you would like to know more about how this /concept/ works.
-
sn0wbreeze for iOS 7?!
Hacktivation in sn0wbreeze would trigger issues with the DMCA, since it would unknowingly also bypass the iCloud Activation Lock.
An iFaith update will probably happen for the iPhone 4 and AppleTV 2.
-
Q&A
(for this talk :P)