AppleInsider › Forums › Mobile › iPhone › Hackers claim to have exploit for iCloud, use vulnerability to disable Activation Lock

Hackers claim to have exploit for iCloud, use vulnerability to disable Activation Lock - Page 2

post #41 of 60
Quote:
Originally Posted by neosum View Post

From what I can gather from the limited information that's presented, it looks to me like someone would need to snoop around a public wifi for unsuspecting iphone victims. Capture their Apple ID and PW (which is yet to be proven, it's only "claimed"), then steal that person's iphone.

What happens if the device was stolen first, and remote wiped? How would they get the user's Apple ID and PW then?
They wouldn't need to. The hackers claim to be able to unlock the phone by fooling it into treating their fake server as iCloud, taking advantage of an issue in the server verification. They say more than 30000 stolen iPhones have been unlocked this way and sold for profit (as they are more valuable unlocked than locked, of course). For now there is no evidence that this hack also gives access to user data.
The interception of credentials (password and Apple ID) through iTunes for Windows (which of course is a risk for user data) is separate from the unlocking hack, although both seem to use the verification issue to their advantage. The risk with unencrypted WiFi seems to be both the ability to act as iCloud, a man-in-the-middle attack (which all devices are vulnerable to), and the fact that the passwords aren't hashed locally (which is specific to iTunes for Windows).
Edited by Chipsy - 5/21/14 at 9:14pm
post #42 of 60
The articles I've seen claim they can get past Activation Lock to get access to the phone, but the SIM still doesn't work. The reason the SIM doesn't work is because their fake servers don't have the ability to activate a device. Which means the phone is useless as it doesn't really work.

Of course they're claiming they'll have a fix for the SIM issue, but I have to wonder: what are all those people doing with iPhones that can't make phone calls or connect to any cellular network? That's not much more useful than a bricked iPhone. They love to brag about how many people have used their hack, but since none of them actually have fully functioning iPhones I don't see why it's being portrayed as a benefit.

Unless I completely missed something and they got past the SIM issue.

Author of The Fuel Injection Bible

post #43 of 60

Amazing what people can do with Fiddler!

post #44 of 60
Quote:
Originally Posted by iNosey View Post

Who uses windows anymore anyway?
A very large percentage of Apple's customer base.
post #45 of 60
Quote:
Originally Posted by SolipsismX View Post


In other words don't use a public WiFI network because iCloud services are constantly working in the background.

The list of services tied to your iCloud ID is much more extensive than people realize. I don't know of any public WiFi networks that use encryption. Even when you need to enter a passcode into a splash screen to get access to the internet it's still an unencrypted WiFi network.


Encryption over the air does nothing on public wifi because it's so easy to ARP poison and reroute traffic via a hostile host (playing default gateway) connected to the same encrypted wifi. If you cannot control what clients are connected anyway, then SSL and other VPN techniques are your only choice for secure communication over "public" wifi. This has always been the case and still is!!!

post #46 of 60
The Microsoft and Google teams have been hard at work to exploit such things. Exploiting and leaking to upset the Apple name. But if it can be done.....it can be done, regardless of the rigmarole. I'd still rather my 5s/OSX over any android RAT infested handset or windoze machine.
post #47 of 60
Quote:
Originally Posted by togan View Post

The Microsoft and Google teams have been hard at work to exploit such things. Exploiting and leaking to upset the Apple name. But if it can be done.....it can be done, regardless of the rigmarole. I'd still rather my 5s/OSX over any android RAT infested handset or windoze machine.
I see your rationale for your choice of platform is based on total la la land conspiracy ideas rather than how good it is.
post #48 of 60
Quote:
Originally Posted by Chipsy View Post


They say more than 30000 stolen iPhones have been unlocked this way and sold for profit (as they are more valuable unlocked than locked of course). 

How would they know how many stolen iPhones have been unlocked that way?

post #49 of 60
Quote:
Originally Posted by habi View Post
 
Encryption over the air does nothing on public wifi because it's so easy to ARP poison and reroute traffic via a hostile host (playing default gateway) connected to the same encrypted wifi. If you cannot control what clients are connected anyway, then SSL and other VPN techniques are your only choice for secure communication over "public" wifi. This has always been the case and still is!!!

Most newer WiFi is using WPA2, which I thought had corrected the issue with ARP injection. But to your point I still don't understand how the hackers intercept the Apple ID which you would think would be over SSL, but perhaps not.

Life is too short to drink bad coffee.

post #50 of 60
Quote:
Originally Posted by zoetmb View Post

How would they know how many stolen iPhones have been unlocked that way?
Probably because that is the number that have been unlocked using their fake server. Of course they can't know about other people who might exploit this.
These phones don't need to be in the direct possession of the hackers. They are able to open the server up to people all over the world, who then use it to unlock the phones in their possession. Which apparently there is a lot of demand for... :s
P.S. That all those 30000 phones were sold for profit was a misinterpretation on my part, but 30000 have been unlocked using that server. The article stated that selling for profit is among the motives for unlocking a phone.
Edited by Chipsy - 5/22/14 at 2:23pm
post #51 of 60
Quote:
Originally Posted by mstone View Post

Most newer WiFi is using WPA2, which I thought had corrected the issue with ARP injection. But to your point I still don't understand how the hackers intercept the Apple ID which you would think would be over SSL, but perhaps not.

Jailbreak your iPhone and install Pirni on it. Then connect to your favorite WPA2 encrypted AP and play default router and capture all passwords in cleartext that are going to the router. Easy like hell. Even a 7 year old can do it!

Was the whole problem that there was no SSL session on Windows iTunes?
post #52 of 60
Quote:
Originally Posted by habi View Post

Jailbreak your iphone and install Pirni on it. 

Wow that is a serious issue. I guess we better be careful even on our own WiFi at the office.

 

Quote: Found at: http://www.reddit.com/r/netsec/comments/al5nz/have_a_jailbroken_iphone_or_ipod_touch_check_out/
 

Pirni is a jailbreak app. Jailbreak apps are apps that can only be installed on jailbroken iPhones/iPod touches.

The iPhone's wifi card is extremely limited (it can't go into promiscuous mode, is unable to monitor packets, etc). From a network security standpoint, it's basically useless. That's where Pirni comes in. Pirni "arpspoofs" the router - i.e. makes other devices think the iPhone is the router/gateway. This causes all network traffic to flow through the iPhone. The data is then forwarded to the correct device (laptop, router, desktop) so that all packets are delivered - this makes it so no one notices any difference in their speed/surfing/etc. As the data passes through the iPhone, Pirni captures the packets and dumps them into a file.

That is how Pirni "sniffs" packets.

The "parser" ('derv') simply reads that packet dump-file every 5 seconds, looking for passwords, URLs, or cookies. Derv then displays this information as it is found. It basically reads the packets, filters out the uninteresting stuff, and displays what you want.

A really cool feature is the Cookie Injection. If the sniffer grabs cookies for a certain site, it will inject them into Safari (the default browser for iPhone/iPod). With this, you can exit out of the scripts (they'll still run in the background), load Safari, and go to the cookie's homepage, mimicking the intercepted cookie/session data. It works with a lot of popular pages (Facebook, Twitter, Amazon).

The cookie-injection had been done before in WifiZoo, but this is the first time I've seen it on an iPhone/iPod.

 

It will only sniff packets sent over networks that you are connected to.
Also, as a heads up, some routers (universities, corporate) have security measures in place to detect and avoid arpspoofers.

 

Bonus: the scripts work on every type of encrypted wifi network (Open, WEP, WPA, WPA2).

I hope this was informative!

Life is too short to drink bad coffee.

post #53 of 60
Quote:
Originally Posted by habi View Post

Jailbreak your iPhone and install Pirni on it. Then connect to your favorite WPA2 encrypted AP and play default router and capture all passwords in cleartext that are going to the router. Easy like hell. Even a 7 year old can do it!

Was the whole problem that there was no SSL session on Windows iTunes?
One of them: iTunes for Windows doesn't hash the passwords before sending them to the server.

But the biggest problem does seem to be the issue in the server verification, i.e. allowing fake servers to act like iCloud, and thus allowing for man-in-the-middle attacks.
In the case of the unlocking, the hackers open up the fake server to people all over the world, who then use it to unlock their (probably often stolen) devices.
Edited by Chipsy - 5/22/14 at 2:41pm
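The thread keeps coming back to "the issue in the server verification": a client that does not check the server's certificate will happily talk to any host that answers as iCloud. The following Go program is an added illustration and is not code from the thread or from Apple; it starts an in-process HTTPS server with a self-signed certificate (an "impostor") and probes it with four client configurations to show which ones reject it. The server, the scenario names and the `Probe` classifier are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Outcome labels returned by Probe.
const (
	Accepted       = "accepted"           // handshake succeeded, response read
	VerifyRejected = "rejected-by-verify" // client refused the certificate
	OtherError     = "other-error"        // anything else (network, etc.)
)

// NewImpostorServer starts an in-process HTTPS server whose certificate is
// self-signed (generated by httptest). It stands in for a server that is not
// the one the client expects, e.g. a fake "iCloud" answering on a hostile network.
func NewImpostorServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "hello from the impostor")
	}))
}

// clientWith builds an HTTP client around the given TLS configuration.
func clientWith(cfg *tls.Config) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// Probe performs one GET and classifies the outcome. A certificate that the
// client cannot chain to a trusted root, that does not match the expected
// name, or that cannot be checked at all (no root store) counts as rejected.
func Probe(c *http.Client, rawURL string) string {
	resp, err := c.Get(rawURL)
	if tr, ok := c.Transport.(*http.Transport); ok {
		defer tr.CloseIdleConnections()
	}
	if err == nil {
		resp.Body.Close()
		return Accepted
	}
	var unknownAuthority x509.UnknownAuthorityError
	var hostnameMismatch x509.HostnameError
	var noRoots x509.SystemRootsError
	if errors.As(err, &unknownAuthority) || errors.As(err, &hostnameMismatch) || errors.As(err, &noRoots) {
		return VerifyRejected
	}
	return OtherError
}

// RunScenarios exercises four client configurations against the impostor.
func RunScenarios() map[string]string {
	srv := NewImpostorServer()
	defer srv.Close()

	// A trust store containing exactly the impostor's certificate, used to show
	// that trusting the chain is not enough: the name must match too.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())

	return map[string]string{
		// 1. Stock client: trusts only the OS root store, so a self-signed
		//    certificate is rejected before any application data is sent.
		"default-verification": Probe(clientWith(&tls.Config{}), srv.URL),
		// 2. Verification disabled: the analogue of a client that skips the
		//    chain check. Any certificate is accepted, so a man in the middle
		//    is never noticed. This is the setting to look for in code review.
		"verification-disabled": Probe(clientWith(&tls.Config{InsecureSkipVerify: true}), srv.URL),
		// 3. Explicit trust in this certificate and the name matches
		//    (httptest's certificate carries 127.0.0.1 as a SAN).
		"trusted-and-name-matches": Probe(clientWith(&tls.Config{RootCAs: pool}), srv.URL),
		// 4. Same trust, but the client expects a different name: the chain is
		//    fine and the hostname check still rejects it. Identity is chain AND name.
		"trusted-but-wrong-name": Probe(clientWith(&tls.Config{RootCAs: pool, ServerName: "icloud.example"}), srv.URL),
	}
}

func main() {
	for name, outcome := range RunScenarios() {
		fmt.Printf("%-26s %s\n", name, outcome)
	}
}
```

Only scenario 2 lets the impostor through, which is the property the thread is describing: the mitigation is on the client side (verify the chain and the name), not on the network.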
post #54 of 60

A bit late to this discussion and having only skimmed the past 20 or so responses after reading up to that point. There are a few points that should probably be made (or not, but I'm going to anyway :) ):

 

1. A man in the middle attack (MiTM) on a session works by the attacker pretending to be the server to the victim, and the victim to the server. It is effective only when the attacker can spoof identity. Therefore an MiTM attack on an SSL connection *can* happen when the victim cannot establish with certainty the identity of the server. This is exactly the effect of a client not verifying certificates correctly (as described in the article, and as caused by the 'goto fail' bug). 

 

An MiTM attack also requires the attacker to be "between" the server and victim. For most of us, that is most easily accomplished in a public wifi space. For service providers and governments it's much easier to subvert connections within or between large network transit providers. 

 

Choose your comfortable level of paranoia, but SSL is *not* a sure-fire protection against MiTM if you're not careful. 

 

2. Shared password encrypted wifi networks: On all encrypted wifi networks, the bulk encryption is done via symmetric encryption (AES) with a shared (between client and provider endpoints) key. On all of those networks, the key is unique to each session so different users cannot decrypt one another's network traffic. This is true even on shared password networks, because the session encryption key is derived for each session in a manner that only the provider and user endpoints know what it is. 

 

*However* on a shared password encrypted network, the password itself is used to verify the identity of the provider and client to one another. That means that while it's not practically possible to snoop on existing sessions, it *is* easily possible to effect an MiTM attack when a session is started by spoofing the provider (and it's pretty easy to force a session restart for those around you on a wifi network).

 

This is true for pretty much any service for which the sole barrier to entry is a shared secret. 

 

3. On enterprise encrypted wifi networks (the ones where everyone has their own username and password), techniques similar to those used by SSL are employed to prevent MiTM attacks. 

 

One final note: ARP spoofing (what Pirni can do) will often allow you to intercept network traffic (on your local wired segment, or on a wifi network), even encrypted traffic, but it does *not* automatically permit the *decryption* of that traffic.
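Two earlier points in this thread, the Pirni description (which says some university and corporate networks detect ARP spoofers) and the final note above, both concern ARP spoofing as seen from the network. The Go program below is an added example, not code from the thread or from any product named in it; it implements the two checks an arpwatch-style monitor uses, a changed IP-to-MAC binding (with the gateway's address treated specially) and a burst of unsolicited replies from one MAC, and runs them over a constructed trace of ARP replies. The `ArpReply` record, the trace, the addresses and the thresholds are all constructed for this example.

```go
package main

import (
	"fmt"
	"time"
)

// ArpReply is one ARP "is-at" message observed on the segment. Constructed
// record type for this example; a real monitor would decode it from frames.
type ArpReply struct {
	At          time.Duration // time since monitoring started
	IP          string        // sender protocol address being claimed
	MAC         string        // sender hardware address claiming it
	Unsolicited bool          // no matching ARP request was seen beforehand
}

// Alert is one finding. Kind is "gateway-mac-change", "ip-mac-change" or
// "unsolicited-flood".
type Alert struct {
	At   time.Duration
	Kind string
	Msg  string
}

// Monitor keeps the last IP->MAC binding per address and a sliding window of
// unsolicited replies per MAC.
type Monitor struct {
	GatewayIP   string
	FloodWindow time.Duration
	FloodLimit  int // more than this many unsolicited replies in the window -> alert

	bindings    map[string]string
	unsolicited map[string][]time.Duration
	flooders    map[string]bool // MACs already reported, to avoid repeats
}

func NewMonitor(gatewayIP string, window time.Duration, limit int) *Monitor {
	return &Monitor{
		GatewayIP: gatewayIP, FloodWindow: window, FloodLimit: limit,
		bindings:    map[string]string{},
		unsolicited: map[string][]time.Duration{},
		flooders:    map[string]bool{},
	}
}

// Observe processes one reply and returns the alerts it raised (possibly none).
func (m *Monitor) Observe(r ArpReply) []Alert {
	var out []Alert

	// Rule 1: an address that was bound to one MAC is now claimed by another.
	// Legitimate causes exist (DHCP reassignment, a replaced router), so this
	// is an alert to investigate, not proof of an attack.
	if prev, seen := m.bindings[r.IP]; seen && prev != r.MAC {
		kind := "ip-mac-change"
		if r.IP == m.GatewayIP {
			kind = "gateway-mac-change"
		}
		out = append(out, Alert{r.At, kind, fmt.Sprintf("%s moved from %s to %s", r.IP, prev, r.MAC)})
	}
	m.bindings[r.IP] = r.MAC

	// Rule 2: a burst of unsolicited replies from one MAC. Cache poisoning has
	// to keep re-asserting the false binding, which stands out from normal ARP.
	if r.Unsolicited && !m.flooders[r.MAC] {
		ts := append(m.unsolicited[r.MAC], r.At)
		cutoff := r.At - m.FloodWindow
		for len(ts) > 0 && ts[0] < cutoff {
			ts = ts[1:] // drop entries that fell out of the window
		}
		m.unsolicited[r.MAC] = ts
		if len(ts) > m.FloodLimit {
			m.flooders[r.MAC] = true
			out = append(out, Alert{r.At, "unsolicited-flood",
				fmt.Sprintf("%s sent %d unsolicited replies within %s", r.MAC, len(ts), m.FloodWindow)})
		}
	}
	return out
}

// SampleTraffic is a constructed trace: three hosts answer ordinary requests,
// then one host starts claiming both the gateway's and a victim's address,
// and finally the real gateway answers a request again.
func SampleTraffic() []ArpReply {
	s := time.Second
	return []ArpReply{
		{0 * s, "192.168.1.1", "aa:bb:cc:00:00:01", false},  // real gateway
		{1 * s, "192.168.1.20", "aa:bb:cc:00:00:20", false}, // victim
		{2 * s, "192.168.1.30", "aa:bb:cc:00:00:30", false}, // bystander
		{10 * s, "192.168.1.1", "02:00:00:de:ad:01", true},  // gateway address re-bound
		{10 * s, "192.168.1.20", "02:00:00:de:ad:01", true}, // victim address re-bound
		{11 * s, "192.168.1.1", "02:00:00:de:ad:01", true},  // same binding repeated
		{12 * s, "192.168.1.1", "02:00:00:de:ad:01", true},  // 4th unsolicited in 10s
		{13 * s, "192.168.1.1", "02:00:00:de:ad:01", true},
		{20 * s, "192.168.1.1", "aa:bb:cc:00:00:01", false}, // real gateway again
	}
}

// Run feeds a trace through a monitor and collects the alerts in order.
func Run(trace []ArpReply) []Alert {
	m := NewMonitor("192.168.1.1", 10*time.Second, 3)
	var alerts []Alert
	for _, r := range trace {
		alerts = append(alerts, m.Observe(r)...)
	}
	return alerts
}

func main() {
	for _, a := range Run(SampleTraffic()) {
		fmt.Printf("%6s  %-20s %s\n", a.At, a.Kind, a.Msg)
	}
}
```

On the sample trace this raises four alerts: the gateway binding changing at 10s, the victim's binding changing at 10s, the flood from the spoofing MAC at 12s, and the gateway binding flipping back at 20s (arpwatch calls this last pattern a flip-flop; seeing the same address alternate between two MACs is itself a strong signal). As the note above says, seeing the traffic is not the same as decrypting it, which is why the TLS checks on the client remain the other half of the defence.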

post #55 of 60
Quote:
Originally Posted by habi View Post

Quote:
Originally Posted by mstone View Post

Most newer WiFi is using WPA2, which I thought had corrected the issue with ARP injection. But to your point I still don't understand how the hackers intercept the Apple ID which you would think would be over SSL, but perhaps not.

Jailbreak your iPhone and install Pirni on it. Then connect to your favorite WPA2 encrypted AP and play default router and capture all passwords in cleartext that are going to the router. Easy like hell. Even a 7 year old can do it!

Was the whole problem that there was no SSL session on Windows iTunes?

Happily, you can't jailbreak the latest version of iOS.
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
post #56 of 60
Quote:
Originally Posted by Benjamin Frost View Post

Quote:
Originally Posted by habi View Post

Quote:
Originally Posted by mstone View Post

Most newer WiFi is using WPA2, which I thought had corrected the issue with ARP injection. But to your point I still don't understand how the hackers intercept the Apple ID which you would think would be over SSL, but perhaps not.

Jailbreak your iPhone and install Pirni on it. Then connect to your favorite WPA2 encrypted AP and play default router and capture all passwords in cleartext that are going to the router. Easy like hell. Even a 7 year old can do it!

Was the whole problem that there was no SSL session on Windows iTunes?

Happily, you can't jailbreak the latest version of iOS.
Seems a new JB will be out very soon:
http://www.forbes.com/sites/antonyleather/2014/05/22/apple-ios-7-1-1-jailbreak-shown-to-work/
post #57 of 60
Quote:
Originally Posted by singularity View Post

Quote:
Originally Posted by Benjamin Frost View Post

Quote:
Originally Posted by habi View Post

Quote:
Originally Posted by mstone View Post

Most newer WiFi is using WPA2, which I thought had corrected the issue with ARP injection. But to your point I still don't understand how the hackers intercept the Apple ID which you would think would be over SSL, but perhaps not.

Jailbreak your iPhone and install Pirni on it. Then connect to your favorite WPA2 encrypted AP and play default router and capture all passwords in cleartext that are going to the router. Easy like hell. Even a 7 year old can do it!

Was the whole problem that there was no SSL session on Windows iTunes?

Happily, you can't jailbreak the latest version of iOS.
Seems a new JB will be out very soon:
http://www.forbes.com/sites/antonyleather/2014/05/22/apple-ios-7-1-1-jailbreak-shown-to-work/

There has been no jailbreak for the iPhone 5, iPhone 5s or iPhone 5c since iOS 7.1, which came out in March 2014, over two months ago.
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
post #58 of 60
Quote:
Originally Posted by Benjamin Frost View Post


There has been no jailbreak for the iPhone 5, iPhone 5s or iPhone 5c since iOS 7.1, which came out in March 2014, over two months ago.


http://www.evad3rs.net/search/label/Jailbreak%207.1

Quote:
Evasi0n7 1.0.8 works for iPhone 5S/5C/5/4S/4, iPad Mini/5/4/3/2 and iPod Touch 5/4/3! Evasi0n7 1.0.8 is an untethered jailbreak for iOS 7.1 to iOS 7

But no "formal" release yet for 7.1.1.

post #59 of 60
I've read all the comments and still can't answer the question: what does "don't use iCloud on public wifi" mean? Is it safe to use my iOS device to access iCloud on public wifi networks??? Please answer in the context of the hacks identified for iCloud.
post #60 of 60
Quote:
Originally Posted by Benjamin Frost View Post

There has been no jailbreak for the iPhone 5, iPhone 5s or iPhone 5c since iOS 7.1, which came out in March 2014, over two months ago.
http://bit.ly/1wo2lnH
melior diabolus quem scies