Vulnerability Management

Create iPhone Rootkits Like You’re the NSA

In a recently leaked document it was revealed that the NSA had a project called “Dropout Jeep”. The purpose of the program was to install a rootkit on an iPhone that would allow calls and other information to be intercepted, as well as enable the device as a microphone, track location and other activities. A similar program by Britain’s GCHQ has had similar tools with various components.

Recreating Dropout Jeep

Some security/privacy experts went so far as to claim that Apple was involved in helping the NSA develop such a tool by providing a backdoor, without any actual proof to back up their statements. Many media outlets had misleading headlines about the NSA having full access to the iPhone. In reality Apple would not need to be involved at all for such an exploit, any more than they would be involved in the jailbreaking process of iOS. All that is needed is physical access to the device and a bit of voyeuristic intent.

The “Dropout Jeep” slide was dated October of 2008. The first iPhone was jailbroken (rooted) within a few days of release in June of 2007. With these existing processes of rooting an iPhone available to anyone, circumventing security controls on the device doesn’t require NSA level security clearance, or a back door from Apple.

Jailbreaking for Spies

iPhone Rootkit

The primary purpose of jailbreaking an iPhone has been to give device owners more control over their device. It is a means to empower the technically savvy with a means to install customized applications and expand the device’s functionality.

However, when it comes to surveillance. jailbreaking can provide an organization, country or company the ability an easy way into an unsuspecting targets phone and communications. I worked with my friends at DEP who have developed a proof-of-concept with several components to illustrate this very point.

The proof-of-concept not only illustrates how one can jailbreak a phone simply by plugging it into the wrong device, but also how to install stealthy apps with hooks to intercept phone calls and applications such as Skype:

Payload Deployment & Persistence

Once the jailbreak process is automatically initiated, the malicious payload drops our controller application  “RedEye.app”:

To help ensure persistence and to evade detection, additional simple functionality is implemented at startup to hide that the device is jailbroken. I found it interesting that one of the main methods to detect if an iPhone is jailbroken relies on simply checking to see if the Cydia application is installed.

In addition to disable the the software update, the automatic process updates the System Version values (/system/library/coreservices/SystemVersion.plist) to disable the software update process:

Call, Microphone and App Hooks

To record voice data a hook in the “RedEye.app” a hook is implemented to detect audio.

To turn the iPhone into a remote microphone, the application is setup to listen from calls from a specific number and enable the microphone of the device covertly through another hook.

Hook for Enabling iPhone Microphone

Additional hooks can be implemented for specific applications such as Skype or other messaging applications. Pretty much any data on the phone can easily be intercepted and sent to our remote data collection server.

Mitigation

As you can see, the NSA is not the only entity capable of covertly intercepting communications on a device, particularly when the attacker has physical access to it. Government spying, corporate espionage, stalkers and other entities all can have similar motivations for turning someone’s phone into a spy phone.

One thing that can be done that can mitigate the risk of some of these automatic jailbreaking methods is to set a passcode on your device. However, there are methos being developed that will also circumvent those controls.

It is important when traveling to keep your phone with you at all times, never leave your phone in a hotel room, it only takes 20 seconds to compromise a device. Be careful what devices you plug your phone into when charging or synching data, plug into the wrong system and you may be getting more than just a charge.

 

Previous post

New CryptoLocker Ransomware Variant Spread Through Yahoo Messenger

Next post

When Security Tools Cry Wolf

Ken Westin

Ken Westin

Your Pundit of Paranoia