Hacking iOS Game Center and Passbook with Proxies October 3, 2013

Hacking iOS Game Center and Passbook with Proxies
Louisville Metro Infosec Conference:
October 3, 2013
Who am I?
• Karl Fosaaen
Senior Security Consultant
At NetSPI
Twitter: @kfosaaen
Presentation Overview
• Intercepting iOS Traffic
• Why and How
• Tools
• Certificates
• Identifying Pinning
• Attack Examples
• GameCenter Scores
• GameCenter Hashes
• Passbook files
• Conclusions
Intercepting traffic: Why
• iOS traffic can be interesting
‒ Most apps use web service calls
‒ Most apps are web browsers
• Traffic tampering
‒ Can you name your own price?
‒ Submit a higher score?
• Server responses can be interesting
‒ Modify what the server says to trick your app
‒ Intercepting files (ie: Passbook Passes)
Intercepting traffic: How
• Use an intercepting proxy
‒ Set it up to capture your traffic
‒ Store and forward allows for tampering
• SSL Interception
‒ Requires a trusted certificate
‒ Some apps don’t trust iOS
•
This is a good thing, just a pain for interception
• Traffic sniffing
‒ Some apps send requests in the clear
‒ Packet sniffing can be useful
Intercepting traffic: Tools
• Burp
• iOS simulator
• Other Proxies
Intercepting Traffic: Certs
• Exporting the Burp Root CA
Intercepting Traffic: Certs
• Exporting the Burp Root CA
Intercepting Traffic: Certs
• Exporting the Burp Root CA
• Save the root cert as
PortSwiggerCA.crt
• Send the cert to yourself via email
and add it to your iOS device
• Instructions from Portswigger:
http://portswigger.net/burp/help/proxy_options_installingCAcert.html#iphone
Intercepting Traffic: Certs
• Exporting the Burp Root CA
• Certificate installed on iPhone
Intercepting Traffic: Burp
• Burp Set Up
Intercepting Traffic: Burp
• iOS Proxy Set Up
Intercepting Traffic: Burp
• Intercepted iOS traffic
• HTTPS request to Google from iPhone
Intercepting Traffic: Burp
• A quick warning…
‒ Watch your credentials
•
•
Exchange ActiveSync sends encoded passwords
Your login creds for other apps and sites will get
stored in your proxy
‒ Mostly watch the data getting stored in your
proxy
•
You never know when you will need to send your
Burp session to someone else
Intercepting Traffic: Certs
• Identifying pinned apps
• Able to intercept normal browser SSL
traffic
• Can’t get app specific data
• Pinning might be in use
• The app may also be looking for specific
cert parameters
•
This is not pinning
• It’s cert checking
Attack Examples
• GameCenter High Scores
• GameCenter Email Hashes
• Passbook files
‒Boarding Passes
‒Coupons
‒Gift Cards
Attack Examples: GameCenter
• Attacking High Scores
‒GameCenter scores update with
HTTPS POST requests
‒No input validation on “score-value”
parameter
• Max score of
9,223,372,036,844,775,807
Attack Examples: GameCenter
Attack Examples: GameCenter
• Attack Process
‒Set up intercepting proxy
‒Play a game
•
Beat the first level
or
•
Trigger a score update
‒ Intercept the score update
•
Look for “submitScores” page
‒ Replace score value with
9,223,372,036,844,775,807
Attack Examples: GameCenter
Attack Examples: GameCenter
Attack Examples: GameCenter
‒ Bad News
•
•
This was fixed in iOS 7
There’s a token now
=
Attack Examples: GameCenter
Capturing GameCenter Email Hashes
Attack Examples: GameCenter
• Capturing Email Hashes
• SHA1 email hashes can be leaked by
requesting player information
• This can be done for current friends
and accounts of “friends of friends”
• What can we do with these?
• Why would anyone want those?
Attack Examples: GameCenter
• Capturing Email Hashes
• Step One: Add a bunch of friends
•
Current recommendations,
leaderboards, friends of your friends
Attack Examples: GameCenter
• Capturing Email Hashes
• Step Two: Get a list of all of their friends
•
•
So “friends of friends”
Use Burp for this
Attack Examples: GameCenter
• Capturing Email Hashes
• Results!
Attack Examples: GameCenter
• Capturing Email Hashes
• Step Three: Friend request all of them
Attack Examples: GameCenter
• Capturing Email Hashes
• RETURN to Step One multiple times
• Step Four: Query the email hashes for
all of your friends and all of their friends
too
•
•
This will be done with intruder in Burp
Much like step three – Send the request on the
next slide to intruder
Attack Examples: GameCenter
Attack Examples: GameCenter
• Next Steps
‒ So you have some hashes, so what…
•
You have their handle, first and last names too
‒ What’s your email address?
•
Common email user names
•
•
•
•
First.last
FirstinitialLast
Handle/username
NameBirthYear (or other “significant” number)
‒ Who’s your email provider?
•
Gmail, yahoo, hotmail, AOL
Attack Examples: GameCenter
• Cracking Email Hashes
‒ PowerShell Script to Guess Email user names
• [email protected][email protected][email protected][email protected][email protected][email protected]
‒ Append the top 500 email domains to the
end and SHA1 the whole thing
Attack Examples: GameCenter
• Cracking Email Hashes
‒ PowerShell Script to SHA1 hash the guessed
emails
•
This was basic, but worked well
‒ Use the email guesses as a dictionary for
Hashcat
•
The rule set can be customized to make cracking
easier
Attack Examples: GameCenter
• Final Numbers:
‒222 friends added* (as of 9/9/13)
*Records collection stopped after 45 friends
‒1,635 records gathered
•
1,534 after Unicode removal
‒300 email hashes cracked (19.5%)
Records Example:
591542B50A99EAA8E41136305075F9FF708F1992 bubblefishgumpop Deb Morgan
Attack Examples: Passbook
Passbook
Attack Examples: Passbook
• Multiple Apps are now available with Passbook
• Mostly used to store loyalty cards, coupons, and
boarding passes
‒ Gift cards are now getting adopted
• Can actually be pretty convenient to use
Attack Examples: Passbook
• Common Application Issues:
• Failure to securely deliver .pkpass files
• No HTTPs or certificate pinning
• Failure to validate pass information on
backend systems
•
Do you really have $1,000 on that gift
card?
Attack Examples: Passbook
• Passes are sent as .pkpass files
‒.pkpass is just a renamed .zip file
‒Required contents:
• manifest.json
• pass.json
• Signature
•
•
A signature file for integrity
Prevents file replacement and a re-zip
Attack Examples: Passbook
• Creating your own
‒ Join the Apple Developer Program ($99)
‒ Modify the pass.json to match your needs
• The teamIdentifier and passTypeIdentifier
fields need to be modified to match your
Apple cert
• Modify the pass details that you want to
‒ Use the signpass application (from Apple) to
generate the new .pkpass file
‒ Can be done in Windows
•
Apple Developer cert is still needed
Attack Examples: Passbook
• Deployment
‒ Can be done via email or web server
Attack Examples: Passbook
• Attack overview
‒ Set up your intercepting proxy
‒ Request a Passbook pass from the app
•
Look for the “Add to Passbook” button
‒ Intercept the request for the pass
•
Usually to a third party site
‒ Request and save the pass in your browser
‒ Modify your pass
‒ Resign and use your new and improved pass
Attack Examples: Passbook
• Avoiding issues with cert pinned apps
•
•
•
•
Open the app without the proxy enabled
Get up to the page where you request the
pass
Switch over to your preferences
• Turn on the Proxy
Request the pass
Attack Examples: Passbook
Example Time!
Attack Examples: Passbook
• Delta Boarding Passes
‒ One of many Passbook apps, but it’s the one
that I use the most
‒ Main Delta App does not do certificate
pinning
Attack Examples: Passbook
• Delta Boarding Passes
‒ Request for Passbook pass
Attack Examples: Passbook
• Delta Boarding Passes
‒ Extracted pkpass file
‒ Extracted Sky Priority pkpass file
Attack Examples: Passbook
• Delta Boarding Passes
‒ Modify the pass.json file
‒ And include the footer images in the directory
Attack Examples: Passbook
• Delta Boarding Passes
‒ Run the Signpass utility and email yourself the
pass
Attack Examples: Passbook
• Original/Modified Delta Boarding Pass
Conclusions
•Fixes
•
•
•
Certificate pinning
Better input validation
Limiting data leakage from apps
• Questions?
Hacking iOS Game Center and Passbook
• Karl Fosaaen
‒ Security Consultant at NetSPI
‒ Twitter: @kfosaaen
`