Monday, March 7, 2011

About iPhone iOS 4.3 Personal Hotspot

During the Apple Special Event of March 2011, Apple CEO Steve Jobs announced new features and products. One of those masterpieces is a new option called “Personal Hotspot”. This new functionality turns your iPhone into a wireless access point, so that you can share your 3G connection. It will be released in a few days with the next iPhone update (iOS 4.3). So let's share a few words about this new (awesome) Apple add-on, with geeky and security eyes. The question asked: is it secure to turn your iPhone into a wireless access point?

As you can see, once you have downloaded the upcoming iOS 4.3 on your iPhone 4, the improved “Settings” panel will offer a “Personal Hotspot” sub-menu. If you then enable Wifi, this option allows you to connect multiple devices to a single iPhone, which becomes a wireless access point. That way, you should be able to share your cellular data connection with up to five devices at once (up to three devices over Bluetooth, one device over USB, and three devices over Wifi, bearing in mind that a hotspot tethering plan may have to be subscribed with your carrier).

On Apple's web site, it is written that every connection is password protected and secure, so we wanted to have a quick look at those new options.



Here are interesting things we wanted to share here.

About the ESSID

Your ESSID will be the name of your iPhone device (the one you can see in iTunes, for example, and that identifies your iPhone). For those of you who have a name like “iPhone of Firstname Name”, you may want to change it, as it will be visible as the ESSID of your iPhone hotspot. Or you can accept this tiny issue, as you already did, because this name was already shared on any IP network through broadcast UDP packets (and the only way to avoid that was to hack your phone and tweak some plist files).

Is there an option to change the ESSID? No. You will definitely have to change this name through the official ways, so that configd and mDNSResponder update the hostname preferences and a new ESSID appears.


About the wireless channels

From our quick tests, the iPhone seems to behave smartly, trying to use the first empty channel (automatic mode), which is quite interesting. The maximum rate offered is 54 Mb/s over 802.11b/g, which sounds great for the small 3G sessions shared behind it. The beacon interval seems to be set to 100 ms.


About the BSSID

The BSSID will not be exactly the MAC address of your iPhone wireless card. Here is what we saw during our quick tests: if the MAC address of your wireless interface is of the form E0:F8:47:C0:FF:F3, then the BSSID of the created access point will be E2:F8:47:C0:FF:F3. Checking the IEEE OUI list will likely reveal that we have an Apple wireless hotspot (http://standards.ieee.org/develop/regauth/oui/oui.txt).

For example, in our case we get E0:F8:47:

E0-F8-47   (hex)                        Apple Inc
E0F847     (base 16)                    Apple Inc
                                                1 Infinite Loop
                                                Cupertino CA 95014
                                                UNITED STATES

To our knowledge, other Apple wireless devices did not use this derivation of the MAC address (which allows fingerprinting). This work is done by the kernel, through a function called AppleBCMWLANIO80211APSTAInterface::createChipInterface(), with the special MAC address.

In the same vein, notice that Apple iOS 4.3 devices recognize such a personal hotspot and will show it to you as such in the list of available wireless networks.
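The E0 to E2 change above touches exactly one bit of the first octet: 0x02, which IEEE 802 defines as the "locally administered" (U/L) bit. The following is an added example (not code from the original post or from Apple) showing how a wireless inventory or rogue-AP detection tool could use that pattern: predict the hotspot BSSID from an interface MAC, and, in the other direction, strip the U/L bit from a seen BSSID before the OUI lookup. Treating the derivation as "set the U/L bit" is an inference from the single example in the post; the tiny OUI table only contains the Apple entry quoted there.

```python
"""Added example (not from the original post): relate an iPhone hotspot BSSID
to the Wi-Fi interface MAC address via the IEEE 802 locally-administered bit.

The post observed E0:F8:47:C0:FF:F3 (interface) -> E2:F8:47:C0:FF:F3 (BSSID).
The only bit that differs is 0x02 of the first octet (the U/L bit). Treating
the derivation as "set the U/L bit" is an inference from that one example.
"""
import re

# OUI entry quoted in the post (Apple Inc). A real tool would load the full
# IEEE oui.txt; this one-entry table is only for the demonstration.
OUI_TABLE = {"E0F847": "Apple Inc"}

LOCALLY_ADMINISTERED_BIT = 0x02


def parse_mac(mac: str) -> list:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into six octets."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC-48 address: {mac!r}")
    return [int(p, 16) for p in parts]


def format_mac(octets) -> str:
    return ":".join(f"{o:02X}" for o in octets)


def hotspot_bssid_from_mac(mac: str) -> str:
    """Predict the hotspot BSSID by setting the U/L bit (inference from the post)."""
    octets = parse_mac(mac)
    octets[0] |= LOCALLY_ADMINISTERED_BIT
    return format_mac(octets)


def is_locally_administered(mac: str) -> bool:
    return bool(parse_mac(mac)[0] & LOCALLY_ADMINISTERED_BIT)


def burned_in_oui(bssid: str) -> str:
    """Clear the U/L bit and return the 6-hex-digit OUI an IEEE lookup should use."""
    octets = parse_mac(bssid)
    octets[0] &= ~LOCALLY_ADMINISTERED_BIT & 0xFF
    return "".join(f"{o:02X}" for o in octets[:3])


def classify_bssid(bssid: str) -> dict:
    """What a wireless inventory tool could record about a BSSID it has seen."""
    oui = burned_in_oui(bssid)
    local = is_locally_administered(bssid)
    return {
        "bssid": format_mac(parse_mac(bssid)),
        "locally_administered": local,
        "oui": oui,
        "vendor": OUI_TABLE.get(oui, "unknown"),
        # Both conditions together match the pattern described in the post.
        "matches_iphone_hotspot_pattern": local and oui in OUI_TABLE,
    }


if __name__ == "__main__":
    print(hotspot_bssid_from_mac("E0:F8:47:C0:FF:F3"))
    print(classify_bssid("E2:F8:47:C0:FF:F3"))
```

Note that a plain OUI lookup on the BSSID as seen (E2:F8:47) finds nothing, because the IEEE registers E0-F8-47; the lookup only succeeds once the U/L bit is cleared, which is why `classify_bssid` does that first.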


About the spawned WLAN

Technical data related to the WLAN configuration:

Interface
Interface: ap0
IP address: 172.20.10.1
Netmask: 255.255.255.240

DHCP server (check local process “misd”):
Subnets:net_address [172.20.10.0]
Subnets:net_mask [255.255.255.240]
Subnets:dhcp_router [172.20.10.1]
Subnets:lease_{min,max} [86400]
Subnets:net_range_min [172.20.10.2]
Subnets:net_range_max [172.20.10.14]

Internet Sharing:
com.apple.MobileInternetSharing.broadcast-1 started: [DHCP subnet=172.20.10.1/28 on ap0 mtu=1500 <---> pdp_ip1 mtu=1450] max-mss=1410

Though the DHCP range appears to span 172.20.10.2 to 172.20.10.14, the maximum number of wireless tethered hosts is 5 (enforced by the misd process).


About Wifi Security parameters

The iPhone iOS 4.3 creates WPA2 Personal hotspots by default (PSK, AES-CCM). Is there a stupid option to downgrade to WEP or less? Fortunately, no. It means that some old devices (like some gaming consoles, etc.) won't be able to connect. But to be honest, it's not a big deal, and it was quite a good idea from Apple to offer something a little more secure by default.


About the WPA2 passphrase


By default, the iPhone generates a password (used to derive the PSK) for the WPA2 Personal hotspot. You can either use that password or set your own. The only restriction is that it must be at least 8 characters long.

For the automatically generated password, during our tests we got passwords of 10 characters built as follows: 6 lowercase letters + 4 digits. We suppose that some folks might (soon) propose WPA2 Personal dictionary attacks against iPhone hotspots...
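To put the default pattern in perspective, here is an added example (not code from the original post or from Apple) that does two things a defender would want: it derives the WPA2 PSK from a passphrase and SSID exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes), which is why the PSK is as sensitive as the passphrase, and it scores the key space of a passphrase pattern so that the observed "6 lowercase letters + 4 digits" default can be compared against a custom passphrase policy. The `matches_iphone_default` shape check is this example's own heuristic based on the pattern described above; it is not something Apple documents.

```python
"""Added example (not from the original post): WPA2-Personal PSK derivation and
a key-space estimate for the default iPhone hotspot passphrase pattern
(6 lowercase letters + 4 digits, as observed in the post).

PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes) is the
derivation specified by IEEE 802.11i (the SSID is the salt).
"""
import hashlib
import math
import string


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK that hostapd logs as 'PSK (from passphrase)'."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


# Pattern letters: l = lowercase, u = uppercase, d = digit, s = punctuation.
CLASS_SIZES = {"l": 26, "u": 26, "d": 10, "s": len(string.punctuation)}

# The default shape the post observed for auto-generated passphrases.
IPHONE_DEFAULT_PATTERN = "llllll" + "dddd"


def pattern_keyspace(pattern: str) -> int:
    """Number of distinct passphrases a pattern can produce."""
    size = 1
    for c in pattern:
        size *= CLASS_SIZES[c]
    return size


def pattern_entropy_bits(pattern: str) -> float:
    return math.log2(pattern_keyspace(pattern))


def matches_iphone_default(passphrase: str) -> bool:
    """Heuristic: does a passphrase have the shape of the post's generated ones?"""
    head, tail = passphrase[:6], passphrase[6:]
    return (len(passphrase) == 10 and head.isascii() and head.isalpha()
            and head.islower() and tail.isdigit())


def audit_passphrase(passphrase: str, ssid: str) -> dict:
    """Summary a policy check could report for a hotspot configuration."""
    return {
        "psk_hex": wpa2_psk(passphrase, ssid).hex(),
        "looks_like_generated_default": matches_iphone_default(passphrase),
        # Constructed comparison pattern: 12 mixed-class characters.
        "default_pattern_bits": round(pattern_entropy_bits(IPHONE_DEFAULT_PATTERN), 1),
        "mixed_12_char_bits": round(pattern_entropy_bits("lulduldsluld"), 1),
    }


if __name__ == "__main__":
    # IEEE 802.11-2004 Annex H test vector: "password" / "IEEE".
    print(wpa2_psk("password", "IEEE").hex())
    # The passphrase quoted in the advisory with a constructed SSID.
    print(audit_passphrase("facets1467", "Example iPhone"))
```

The Annex H test vector ("password" with SSID "IEEE") is the usual way to check that a PSK derivation is correct; the SSID of the device that produced the advisory's log lines is not in the post, so the logged PSK cannot be reproduced here.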


About Restrictions

For now, we don't know whether some of those parameters can be tweaked through a future version of the iPhone Configuration Utility. This could be interesting in a corporate environment, to prevent end users from using this functionality, from using weak passwords, etc.




About Vulnerabilities?

From the quick overview we made, it seems that Apple did a clean job. The only vulnerability we found so far is related to the password used to protect the WPA2 hotspot. Here is a humble security advisory, shared publicly here because we don't see a direct, easy impact against Apple customers (no exploit shared, etc.).


Security Advisory: TEHTRI-SA-2010-036

Platform: iPhone 4

Operating System: iOS 4.3 (8F190)

Application: com.apple.wifi.hostapd

Impact for customers: Low (?)

Description:

The new iPhone option called “Personal Hotspot” uses a passphrase to protect the WPA2 Personal wireless hotspot it creates. A WPA PSK is derived from this passphrase.

While performing this derivation, the iPhone writes the passphrase in clear text to the console of the iPhone device.

This area is readable by all local processes through the official Apple API. Here is the list of things written in clear text to the console: the Group Master Key, the Group Transient Key, the PSK, and the passphrase.

Example of clear text keys and passwords captured on an iOS 4.3 device:


Mar  5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.357484: PSK (ASCII passphrase) - hexdump_ascii(len=10):

Mar  5 01:23:24 unknown com.apple.wifi.hostapd[79] :      66 61 63 65 74 73 31 34 36 37                     facets1467     

Mar  5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.733079: PSK (from passphrase) - hexdump(len=32): cf f6 0d 2a 1a a2 d8 29 6d 58 cc 6f 49 55 34 47 22 b7 9c 5c 76 86 be 17 57 b0 d3 5c 6e ad 2a 65

Mar  5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870472: WPA: group state machine entering state GTK_INIT (VLAN-ID 0)

Mar  5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870522: GMK - hexdump(len=32): f9 69 7e c4 d1 fa 41 10 e2 b9 a1 78 0e 50 fa 47 5b 18 4a 86 75 8d a1 64 c7 c9 fc 7d b2 98 d5 b3

Mar  5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870580: GTK - hexdump(len=16): 8d 3f 27 be 0c 21 e2 5e fb 92 fb 15 b2 69 eb cd

Note: This can easily be patched by putting hostapd in a silent mode, which avoids this security issue. We evaluated the risk to be low (?), but a remote attack against an iPhone device combined with this leak could help a nearby attacker in targeting the devices hidden behind the iPhone on the 3G link (and most of the time, people don't want their passwords written in clear text somewhere). There is more relevant data on those devices than on the iPhone itself.
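Until such a fix ships, the practical defensive move is to treat console output that contains these hostapd dumps as sensitive: detect it and scrub it before logs are collected or shared. The following is an added example (not code from the original post or from Apple) that scans log text for the `hexdump(len=N)` and `hexdump_ascii(len=N)` lines shown above, reports which key material appeared, and returns a redacted copy. The sample lines are the ones quoted in the advisory, plus the harmless state-machine line between them; relying on hostapd printing the `hexdump_ascii` payload on the line following its header is this example's own assumption, based on the capture above.

```python
"""Added example (not from the original post): detect and redact the hostapd
key-material dumps (passphrase, PSK, GMK, GTK) that iOS 4.3 writes to the
console, as described in advisory TEHTRI-SA-2010-036.
"""
import re
from dataclasses import dataclass

# Constructed sample: the lines quoted in the advisory (trailing spaces dropped).
SAMPLE_LOG = """\
Mar  5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.357484: PSK (ASCII passphrase) - hexdump_ascii(len=10):
Mar  5 01:23:24 unknown com.apple.wifi.hostapd[79] :      66 61 63 65 74 73 31 34 36 37                     facets1467
Mar  5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.733079: PSK (from passphrase) - hexdump(len=32): cf f6 0d 2a 1a a2 d8 29 6d 58 cc 6f 49 55 34 47 22 b7 9c 5c 76 86 be 17 57 b0 d3 5c 6e ad 2a 65
Mar  5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870472: WPA: group state machine entering state GTK_INIT (VLAN-ID 0)
Mar  5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870522: GMK - hexdump(len=32): f9 69 7e c4 d1 fa 41 10 e2 b9 a1 78 0e 50 fa 47 5b 18 4a 86 75 8d a1 64 c7 c9 fc 7d b2 98 d5 b3
Mar  5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870580: GTK - hexdump(len=16): 8d 3f 27 be 0c 21 e2 5e fb 92 fb 15 b2 69 eb cd
"""

# "<LABEL> - hexdump(len=N): <hex bytes>" on a single line.
HEXDUMP_RE = re.compile(
    r"(?P<label>PSK \(from passphrase\)|GMK|GTK|PMK|PTK|KCK|KEK)\s*-\s*"
    r"hexdump\(len=(?P<len>\d+)\):\s*(?P<hex>(?:[0-9a-f]{2}\s*)+)$"
)
# Header of a hexdump_ascii(); the payload follows on the next line (assumption
# based on the capture in the post).
HEXDUMP_ASCII_HDR_RE = re.compile(
    r"(?P<label>PSK \(ASCII passphrase\))\s*-\s*hexdump_ascii\(len=(?P<len>\d+)\):\s*$"
)
# Payload line: hex bytes, then the printable rendering (the passphrase itself).
HEXDUMP_ASCII_BODY_RE = re.compile(r"\] :\s+(?P<hex>(?:[0-9a-f]{2} ?)+)\s+(?P<ascii>\S+)\s*$")


@dataclass
class Finding:
    line_no: int
    material: str   # what hostapd labelled the dump
    length: int     # byte length hostapd reported


def scan_hostapd_log(text: str):
    """Return (findings, redacted_lines) for a block of console output."""
    findings, redacted = [], []
    pending_ascii = None  # (label, length) after a hexdump_ascii header
    for no, line in enumerate(text.splitlines(), start=1):
        if "com.apple.wifi.hostapd" in line:
            m = HEXDUMP_RE.search(line)
            if m:
                findings.append(Finding(no, m["label"], int(m["len"])))
                redacted.append(line[:m.start("hex")] + "[REDACTED]")
                pending_ascii = None
                continue
            h = HEXDUMP_ASCII_HDR_RE.search(line)
            if h:
                pending_ascii = (h["label"], int(h["len"]))
                redacted.append(line)
                continue
            if pending_ascii:
                b = HEXDUMP_ASCII_BODY_RE.search(line)
                if b:
                    findings.append(Finding(no, pending_ascii[0], pending_ascii[1]))
                    redacted.append(line[:b.start("hex")] + "[REDACTED]")
                    pending_ascii = None
                    continue
        pending_ascii = None
        redacted.append(line)
    return findings, redacted


if __name__ == "__main__":
    found, clean = scan_hostapd_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.material} ({f.length} bytes) leaked")
    print("\n".join(clean))
```

Run against the capture above, the scanner reports the passphrase (10 bytes), the PSK (32 bytes), the GMK (32 bytes) and the GTK (16 bytes), and the redacted output keeps the state-machine line untouched since it carries no key material.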


GOING FURTHER...

If you're interested in our findings, our techniques and our tools (*), feel free to join us during our next training sessions, so that we can have direct interactions and share 0days, exploits and attack/defense concepts, so that you can fight the bad guys beyond the Matrix:

- Asia / April 2011: during next SyScan Singapore Conference, Training Advanced PHP Hacking
 
- Europe / May 2011: during next HITB Amsterdam Conference, Training Hunting Web Attackers


(*) Examples of vulnerabilities found by TEHTRI-Security in 2010:

    We wish you happy updates of your devices this week…

    @tehtris
    http://www.tehtri-security.com/