Monday, April 25, 2011

Disabling iPhone Tracking ? Do it Yourself (DiT?DiY)


Situation

An iPhone iOS4 built-in tracking feature was recently discussed publicly as sharp people, Alasdair Allan and Pete Warden, created an opensource application called iPhone Tracker.

A file called "consolidated.db", that exists on iPhones and 3G iPads, contains enough information to map users movements thanks to tracking capabilities containing interesting stuff, like MAC Addresses of Access Points, GSM details, etc.

Since it became more public (and beyond the fact that it was already known..), tons of people are thinking that it could be a malicious feature from Apple. Here in this blog, we won't focus on political or strategic answers.

We just want to play our role: looking at technical security issues in this world of never-ending growing dependancies between humans and technologies. By the way, we don't want to repeat excellent analysis that already exist on many places over the web.

So, let's try to think about a solution for owners of iPhones who need strong privacy.

Disabling the threat on Jailbroken iDevices

There are multiple tiny technical problems discussed on the Net with this file "consolidated.db". This happens to be an Sqlite file, like many other files of the iPhone and the iPad.

A solution has been proposed to the owners of jailbroken iPhones, through a nice tool called "Untrackerd".

Once installed, a standard Unix process called "/usr/bin/untrackerd" runs in the background, and tries to regularly destroy parts of the consolidated.db file. More exactly, it will try to focus on SQL actions like:
DELETE FROM CellLocation WHERE Timestamp ..
DELETE FROM WifiLocation WHERE Timestamp ..

The problem is that most iPhone owners don't jailbreak their fetish device. So, this solution would not help in that case. Of course, having a jailbroken iPhone device is really powerful and you have many ways to disable those location tracking issues, as it's just a Unix fight between you (root) and some processes and files, with nothing hidden or complex.

Could we have something for standard end-users with no jailbreak ?


Trying to disable the threats on non-jailbroken iPhones

A nice proposition was published by Dominic White on his blog ( http://singe.za.net/blog/archives/1029-Quick-note-on-the-iPhone-Location-Tracking-Disclosure.html ). Basically, he explains that you can take the latest backup of your iPhone, open this file to extract the unwanted "consolidated.db" file. Then if you modify it, re-insert it in the backup, and ask iTunes to do a recovery of your iPhone on this latest (modified) backup, you'll have fake data on a non jailbroken iPhone !

This is a quite good article, with technical details about how to play with the backup issues and files extractions, etc.

To quote this blog again, one limitation would then be that you would have to do all those steps regularly, in order to clean the new location data that gets written on the iPhone. What a pain..


Disabling iPhone Tracking, Do it Yourself :-)

Here is our humble solution for non-jailbroken iPhones. On such a device, we can't delete/shred the consolidated.db file. We can't add programs on the iPhone (for classical end-users) that would add security. We can't modify permissions on the file system. We can't do so many things, as it's a non-jailbroken iPhone.

So, for those who are forced to live with the file "consolidated.db" itself, TEHTRI-Security proposes to patch this Apple file, and to add some lines of hacking inside it. We found that by adding SQL TRIGGERS inside the file itself, we can totally get rid of the tracking issues.

Our technique is quite simple: each time the iPhone tries to insert data into this (malicious?) database, "consolidated.db", we delete any entries of the tables. How can we do that, as we have no evil process running on a non-jailbroken iPhone ? As we wrote previsouly, there is a SQL Feature, well known by hackers, which is called TRIGGERS. It's a way to have an automatic action played each time a specific database event is seen.

At TEHTRI-Security, we used TRIGGERS tons of time for our penetration tests in highly sensitive environment with customers who wanted to see if automatic evil things could happen in their databases, ERP, etc. Here it's cool to see that TRIGGERS can also be used for positive things, as it might help those of you who really need to avoid privacy issues.

SQLite3 TRIGGER Patch examples:
create trigger privacy_in_WifiLocationHarvest after insert on WifiLocationHarvest begin delete from WifiLocationHarvest; end;

create trigger privacy_in_LocationHarvest after insert on LocationHarvest begin delete from LocationHarvest; end;

Of course, you could also wait the future Apple feature that will propose you to delete the cache of locations of your iPhone. But if you don't want to wait, and if you want to destroy those lines of data each time the iPhone tries to write them, then you can try our solution.

Of course, TEHTRI-Security cannot be taken responsible for anything bad that would happen because of false manipulations on your devices. Do things carefully and of course follow the laws & licences issues in your countries.

Here are the steps that can be followed:

1- Download http://www.tehtri-security.com/tehtris-iphone-privacy.sql

2- Rebuild your own consolidated.db file by applying our previous SQL file
Example:

sqlite3 consolidated.db '.read /Users/idev/iphone/tehtris-iphone-privacy.sql'

3- Deploy this new patched "consolidated.db" file containing our TRIGGER tricks that will delete anything from this database, each time the iPhone moves even the smaller finger..

Non-Jailbroken devices: use iTunes recovery as explained before (check the blog of Dominic White for the whole process).

Jailbroken devices: if you prefer our solution, that does not run a new process in the background (compared to the "untrackerd" solution) with live automatic deletion, you just have to copy the new patched consolidated.db

$ scp consolidated.db root@your-jailbroken-iphone:/private/var/root/Library/Cache/locationd/consolidated.db

We hope this tiny article will help some people seeeking for native easy solutions with standard tools, who would need a stronger level of privacy. Of course, this is just a quick article with most pointers to the needed concepts. You'll have to dig yourself if you want to build your own stuff based on our TRIGGER Patch solution.

Notice that TEHTRI-Security has landed in Singapore this week, to join the awesome SyScan 2011 event leaded by Thomas Lim in his team. Last year, at SyScan 2010, we published 13 0days, with ways to counter-attack exploit-kits (tools like Eleonore, Zeus, SpyEye..). This year, we will focus on tricks and attacks related to web clients, etc (http://www.syscan.org), smartphones, etc. There will be many other tremendous talks given by sharp speakers dealing with IT Security and smartphones (like S.Esser!).

Should be a hot week here. Do not hesitate to join us here in Singapore, especially if you want more information about privacy issues on phones, attack/defense issues, etc.

Have fun(phone).

TEHTRI-Security - "This is not a Game"
Twitter: @tehtris
Web:     http://www.tehtri-security.com
Agenda:  http://www.tehtri-security.com/en/agenda.php