Home > iPhone Espionage > iPhone Espionage

iPhone Espionage

Slashdot published this article “iPhone’s PIN-Based Security Transparent To Ubuntu” in May 2010.   This shouldn’t work on Jailbroken iPhone 4 as the vulnerability is reported so long ago.

Using the below tool, you are able to access SMS database and other confidential information which are supposed to be protected on a passcode protected jailbroken iPhone.  Well, if you have a non jailbroken iPhone, you are safe!

In order to recreate the demo that I did in HackInTheBox, you will need to run the below on your Ubuntu/Debian system or you can download the shell script from https://github.com/milo2012/iPhone-Espionage/raw/master/evil_gf_attack/setupPrerequisites.sh

  • apt-get install libusb-dev usbmuxd libimobiledevice-dev libplist-dev libgnutls-dev build-essential libgnutls-dev libxml2-dev libreadline5-dev libgcrypt-dev libglib2.0-dev libplist-dev libusbmuxd-dev usbmuxd make automake autoconf libtool gcc python-dev git libfuse-dev libimobiledevice-utils -y
  • mkdir /tmp1 && cd /tmp1
  • git clone https://github.com/mcolyer/libiphone.git
  • cd libiphone && ./autogen.sh && ./configure && make && make install
  • cd /tmp1
  • git clone https://github.com/mcolyer/ifuse.git
  • cd ifuse && ./autogen.sh && ./configure -prefix=/ && make && make install
  • cd /tmp1
  • wget http://www.libimobiledevice.org/downloads/ideviceinstaller-1.0.0.tar.bz2
  • bunzip2 -d ideviceinstaller-1.0.0.tar.bz2 && tar xvf ideviceinstaller-1.0.0.tar && cd ideviceinstaller-1.0.0 && ./configure && make && make install
  • cd /tmp1
  • apt-get install libgtk2.0-dev libnautilus-extension-dev intltool libzip-dev -y
  • wget http://www.libimobiledevice.org/downloads/nautilus-ideviceinfo-0.1.0.tar.bz2
  • bunzip2 -d nautilus-ideviceinfo-0.1.0.tar.bz2 && tar xvf nautilus-ideviceinfo-0.1.0.tar && cd nautilus-ideviceinfo-0.1.0 && ./configure && make && make install

After installing the prerequisites, create a folder called /tmp1 and download the file com.apple.CrashHousekeeping.plist and put it inside /tmp1

Since we are unable to use launchctl command to allow our binaries to run during setup, we need to find an alternative means.

It seems possible to overwrite the plist file for any iOS service and iOS doesnt do any verification at all.  We have identified a list of launch daemons which can be safely replaced to execute our own executable instead.  http://modmyi.com/forums/file-mods/682255-speed-up-your-iphone-ipod-removing-launch-daemons.html

You might want to modify the plist file with the time and executable that you want it to execute.

Next, you will download scanUSB.sh (from https://github.com/milo2012/iPhone-Espionage/blob/master/evil_gf_attack/scanUSB.sh) and put it inside /tmp1/ as well.

Run scanUSB.sh and then connect your iPhone to one of the USB ports on your computer.

It should rip out a couple of databases like google maps cached location, call history database, SMS database and cell tower location database.

It should not take more than 3 seconds if you connect it locally instead of via a VM.

Edit and compile https://github.com/milo2012/iPhone-Espionage/tree/master/sql2 and then save it in /tmp1/Transfer/sql12.

sql2 is a iPhone tool which is a POC code which extracts your Facebook caches/database as well as Dropbox offline files.
You can find more tools which you can deploy via scanUSB from here https://github.com/milo2012/iPhone-Espionage

You might want to recompile this with your own email address and password so that it delivers the information to your email.

Run /tmp/scanUSB.sh and then connect your iPhone.

Let me know if you face any issues or have any suggestions on how I can improve the tools.  Enjoy!

About these ads
Categories: iPhone Espionage
  1. TT
    October 16, 2011 at 6:57 am

    I liked your presentation and ideas in HITB.
    kbhook2, whatsapp1, location1 etc, are basically small (standalone) applications that uses the normal iPhone API?

    Are you planning to extend the script to upload and execute those applications too?

    Are you planning to extend the script so it will jailbreak un-jailbroken iphones and steal the data?

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: