
Hacking, Icloud

An iPhone is considered a pain in the a*** for thieves to hide, because it is easily traceable through Find My iPhone. “Find my Phone” got a lot of attention recently; it is like a gladiator who is there to fight for you if your phone is lost or stolen. The interesting fact is that thieves will always find a way to trick this guard and walk freely.

A few months back, a bug was discovered that let users disable “Find my Phone” without proper authentication, and Apple patched it in a subsequent update.

Today, in this article, I will discuss a way to disable “Find my Phone” on all versions of iPhone, including upcoming ones.

Let’s first explain how Find my Phone works:

The user (presumably one who has lost his/her iPhone) logs into his/her iCloud account and puts the phone in Lost Mode, setting a passcode if one is not already set. As soon as the phone connects to the Internet, it syncs with iCloud and gets locked, or is even wiped back to factory defaults.

More details can be found on Apple’s website.


The picture below describes a situation where an iPhone user is able to trace his/her phone via Find my Phone.


These are a few approaches that can make Apple devices untraceable (defeating Find my Phone):

1) Creating a Private DNS Server

This is a very easy approach and works one hundred percent of the time. One can set up a custom DNS server and redirect all iCloud (or Find my Phone) traffic to itself or somewhere else, making *.icloud.com unreachable. Once configured, the server’s IP can be assigned to the iPhone or to the gateway (router).

One can assign the DNS server IP to his/her gateway router and connect the iPhone to it. This way, s/he can use the phone without worrying about it getting locked, wiped, or traced remotely.

On jailbroken iPhones, the hosts file can be modified to block communication to or from iCloud without using a private DNS server. For cellular use, a VPN can be configured to use this DNS server instead of the default ones.

Fig: Method of communication between iCloud and a lost iPhone.

Fig: Using a private DNS server to prevent any communication between iCloud and the phone.


This is a hard-to-patch bug for anyone, and Apple is no exception. Hard-coding the IP addresses will not work either: the hard-coded IPs can simply be blacklisted at the gateway to bypass it. If there’s any way to patch it, please feel free to mention me at @N_Cnew.

2) Setting up a proxy, passing all traffic through it, and dropping the iCloud traffic will make the phone appear offline to iCloud.

Here, I intercept iCloud traffic using Burp Suite; however, this requires installing a CA certificate on the phone to be able to intercept HTTPS traffic.

I tried to put my iPhone in Lost Mode from iCloud, setting a new passcode along with a warning message and a phone number to show on the lock screen. iCloud sends all this information when syncing with my iPhone, which I was able to intercept as shown in the figure below.

Even worse, many of us use the same PIN code on our other devices; if the passcode is the same for those devices, that is a lucky day for the thief. Much more information can be gained from the traffic that the owner sends from iCloud while the thief is reading it.


Apple’s protection to stop this all

PassCode Lock & Finger Print Lock

A passcode lock can be considered a good method to protect against all this, to some extent. Fingerprint lock is considered more secure, but it requires a backup PIN/passcode. Still, there is some probability of obtaining the owner’s fingerprint from his/her own iPhone; Jan Krissler’s demonstration of copying a minister’s fingerprint from a photo is the old cliché among security researchers. According to his research, a lot of people use common passcodes, which are very easy to guess. Devices like the IP Box are available on the market and can be used to crack iPhone passcodes.


Mistakes people make that lead to iCloud account takeover:

1) The iCloud email account is set up in the Mail app of the iPhone or iPad. Often, people don’t change their email password as soon as the device is lost. In such cases, the email account can be used to reset their iCloud password.

2) Many people don’t set a passcode on their iPhone, and those who do mostly choose common passcodes (e.g. 0852, 12345, 147258, 2580).

3) Many do not turn on Find my Phone. (Case: I asked one of my friends why he doesn’t turn Find my Phone on; he replied that it consumes his cellular data, so he turned it off. I had nothing to say in reply.)

If the email account associated with iCloud has been added to Mail, and thieves can get access to that mailbox, they can request a password reset for iCloud from it and get into your iCloud account. Once they are in, there’s a lot one can do, such as turning off Find my Phone. They can also lock all your other Apple devices that use the same Apple ID, which is the scariest case.
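The common-passcode problem above is easy to turn into a check. This is an added example, not code from the original post: a small policy checker that flags the kinds of passcodes the post lists (0852, 12345, 147258, 2580) by looking for common codes, repeated digits, numeric sequences and straight lines drawn on the phone keypad. The common-code list and the six-digit minimum are constructed assumptions, not Apple’s rules.

```python
# Constructed sample of commonly chosen passcodes. The post names 0852, 12345,
# 147258 and 2580; the rest are added here for illustration, not a published list.
COMMON_PASSCODES = {"0000", "1111", "1234", "0852", "2580", "12345",
                    "147258", "123456", "111111", "123123", "000000"}

# Row/column of each digit on a phone keypad: 1-2-3 / 4-5-6 / 7-8-9 / 0 below 8.
KEYPAD = {d: (i // 3, i % 3) for i, d in enumerate("123456789")}
KEYPAD["0"] = (3, 1)
MIN_LENGTH = 6  # assumed policy minimum for this check, not an Apple figure

def _is_keypad_line(digits):
    """True when every step between consecutive keys is the same non-zero move."""
    pts = [KEYPAD[d] for d in digits]
    steps = {(b[0] - a[0], b[1] - a[1]) for a, b in zip(pts, pts[1:])}
    return len(steps) == 1 and steps != {(0, 0)}

def _is_keypad_pattern(code):
    """True when the code splits entirely into straight keypad lines of 3+ keys."""
    i = 0
    while i < len(code):
        j = len(code)
        while j - i >= 3 and not _is_keypad_line(code[i:j]):
            j -= 1          # shrink the candidate line until it is straight
        if j - i < 3:
            return False    # no straight line of 3+ keys starts here
        i = j
    return True

def passcode_weaknesses(code):
    """Return the reasons a numeric passcode is easy to guess ([] if none found)."""
    if not code.isdigit():
        return ["not numeric"]
    reasons = []
    if len(code) < MIN_LENGTH:
        reasons.append("shorter than %d digits" % MIN_LENGTH)
    if code in COMMON_PASSCODES:
        reasons.append("common")
    if len(set(code)) == 1:
        reasons.append("repeated digit")
    elif any(len(code) % n == 0 and code == code[:n] * (len(code) // n)
             for n in range(1, len(code) // 2 + 1)):
        reasons.append("repeated block")   # e.g. 123123 or 4545
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    if steps in ({1}, {-1}):
        reasons.append("sequence")         # e.g. 12345 or 9876
    if _is_keypad_pattern(code):
        reasons.append("keypad line")      # e.g. 2580 (a column) or 147258
    return reasons
```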

router, Vulnerability

200K Online Home Routers Affected Worldwide (approximately)

There are more than 3 billion Internet users worldwide. With the growth in Internet users, home router sales have also increased. But sadly, the security risk in home routers has risen rapidly as well.

There is an ongoing war between the Red Team and the Black Team; both are trying to find security issues in home routers. Previously, various security issues in home routers have been identified by security researchers, and nobody seems to be concerned about them. Default credentials on online devices are already a playground for ‘crackers’.

Before revealing our research, let’s see how this security issue can be used by an attacker.


The picture above is the typical home router attack scenario, where an attacker can hack the router and hijack the DNS session. So if a home router is hacked, the PCs or devices connected to it could easily be compromised. Our security researcher Nabin KC (@N_Cnew) has published his white paper regarding this issue. Here is a demonstration of how a hacked router can be used to compromise PCs inside NAT.

The Story of a Discovery

Let’s begin with our story of discovery. It was a usual day in our office, and my colleague Nabin KC was busy with his research. But he had problems connecting to the Internet. One of the routers that we used for lab purposes was a home router, and it was giving us severe pain: every time we used nmap for scanning, that router hit a bottleneck.

So Nabin, with the motive of eliminating the issue, tried to upload another open source router firmware, but he failed. Then he thought of reverse engineering the router firmware used in our lab. Surprisingly, he discovered a hard-coded backdoor username and password, and it’s ” super

Hard-coded Backdoor

After getting this backdoor information, we had mixed feelings: either we had been pwned, or there was something wrong with the firmware. The latter was highly likely in this case. So I started my research and tried to find the root cause. I never found the answer to how this firmware came into existence, but I discovered many hidden things revolving around it.

During our research, we tried to find similar security issues in other models. Surprisingly, we found that the same firmware had been used by other router vendors too: more than 10 major router vendors have been shipping this same backdoored firmware.


We also found several unregistered and unknown router vendors using this same firmware. Here is the list of affected router vendors and their router models:

Digicom: DAPR 150RN, DAPR 300RN

Alpha Network: AIP-W525H, AWAP806N

Pro-Link: PRN3001, WNR1008

Planet Networks: WNRT-300G

Trendnet: TEW-638APB, TEW-639GR, TWE-736RE

Realtek: RTL8181, RTL8186, RTL8186P

Bless: Zio-3300N, Zio-4400N, Zio-3200N

SmartGate: SG3300N, SG3100N

Blue Link: BL-R30G

We also found many counterfeit routers using the same affected firmware.


So after three months of extensive research, we found out that more than 200,000 home routers (online) all over the world have been affected by this same router firmware. From this we estimate that approximately half a million devices (combining offline and online) are affected.

Moral of the Story

Every user needs to know their device and its vendor before purchasing.
Creating a hard time for an attacker is always a win-win situation; use as much defense as you can.
As an end user, the best way to protect your home router is to disable the remote web management console if you do not need it. There’s no way you can change the backdoored username and password.

And the last option is to use open source firmware if your device supports it (e.g. OpenWrt).

Public Disclosure

The above research was recently presented at the International Conference on Cyber Security and Cyber Law 2015 (Feb 21) by Nabin KC and Bijay Limbu Senihang, held at Hotel Yak and Yeti, Kathmandu, Nepal. Please view the slides here.

PS: Router vendors have been informed about this issue. Only Trendnet has replied to date.

Hacking

I am Nabin KC, and I am very fond of researching embedded devices. One day I decided to test the security of my home Digicom router, to check if I could run the “Is Your PC Safe Inside NAT” attack against it. After finding a simple stored XSS bug, I started digging deeper to see if I could find a more serious bug. Then I started analysing the session ID that is generated every time I log in. After a few minutes I discovered that the session value increases by 1.

If the previous session ID was n, then the next session ID will be n+1:

Session: n (where n is any number)

Session: n+1 (this continues until the router is rebooted)

After analysing the session generation logic of the router, I sent the admin login traffic to Burp to look for any running session. I started brute-forcing the session ID and found one session which had not expired. With that session, anyone can get full administrative rights: you can create a new SSID, change the WiFi password, or, if you want to hack PCs, change the DNS settings and go on to attack the other devices within that network.
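The counter-based session ID described above is the whole bug: knowing one ID tells you every other one issued since the last reboot. As an added example (a constructed model, not the router’s firmware or the author’s PoC), the snippet below shows that behaviour beside the hardened form, where IDs come from the OS CSPRNG, plus a small audit helper that tells the two apart from a handful of IDs obtained by logging in to your own device.

```python
import secrets

class SequentialSessions:
    """Constructed model of the post's behaviour: every login is issued the
    previous session id + 1 until the router reboots."""
    def __init__(self, start=1000):
        self._next = start
        self.active = set()

    def login(self):
        sid = self._next
        self._next += 1
        self.active.add(sid)
        return sid

    def is_valid(self, sid):
        return sid in self.active

class RandomSessions:
    """Hardened form: ids come from the OS CSPRNG, so learning one id says
    nothing about any other, and 128 bits cannot be brute-forced."""
    def __init__(self, nbytes=16):
        self.active = set()
        self._nbytes = nbytes

    def login(self):
        sid = secrets.token_hex(self._nbytes)   # 32 hex chars, 128 bits
        self.active.add(sid)
        return sid

    def is_valid(self, sid):
        return sid in self.active

def looks_predictable(sample_ids):
    """Audit helper: given ids observed from several of your own logins,
    return True when consecutive ids differ by one constant step, which is
    the signature of a counter-based generator like the one in the post."""
    vals = [int(s, 16) if isinstance(s, str) else int(s) for s in sample_ids]
    if len(vals) < 3:
        raise ValueError("need at least three observed ids")
    steps = {b - a for a, b in zip(vals, vals[1:])}
    return len(steps) == 1
```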

This hack can easily be done from a remote location if anyone can find the IP of an affected router. When it comes to online devices, Shodan will help. I am really sorry that I can’t provide the Shodan link for this device due to legal issues.

The PoC of the above-mentioned bug is below (CVE-2014-8496).

 

This bug has been assigned CVE-2014-8496, and this PoC is just for educational purposes, so as the author I will not be responsible for any of your illegal actions. After publishing this bug there was no excitement at all on my face, but when the MITRE guys told me that it is the first CVE from Nepal, my face was similar to this 😀

Soon I am going to write an article

A Tale of Rogue Router Firmware Chaos #Backdoor

So keep in touch ….. @N_Cnew (mt88fo8)