In a recently leaked document it was revealed that the NSA had a project called “Dropout Jeep”. The purpose of the program was to install a rootkit on an iPhone that would allow calls and other information to be intercepted, as well as enable the device as a microphone, track location and other activities. A similar program by Britain’s GCHQ has had similar tools with various components.
Some security/privacy experts went so far as to claim that Apple was involved in helping the NSA develop such a tool by providing a backdoor, without any actual proof to back up their statements. Many media outlets had misleading headlines about the NSA having full access to the iPhone. In reality Apple would not need to be involved at all for such an exploit, any more than they would be involved in the jailbreaking process of iOS. All that is needed is physical access to the device and a bit of voyeuristic intent.
The “Dropout Jeep” slide was dated October of 2008. The first iPhone was jailbroken (rooted) within a few days of release in June of 2007. With these existing processes of rooting an iPhone available to anyone, circumventing security controls on the device doesn’t require NSA level security clearance, or a back door from Apple.
Jailbreaking for Spies
The primary purpose of jailbreaking an iPhone has been to give device owners more control over their device. It is a means to empower the technically savvy with a means to install customized applications and expand the device’s functionality.
However, when it comes to surveillance. jailbreaking can provide an organization, country or company the ability an easy way into an unsuspecting targets phone and communications. I worked with my friends at DEP who have developed a proof-of-concept with several components to illustrate this very point.
The proof-of-concept not only illustrates how one can jailbreak a phone simply by plugging it into the wrong device, but also how to install stealthy apps with hooks to intercept phone calls and applications such as Skype:
Payload Deployment & Persistence
Once the jailbreak process is automatically initiated, the malicious payload drops our controller application “RedEye.app”:
To help ensure persistence and to evade detection, additional simple functionality is implemented at startup to hide that the device is jailbroken. I found it interesting that one of the main methods to detect if an iPhone is jailbroken relies on simply checking to see if the Cydia application is installed.
In addition to disable the the software update, the automatic process updates the System Version values (/system/library/coreservices/SystemVersion.plist) to disable the software update process:
Call, Microphone and App Hooks
To record voice data a hook in the “RedEye.app” a hook is implemented to detect audio.
To turn the iPhone into a remote microphone, the application is setup to listen from calls from a specific number and enable the microphone of the device covertly through another hook.
Additional hooks can be implemented for specific applications such as Skype or other messaging applications. Pretty much any data on the phone can easily be intercepted and sent to our remote data collection server.
As you can see, the NSA is not the only entity capable of covertly intercepting communications on a device, particularly when the attacker has physical access to it. Government spying, corporate espionage, stalkers and other entities all can have similar motivations for turning someone’s phone into a spy phone.
One thing that can be done that can mitigate the risk of some of these automatic jailbreaking methods is to set a passcode on your device. However, there are methos being developed that will also circumvent those controls.
It is important when traveling to keep your phone with you at all times, never leave your phone in a hotel room, it only takes 20 seconds to compromise a device. Be careful what devices you plug your phone into when charging or synching data, plug into the wrong system and you may be getting more than just a charge.
And be sure to join us at Tripwire’s Booth (3501) to get your free customized t-shirt printed on the spot, and listen to an array of in-booth guest speakers we have lined up. For the speaking schedule and information on how to obtain a free RSA Expo pass, see more details here.
- Chromejacking – Or How I Learned to Stop Worrying and Love Chromium Sync
- OpenX Ad Server and Remote Code Execution Vulnerability
- Distributed Nmap Port Scanning with a DNmap Megacluster
- Vulnerabilities: It’s Time to Review Your ReviewBoard
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Definitive Guide to Attack Surface Analytics
Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.
Title image courtesy of ShutterStock