
In a recently leaked document it was revealed that the NSA had a project called “Dropout Jeep”. The purpose of the program was to install a rootkit on an iPhone that would allow calls and other information to be intercepted, as well as enable the device as a microphone, track its location and perform other activities. Britain’s GCHQ has had a similar program with comparable tools and components.

Recreating Dropout Jeep

Some security/privacy experts went so far as to claim that Apple was involved in helping the NSA develop such a tool by providing a backdoor, without any actual proof to back up their statements. Many media outlets ran misleading headlines about the NSA having full access to the iPhone. In reality Apple would not need to be involved at all for such an exploit, any more than it is involved in the jailbreaking of iOS. All that is needed is physical access to the device and a bit of voyeuristic intent.

The “Dropout Jeep” slide was dated October of 2008. The first iPhone was jailbroken (rooted) within a few days of its release in June of 2007. With these existing processes for rooting an iPhone available to anyone, circumventing security controls on the device doesn’t require NSA-level security clearance or a back door from Apple.

Jailbreaking for Spies

iPhone Rootkit

The primary purpose of jailbreaking an iPhone has been to give device owners more control over their device: a way for the technically savvy to install customized applications and expand the device’s functionality.

However, when it comes to surveillance, jailbreaking can give an organization, country or company an easy way into an unsuspecting target’s phone and communications. I worked with my friends at DEP who have developed a proof-of-concept with several components to illustrate this very point.

The proof-of-concept not only illustrates how one can jailbreak a phone simply by plugging it into the wrong device, but also how to install stealthy apps with hooks to intercept phone calls and applications such as Skype:

Payload Deployment & Persistence

Once the jailbreak process is automatically initiated, the malicious payload drops our controller application “RedEye.app”:

To help ensure persistence and to evade detection, additional simple functionality is implemented at startup to hide that the device is jailbroken. I found it interesting that one of the main methods to detect if an iPhone is jailbroken relies on simply checking to see if the Cydia application is installed.

To disable the software update process, the automatic process also modifies the system version values in /system/library/coreservices/SystemVersion.plist:
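As an added example (not code from the post or from the DEP proof-of-concept), the following Python script shows why a defender should look past the single “is Cydia installed” check mentioned above. It walks a directory that mirrors a device root, as an examiner would see it in a filesystem dump, for several commonly cited jailbreak indicators, and it compares the ProductVersion in SystemVersion.plist with the version the device is expected to be running, to catch the kind of tampering just described. The sample tree, the version strings and the exact set of indicator paths are assumptions made for this demonstration.

```python
"""Offline check for jailbreak indicators in an iOS filesystem tree.

Added example, not part of the original post. Paths are commonly cited
jailbreak indicators; the sample tree and version numbers are constructed.
"""
import os
import plistlib
import tempfile

# Commonly cited jailbreak indicators, relative to the device root.
# Cydia.app is only one of them; a rootkit that hides Cydia leaves the rest.
INDICATOR_PATHS = [
    "Applications/Cydia.app",
    "Library/MobileSubstrate/MobileSubstrate.dylib",
    "bin/bash",
    "usr/sbin/sshd",
    "etc/apt",
    "private/var/lib/apt",
]

SYSTEM_VERSION_PLIST = "System/Library/CoreServices/SystemVersion.plist"


def jailbreak_indicators(root):
    """Return the indicator paths that exist under `root`."""
    return [p for p in INDICATOR_PATHS if os.path.exists(os.path.join(root, p))]


def system_version_mismatch(root, expected_version):
    """True if SystemVersion.plist is missing, unreadable, or reports a
    ProductVersion different from the one the device is believed to run."""
    path = os.path.join(root, SYSTEM_VERSION_PLIST)
    try:
        with open(path, "rb") as fh:
            info = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return True
    return info.get("ProductVersion") != expected_version


def assess(root, expected_version):
    """Combine both checks into a single verdict."""
    found = jailbreak_indicators(root)
    mismatch = system_version_mismatch(root, expected_version)
    return {
        "indicators": found,
        "version_mismatch": mismatch,
        # Any surviving indicator, or a tampered version plist, raises the flag,
        # so hiding Cydia.app alone is not enough to evade this check.
        "likely_jailbroken": bool(found) or mismatch,
    }


def build_sample_tree(present_indicators, product_version):
    """Construct a throwaway directory that mimics a device root (constructed
    test data). `product_version=None` omits SystemVersion.plist entirely."""
    root = tempfile.mkdtemp(prefix="ios-root-")
    for rel in present_indicators:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    if product_version is not None:
        plist_path = os.path.join(root, SYSTEM_VERSION_PLIST)
        os.makedirs(os.path.dirname(plist_path), exist_ok=True)
        with open(plist_path, "wb") as fh:
            plistlib.dump({"ProductName": "iPhone OS",
                           "ProductVersion": product_version}, fh)
    return root


if __name__ == "__main__":
    # Scenario from the post: Cydia.app hidden, the rest of the jailbreak in
    # place, and the version plist rolled back so updates never appear.
    hidden_cydia = [p for p in INDICATOR_PATHS if "Cydia" not in p]
    root = build_sample_tree(hidden_cydia, product_version="6.1.3")
    print(assess(root, expected_version="7.0.4"))
```

The expected version must come from a source the device cannot tamper with, such as the mobile-device-management inventory or the build the organization shipped the phone with; comparing the plist against itself would be meaningless.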

Call, Microphone and App Hooks

To record voice data, a hook in “RedEye.app” is implemented to detect audio.

To turn the iPhone into a remote microphone, the application is set up to listen for calls from a specific number and covertly enable the device’s microphone through another hook.

Hook for Enabling iPhone Microphone

Additional hooks can be implemented for specific applications such as Skype or other messaging applications. Pretty much any data on the phone can easily be intercepted and sent to our remote data collection server.

Mitigation

As you can see, the NSA is not the only entity capable of covertly intercepting communications on a device, particularly when the attacker has physical access to it. Government spying, corporate espionage, stalkers and other entities all can have similar motivations for turning someone’s phone into a spy phone.

One thing that can mitigate the risk of some of these automatic jailbreaking methods is to set a passcode on your device. However, methods are being developed that will also circumvent those controls.

When traveling, keep your phone with you at all times and never leave it in a hotel room: it takes only 20 seconds to compromise a device. Be careful which devices you plug your phone into when charging or syncing data; plug into the wrong system and you may be getting more than just a charge.

And be sure to join us at Tripwire’s Booth (3501) to get your free customized t-shirt printed on the spot, and listen to an array of in-booth guest speakers we have lined up. For the speaking schedule and information on how to obtain a free RSA Expo pass, see more details here.


Resources:

The Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

 

Definitive Guide to Attack Surface Analytics

Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.

 

Title image courtesy of ShutterStock

  • Emmy

    very nice tutorial for beginners. very useful.

  • Natalie Diaz

    This really looks like an important development I would say. This is really good thing for the agencies like NSA or some time this might create some big threats as well.

  • The good app review. I’m taking a deep look into this software and believe that it’s a good build of its nature. I like it

  • Carlos alcaizer

    A great article and tutorial. Thanks for your time

  • Diane C. Alonzo

    From your writing I’ve come to know vital knowledge about iPhone rootkits, which is a very enjoyable one to look at in my view. I hope most iPhone users also love this guide like me.

  • Dominick Giammarino

    I would love to be able to hack phones like that. Unfortunately I’m only good at using the internet to do research. I build websites, it’s nice to work without a bunch of people running around, getting in your way.

  • Mati Magallanes

    This really appears like an essential development I’d say. This is actually positive thing for that agencies like NSA or a while this may create some large risks too.

  • Thanks…

  • Nitesh

    awesome… :)

  • Eng

    Nice article. I am really thankful to you for such an informative site. It really proves helpful for all of us.

  • mobilepundits

    Installing root kits on an iPhone seems to be a difficult task for anyone. I hope your article gives an easy way to install rootkits on my iPhone.
    Thanks for sharing!

  • Bangalore mania

    This truly shows up like a vital improvement I'd say. This is really positive thing for that organizations like NSA or a while this may make some vast dangers as well.

  • Jakob

    How do I download this to my iPhone and hack remotely? If possible