Inside Apple’s MDM Black Box
David Schuetz, Senior Consultant, aka Darth
[email protected] / @schuetzdj

Why am I here?
• Have customers

Authenticate Response
• Server can decline enrollment
• A blank plist is a valid “ok” response
<?xml version="1.0" encoding="UTF-8"

Commands and Responses
Command List
• Configuration
  – Install and Remove Configuration Profiles
  – Install and Remove Provisioning Profiles
• Status
  – Device In

New in iOS 5
• Configuration
  – Install, update, remove applications
  – Apply Configuration Settings
  – Apply Redemption Code
• Status
  – List Managed Applications

Client Initial Connection
• Simple “status” message
• Identifies self via UDID
• Triggers server to provide command
<plist version="1.0">

Generic Response
• Returned for many commands
  – Basically, anything other than a query cmd
• If not Acknowledged, likely will get error msg
<plist versi

DIY MDM Server
DIY Server
• Fewer than 500 lines of Python
• Uses standard libraries, plus:
  – web.py
  – APNSWrapper.py
  – OpenSSL (command-line)
• Simple command

DIY Server
• Very rough:
  – Implements all commands
  – But not all responses
  – Only one device at a time -- “last in wins”
• No guarantees
• Good starting point
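The server side of the exchange the slides describe (the device's “Status: Idle” check-in, the Acknowledged/error replies to commands, and the blank plist as an “ok”/“nothing more” response), written as an added Python example that is not the talk's DIY server. The key names CommandUUID, RequestType, ErrorChain and the NotNow status are assumed from Apple's MDM protocol rather than taken from the slides, and the example keeps one queue per UDID instead of the “last in wins” single device.

```python
import plistlib
import uuid
from collections import deque

# Per-device command queues keyed by UDID. The talk's DIY server tracked one
# device ("last in wins"); keeping a queue per UDID removes that limit.
QUEUES = {}      # udid -> deque of command plists not yet sent
IN_FLIGHT = {}   # CommandUUID -> (udid, command) sent and awaiting a reply
LOG = []         # (event, udid, detail) tuples for the operator

def queue_command(udid, request_type, **params):
    """Queue a command for one device and return its CommandUUID."""
    cmd = {"CommandUUID": str(uuid.uuid4()),
           "Command": dict(RequestType=request_type, **params)}
    QUEUES.setdefault(udid, deque()).append(cmd)
    return cmd["CommandUUID"]

def dispatch(msg):
    """Handle one decoded device -> server message; return the reply dict.

    Idle         : device asks for work, so send the next queued command.
    Acknowledged : the referenced command completed.
    Error        : it failed; ErrorChain is kept for the operator.
    NotNow       : device is locked or busy; put the command back, stop.
    An empty dict (a blank plist on the wire) means "nothing more to do".
    """
    udid, status = msg.get("UDID"), msg.get("Status")
    if not udid or status is None:
        LOG.append(("reject", udid, "malformed message"))
        return {}
    if status != "Idle":
        sent = IN_FLIGHT.get(msg.get("CommandUUID"))
        if sent is None or sent[0] != udid:    # unknown, or another device's, command
            LOG.append(("reject", udid, "reply to a command not issued to this UDID"))
            return {}
        cmd = IN_FLIGHT.pop(msg["CommandUUID"])[1]
        if status == "NotNow":
            QUEUES[udid].appendleft(cmd)       # retry on the next Idle check-in
            return {}
        LOG.append((status, udid, msg.get("ErrorChain")))
    if QUEUES.get(udid):
        cmd = QUEUES[udid].popleft()
        IN_FLIGHT[cmd["CommandUUID"]] = (udid, cmd)
        return cmd
    return {}

def handle_device_message(body):
    """Wire-level wrapper: plist bytes in, plist bytes out."""
    return plistlib.dumps(dispatch(plistlib.loads(body)))
```

The check that a reply's CommandUUID was issued to the same UDID is the part the rough DIY server skips; without it one device could acknowledge, or defer, another device's command.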
MDM Limitations
• User can terminate MDM relationship
  – Will lose whatever MDM installed
  – Corporate profile settings, etc.
  – But now the device tells MDM wh

Interesting Bugs?
• Clearing passcode delay bug
  – Doesn’t immediately interrupt delay
  – Doesn’t clear failure count
• Don’t mistype your new passcode the f

Security Concerns
• No command authentication
  – “Sign message” option not enforced
• SSL authentication
  – Appears to accept any cert with ‘trusted’ root
  – MIT

iOS Configuration
End User Controls
• Basic stuff
• Passcodes, restrictions, etc.
• Entered by user, can be removed by user
• May password protect settings

Good Security Findings
• Things you can’t do:
  – Install profile on locked device
  – Read installed profile details
    • List profiles gives meta-data only
  – Unlo

Overwrite MDM Profile
• Can’t install profile on locked device
• Can install when device unlocked
• If you reinstall the MDM profile...
• ...it re-enrol

Man in the Middle
• Use standard MITM techniques
  – Wi-Fi trickery, forge SSL cert, etc.
• Or, since you have physical access to device:
  – Get onto device
  – A

Push Profile to Device
• Can’t send the push message
• But can instruct device to poll
  – MDMOutstandingActivities.plist
• The “Status: Idle” message
  – Place

Send Clear Passcode
• Wait for another chance at device
• DFU boot, force MDM poll
• Evil server sends ClearPasscode
• Now device fully unlocked
  – Browse ev

Isn’t this a bit crazy?
• Yes. Yes, it is.
• For a high-value target, not unheard of.
• Levels of difficulty:
  – Access via DFU: Pretty difficult
  – Putting se

Evil Lackey
• Change:
  – “Hotel” to “Office”
  – “Maid” to “Passed-over Deputy to the Deputy”
  – “Hotel Bar” to “Office Gym”
• Advantages:
  – Longer time-frame for a

But that’s not all...
• Remember I said:
  – “Can’t install a profile to a locked device”
That’s not entirely true

Keybags
• Literally a container of encryption keys
• Used to decrypt protected data
• (Also used for syncing and for remote unlock)
• Lock: delete in-memo

Implications
• Device appears locked to user
• Processes “privileged” MDM commands
  – Can Install Profile, and re-enroll in MDM
• Access protected files via

Configuration Profiles
• Good for IT management
• Install standard profile on many devices
• Can be locked with password
  – But won’t preclude other persona

To Sum Up...
So... “How secure is it?”
• Actually, not too bad.
• Some limitations and some holes
  – No serious conceptual flaws
  – Issues should be reasonably

Bibliography / Links
• Apple docs:
  – Troubleshooting Push Notifications
  – Local and Push Notification Programming Guide
  – Over-the-Air Profile Delivery and C

New in iOS 5
• Restrictions:
  – Force password for all iTunes purchases
  – Restrict Siri, iCloud backup / sync / photo stream
  – Restrict diagnostic data, rejec

Mobile Device Management
MDM Basics
• OTA + Push Notifications
• Sends profiles directly to device
• Can update enterprise in minutes
• No reliance on end-

Overview
• Enroll device
  – Installs profile linking device to MDM
• MDM server pushes message
  – “Hey, call me”
• Device connects to server
  – “You rang?”
• Serv

Notifications - Server
• Short message
  – Payload <= 256 bytes
• Sent in JSON format
• Addressed by the DeviceToken
• Signed by originator and sent to A

Enrollment
Enrollment Profile
• Easily created in IPCU
• URLs for enrollment and server
  – iOS 5 requires SSL, iOS 4 works with just http://
• Associate with

Enrollment - Network
• Authenticate
  – Identifies device to server
  – MDM server may decline
• TokenUpdate
  – Sends tokens to server
  – Enables push notification
  – Ke