1 out of 20 iPhones/iPads can be hacked in less than a minute – what about yours?

 Cyber security  Comments Off on 1 out of 20 iPhones/iPads can be hacked in less than a minute – what about yours?
Dec 132011
 

The Hebrew version of this article was published in the digital version of Haaretz newspaper.

You just got your new and shiny iPhone and you are ready to load it with the coolest apps. A minute before you use iTunes store to buy some apps, your friend is calling you.

You: “Hey dude, I’ve just got my iPhone and I’m on my way to iTunes to do some shopping”.
He: “Are you nuts??? Paying for apps???”
You: “Is there any other option?”
He: “Of course there is. You just have to jailbreak your iPhone”
You: “Jail? Break? What do you mean?”
He: “You let your iPhone out of Apple’s jail and then you can do whatever you like. Everything is accessible – the coolest games, the best apps, the most amazing wallpapers and themes – and you don’t have to go through iTunes anymore!”
You: “Wow, I’m going to jailbreak my iPhone!!!”

Credit: Vicky Woodward

What is jailbreak?
In the default configuration of every iPhone, a user can install apps (games, utilities, applications) only from Apple’s official app stores (like iTunes store).
Every app in iTunes store is reviewed and approved by Apple. This way, Apple can make sure that all the installed apps on iPhones (and iPods, iPads, Apple TVs) are harmless. They can make sure that no app in iTunes contains viruses, Trojans or other malware, for example. This is a strong security mechanism that protects the iPhone users.

However, it means that you can’t install apps that are not in Apple’s app store. Many apps are reviewed by Apple and disapproved for different reasons. Basically, every app that does not follow the policy of Apple is banned. For example, apps for donation of money to non-profit organizations are forbidden.
But still, how can you install such apps?
The answer is jailbreaking.

Jailbreak is the process of removing the builtin restrictions in iPhone that were imposed by Apple and giving a full control to the user. For example, the user can download and install any app, extension or theme he wants from non-Apple stores like Cydia store.
Developers of apps can bypass the policy of Apple for the development of apps, they can create almost any app they want and then distribute it through non-Apple stores, like Cydia.

We guess you got the idea – Apple puts restrictions on you iPhone, you can’t install whatever you want from wherever you want. Jailbreaking will set you free and now there are no restrictions on your iPhone anymore and you are free to install and run whatever you like.

What about unlocking your SIM-locked iPhone to use with another provider? Unlock software allow you to to use a SIM card from any provider but sometimes the unlock and jailbreak are bundled together so when you unlock your iPhone you also jailbreak it.

Is jailbreaking good or bad?
Actually we are not going to answer this question. It used to be illegal but not anymore (at least in the USA). Some are saying that after jailbreaking the iPhone, everything went much slower, the battery was exhausted quickly, the system became unstable and they could hardly operate it. Others say that it changed their life and now their iPhone can do amazing things.

So jailbreaking is legal, I can get tons of apps, I am the master of my iPhone – where is the problem?
The problem is, as usually in security issues, you – the human factor.
It is very easy to jailbreak an iPhone and you don’t really need to understand much about this process. Anyone can do it and it takes only couple of minutes. There are several methods for jailbreaking and you can find the popular ones easily.
And here is the catch – some methods for jailbreaking install a small software on your iPhone that is called SSH Service. This software gives you a way to communicate with your iPhone remotely and with full access to any part of the system. You don’t have to know what is SSH and what is a service and actually most of the jailbroken iPhone users never heard about it before.

However, this SSH service also opens a small window to the world…

Let’s try to simplify it by using an analogy – suppose you have a nice and well-protected house. You have doors, windows, steel grates and an alarm system that protects all the entries to the house. Now someone tells you that you if you remove the windows, doors and grates and disconnect the alarm system in the first floor, you will be able to walk freely into your house, you will see the view clearly and your cat will come and go as he likes.
Unless you live in an Israeli Kibbutz, your response will be – “are you nuts? everyone will be able to come inside, steal whatever they want, see everything I’m doing, eat my food and sleep in my bed.”

Did you ask the same question before you jailbroke your iPhone?
Probably not. Let’s see what can be the result of opening this small window in your iPhone.

When you connect your iPhone to the Internet via WiFi, for example using the Internet access in the airport, restaurant, train, coffee shop, hotel or university, every other user in this place can try to hack your iPhone remotely. When your iPhone is protected, it will be almost impossible to hack into it.
The SSH service on your jailbroken iPhone opens a small window to the world and now the nice guy in the first floor in your hotel can hack into your iPhone through the SSH service.

What can such hacker do? Everything!!!
He can read your documents, steal your bank/facebook/gmail passwords, see the pics and watch the naughty movies that you took with your iPhone…
He can read your sms messages and emails, eavesdrops your phone calls and track your GPS locations. He can install in less than a minute a tiny software that will send him every day all of the above and much more. And everything will be very stealthy – you won’t even know about it.

OK, relax, it is not so simple. Every SSH service has a password. So unless the hacker knows the password, you are protected.
Are you relived now? You shouldn’t be.
Every SSH service comes with a default password. For jailbroken iPhones with SSH service installed, the default password is usually ‘alpine’. When you jailbroke your iPhone, it was written somewhere in small letters that for security reasons you better change the SSH service password. Since most of the users don’t know what is SSH and why they even need it, they won’t bother to do it. And actually, even if they want, they probably don’t know how to do it.

To make a long story short, if you jailbroke your iPhone and SSH was installed and you didn’t change the default password – you can be hacked in seconds almost everywhere you go.
The funny thing is that it is very easy to hack into jailbroken iPhones using non-jailbroken iPhones and you don’t even have to be a computer geek to do it – we’ll see how to do it shortly.

What is the percentage of jailbroken iPhones?
The numbers are not absolute – there are different statistics from different sources.
According to Pich Media (2009), the percentage of iPhone users running their phones jailbroken is 8.43%.

More recent numbers are talking about 10-15%.
According to Chinese market research company Umeng (2011), 35% of iOS devices in China are jailbroken.

The distribution of the  jailbroken iOS devices in China is as follows:


Our field experiment
In order to understand better this phenomenon, we did an experiment in a small airport in Europe. It was a midweek day, around noon, where the airport was very quiet and not so busy.
We connected our non-jailbroken iPhone to the Internet via the free WiFi service and scanned the network. We found out that about 6% of the Apple devices had SSH service installed and waiting for remote connections. We tried to hack into them using the default password (in our experiment, once the default password was accepted, we logged out and disconnected immediately without violating the privacy of the user).
The result was amazing: about 80% of them where hacked immediately!!!
It means that about 5% of the iPhones in the airport were jailbroken with SSH service installed and a default password that was never changed.
We repeated this experiment in a small university and the results where about the same – 4-5% of the iPhones were jailbroken with SSH service installed and a default password.

It means that about 1 of 20 iPhones/iPads in use can be easily hacked and the most sensitive and confidential data can be stolen.

How to hack into iPhones?
In order to show how easy it is for every non-technical user to hack into iPhones around him (as long as they are connected to the Internet through WiFi), we will demonstrate this process using two free iPhone apps. It is important to mention that during the hacking procedure, the victim (the jailbroken iPhone user) is not aware to the hacking, he doesn’t see anything special on his screen and the whole process is stealthy and transparent. Our goal is to increase the awareness of the iPhone users to their security and privacy, and not to encourage hacking of iPhones, which is definitely illegal.

The first free app, Fing, can be downloaded through iTunes store. This app is used to scan a network and look for connected devices.
As you can see in the following picture, the app shows a list of devices that were found, and the name of their vendor.

List of connected devices

Every device in the list also has a number. For example, the last device in the above list has the number 192.11.228.154. This is its IP address. You don’t have to know what is an IP address. You just have to remember this number for the next step (for privacy reasons, all the real IP addresses that were used in this demo were changed to fake ones).

As you can imagine, all the Apple devices are good candidates for our demo.
Then, we use the same app to check whether these Apple devices have  SSH service installed. Basically you just have to click on each Apple device in the above list and you get the following screen:

Scan the device

Then you have to click on “Scan services” at the bottom and after couple of seconds you will get a list of all the open “windows” in this device (they are called ports). If you see an entry that says “22 SSH”, as shown in the next picture, it means that this device has an SSH service installed and ready for accepting remote communication.

SSH is open

You can repeat this process for every Apple device in the list and at the end you’ll have a list of devices, where each device has its own IP address (in our example, 192.11.228.154 was the IP of the last device).

Now we are going to use the second free app, Mobile Admin, which can also be downloaded from iTunes store.
This app lets you communicate with the remote SSH service.
Once you start it you get this screen.

Mobile Admin

Click on SSH and then click on “New Connection”.

Add a new SSH connection

In the next screen, in the Host box you should enter the IP address of the Apple device that you found (192.11.228.154 in our demo), in the User Name you should enter ‘root’ and in the Password you should enter ‘alpine’.

SSH connection details

Then you just have to hit Connect at the bottom of the screen.

A new SSH connection

On the next screen you should click “Accept Once”.

Accept the SSH connection to the iPhone

If this iPhone was configured with the default password, you should get the a black screen, where you see some text and a blinking prompt, like here.

It means that now you are the master of this device and you have full control over every part of its system. You can browse all the stored data in this iPhone. You can even change its default password…

How to protect your jailbroken iPhone?
If you have a jailbroken iPhone, you can use Fing to find your IP address. Just start Fing, let is scan (hit the refresh button at the top-right) and look in the list for the entry that says “You”. This is your IP address. In the following screen, our IP is 192.11.136.224:

Now use Mobile Admin as described above but enter your IP address in the Host box. Enter the User Name (root) and Password (alpine) as before and hit Connect.
If you get a screen similar to the following one, it means that your iPhone is not using SSH service. You are done here – you are protected.

No SSH service

If you get a screen similar to the following one, it means that your iPhone is using SSH service. But you still have to check that you are not using the default password. Click “Accept Once”.

If you get a screen similar to the following one, it means that your SSH service is not using the default password. You are done here – you are protected (as long as the password that you configured in the past is not weak).

If you get a screen similar to the following one, where you see some text and a blinking prompt, it means that your iPhone is using SSH service with the default password. Your iPhone can be hacked in seconds!

Now let’s change your default password.
Where you see the blinking prompt, type the following word and then click enter:
passwd

You’ll get a screen similar to the following one – you will be asked to enter your new password. Choose a strong password, write it, click enter. You will be asked to re-type your password. Type it again and click enter.

Then you should get a screen similar to the following one:

It means that your password was changed successfully – your iPhone is protected now!

 Posted by at 11:03 am
Nov 222011
 

The Hebrew version of this article was published in the digital version of Haaretz newspaper.

 

You have a fast 100 MB Internet connection and a brand new laptop but still, from time to time, your Internet experience is lousy – the Internet crawls like an old 9,600 kbps modem from the 90’s.
Well, the reason for that behavior might be very surprising – Skype…

How does Skype work?
In some scenarios, Skype is using a special mechanism to enable calls between users that are, for example, behind a proxy or a firewall. Let’s say that we have two Skype users: Alice and Bob.
Both of them are behind firewalls that block incoming connections. Hence, Alice can make outgoing connections to the Internet, but nobody can connect to Alice from the Internet. The same goes for Bob.
Now, Alice wants to make a Skype call to Bob. Alice is trying to setup a network connection to Bob – she can make the outgoing connection but since Bob’s firewall blocks all incoming connections, the connection will fail. The same goes for Bob.
This scenario is very common since most of the machines today are behind firewalls.

So how can Alice and Bob make a Skype call between each other?
One of the solutions of Skype for this problem is to use a middleman (super node). A middleman is another Skype user, Charlie, that can make outgoing network connections but can also accept incoming connections. The middleman also has a public IP address, which makes him accessible by any other Skype user.
Now, when Alice wants to call Bob, she will connect Charlie (she can do that because she can make outgoing connections and he can accept incoming connections) and tell him that she wants to call Bob.
Since Bob can also make outgoing connections, he can also connect to Charlie. And now Charlie is used as a relay station between Alice and Bob – both of them established outgoing connections to Charlie and he can relay the Skype call between them although they are behind firewalls.
In reality, the architecture is a bit more complicated and middlemen also talk to each other but for the sake of this discussion let’s stay with this simplified version.

Who are these middlemen?
Basically, if you have Skype installed on your machine, a fast Internet connection and a public IP, you are probably going to be a middleman.
Middlemen usually accept, maintain and relay couple of network connections to/from Skype users.
Since there is some overhead for every relayed connection, Skype keeps the number of relays per middleman quite low – around 30, give or take.

When Skype is getting out of control…
Sometimes Skype is getting out of control and  instead of relaying 30 Skype connections per middleman, it is relaying much more. An by much more we mean much much more…
Here is an example of this behavior.
We set up a Windows machine with a public IP and we installed Skype.
After one day, our Internet connection became a bit slower.
After two days, it became much slower and all websites were uploaded very slowly.
After four days, we couldn’t surf to any website or use our e-mail client – the machine was hogged to death!
The following graph of the number of Internet connections that Skype used in our machine during a period of nine days illustrates the problem:

 

Imagine that your beloved machine is relaying 300, 400 and even 700 Skype connections simultaneously – well, ain’t it  a good reason for the slowness of your Internet connection?

How to solve this problem?

On Windows machines, you can disable Skype super node mode by adding a value to the Registry. This will prevent your machine from being a middleman.

1. Copy the following text and save it as “DisableSkypeSupernode.reg” :

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Skype\Phone]
“DisableSupernode”=dword:00000001

2. Double-click on the saved file. You should get a message box that is similar to this one:

Choose “Yes”

3. You are done. You should get a message box that is similar to this one:

4. Reboot your machine

 

On MAC OSX machines, you can usually disable Skype supernode mode by blocking incoming connections to Skype.

1. Open your “System Preferences”.

2. Under Personal, click on “Security & Privacy”.

3. Click on the “Firewall” tab and then on the “Advanced” button. You might need to click on the lock icon to enable the “Advanced” button.

4. On the next screen, click on “Skype”, then choose “Block incoming connections” and click on “OK”.

5. From now on, your firewall will block incoming connections to Skype. Hence, Skype will not be able to move into supernode mode.

 Posted by at 3:54 pm