It Just (Net)works. The Truth About ios' Multipeer Connectivity Framework. Alban

Size: px

Start display at page:

Download "It Just (Net)works. The Truth About ios' Multipeer Connectivity Framework. Alban"

Caroline Foster
6 years ago
Views:

1 It Just (Net)works The Truth About ios' Multipeer Connectivity Framework Alban

2 About me ios Security Researcher at Data Theorem Before: Principal Security Consultant at isec Partners Tools: SSLyze, Introspy, ios SSL Kill Switch 2

3 Agenda What is Multipeer Connectivity? Reversing the MC protocol(s) Security analysis of MC 3

4 What is Multipeer Connectivity? 4

5 Multipeer Connectivity 5

6 Demo 6

7 Motivation 7

8 Reversing the MC protocol(s) 8

9 MC API - Encryption The App can specify an encryptionpreference Three encryption levels: No further explanation in the documentation 9

MC API - Authentication The App can specify a securityidentity A "security identity" is an X509 certificate and the corresponding private key The

10 MC API - Authentication The App can specify a securityidentity A "security identity" is an X509 certificate and the corresponding private key The peer s identify when pairing with other peers A callback has to be implemented for validating other peers certificates/identities during pairing: 10

11 Test Setup Macbook in WiFi Access Point mode + Wireshark Sample MC App with default MC settings Two devices: ipad Air with Bluetooth disabled ios Simulator 11

12 12

13 13

14 A B 14

15 Bonjour!! A??? over TCP!! STUN / ICE! B??? over UDP!! 15

16 Bonjour!! A??? over TCP!! STUN / ICE! B??? over UDP!! 16

17 Bonjour! Advertise local MC service, discover nearby devices advertising the MC service A??? over TCP!! STUN / ICE! B??? over UDP!! 17

18 Bonjour! Advertise local MC service, discover nearby devices advertising the MC service A??? over TCP!! STUN / ICE! B??? over UDP!! 18

19 19

20 20

21 Mystery Protocol #1 Peer connects to the other peer over TCP Each peer sends their PeerID first (random) idstring + device name For example: ory2g6r8fkq+iphone Simulator Three plists are then exchanged 21

22 A B 22

23 A B 23

24 A B 24

25 A 25

26 A B 26

27 A B 27

28 A B 28

29 A B 29

30 Mystery Protocol #1 Each peer exchanges their MCNearbyConnectionDataKey Main "payload" of the protocol; briefly mentioned as connection data in the documentation 30

31 Mystery Protocol #1 Each peer exchanges their MCNearbyConnectionDataKey Main "payload" of the protocol; briefly mentioned as connection data in the documentation The peer s security settings as bit fields: Encryption level (optional = X00, none = X10, required = X01 ) Whether authentication is enabled (yes = 1XX, no = 0XX) No X509 certificate/identity yet 31

32 Mystery Protocol #1 Each peer exchanges their MCNearbyConnectionDataKey Main "payload" of the protocol; briefly mentioned as connection data in the documentation Then a list of local "candidate" IP addresses!! 32

33 Mystery Protocol #1 Each peer exchanges their MCNearbyConnectionDataKey Main "payload" of the protocol; briefly mentioned as connection data in the documentation Then a list of local "candidate" IP addresses ! 33

34 Mystery Protocol #1 Each peer exchanges their MCNearbyConnectionDataKey Main "payload" of the protocol; briefly mentioned as connection data in the documentation Then a list of local "candidate" IP addresses Etc 34

35 Mystery Protocol #1 Each peer exchanges their MCNearbyConnectionDataKey Main "payload" of the protocol; briefly mentioned as connection data in the documentation Then some kind of IDs (according to debug logs)?! 35

36 Mystery Protocol #1 Each peer exchanges their MCNearbyConnectionDataKey Main "payload" of the protocol; briefly mentioned as connection data in the documentation Then some kind of IDs (according to debug logs)? 6F7D4FE3, etc 36

37 Bonjour! Advertise local MC service, discover nearby devices advertising the MC service A GCK1 over TCP! Exchange peer names, security options and "candidate" UDP sockets STUN / ICE! B??? over UDP!! 37

38 Bonjour! Advertise local MC service, discover nearby devices advertising the MC service A GCK1 over TCP! Exchange peer names, security options and "candidate" UDP sockets STUN / ICE! B??? over UDP!! 38

39 Interactive Connectivy Establishement 39

40 Bonjour! Advertise local MC service, discover nearby devices advertising the MC service A GCK1 over TCP! Exchange peer names, security options and "candidate" UDP sockets STUN / ICE! Perform connectivity checks and find the best network path to the other peer B??? over UDP!! 40

41 Bonjour! Advertise local MC service, discover nearby devices advertising the MC service A GCK1 over TCP! Exchange peer names, security options and "candidate" UDP sockets STUN / ICE! Perform connectivity checks and find the best network path to the other peer B??? over UDP!! 41

42 Mystery Protocol #2 42

43 Mystery Protocol #2 43

44 Mystery Protocol #2 It s the protocol used when App data is being exchanged Not plaintext but Wireshark doesn t know what it is Clues: Authentication in the MC API relies on X509 certificates 44

45 Mystery Protocol #2 It s the protocol used when App data is being exchanged Not plaintext but Wireshark doesn t know what it is Clues: Authentication in the MC API relies on X509 certificates When setting a breakpoint on SSLHandshake(), it does get triggered 45

46 Mystery Protocol #2 It s the protocol used when App data is being exchanged Not plaintext but Wireshark doesn t know what it is Clues: Authentication in the MC API relies on X509 certificates When setting a breakpoint on SSLHandshake(), it does get triggered 46

47 Mystery Protocol #2 openssl s_client -dtls1 -connect someserver:443 47

48 Mystery Protocol #2 openssl s_client -dtls1 -connect someserver:443 48

49 Mystery Protocol #2 openssl s_client -dtls1 -connect someserver:443 49

50 Pro Packet Trace Editing 50

51 Pro Packet Trace Editing Success! 51

52 Mystery Protocol #2 DTLS 1.0 with the byte 0xd0 appended to every DTLS record _gcksessionrecvmessage() Inside the DTLS stream Simple plaintext protocol The other peer s PeerID + App data/messages 52

53 Bonjour! Advertise local MC service, discover nearby devices advertising the MC service A GCK1 over TCP! Exchange peer names, security options and "candidate" UDP sockets STUN / ICE! Perform connectivity checks and find the best network path to the other peer B GCK2 over UDP! Perform DTLS handshake, check the other peer s identity, exchange data 53

54 Bonjour! Advertise local MC service, discover nearby devices advertising the MC service A GCK1 over TCP! Discovery Phase Exchange peer names, security options and network information STUN / ICE! Perform connectivity checks and find the best network path to the other peer B GCK2 over UDP! Session Phase Perform DTLS handshake, check the other peer s identity, exchange data 54

55 Security Analysis of Multipeer Connectivity 55

56 MC Security Analysis None Optional Required Without! Authentication With Authentication 56

57 MC Security Analysis None Optional Required Without! Authentication With Authentication 57

58 MC Security Analysis Required With Authentication: DTLS with mutual authentication Each peer sends their certificate and validate the other side s certificate RSA & EC-DSA TLS Cipher Suites 30 cipher suites supported in total including PFS cipher suites.! In practice, TLS_RSA_WITH_AES_256_CBC_SHA256 is always negotiated, which doesn t provide PFS 58

59 MC Security Analysis None Optional Required Without! Authentication With Authentication No PFS 59

60 MC Security Analysis None Optional Required Without! Authentication With Authentication No PFS 60

61 MC Security Analysis Required Without Authentication: DTLS with Anonymous TLS Cipher Suites No certificates exchanged Anon" AES TLS cipher suites: TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_256_CBC_SHA256 61

62 MC Security Analysis None Optional Required Without! Authentication With Authentication MiTM No PFS 62

63 MC Security Analysis None Optional Required Without! Authentication With Authentication MiTM No PFS 63

64 MC Security Analysis None Without Authentication: No DTLS - Plaintext GCK2 protocol 64

65 MC Security Analysis None Optional Required Without! Authentication With Authentication Plaintext MiTM No PFS 65

66 MC Security Analysis None Optional Required Without! Authentication With Authentication Plaintext MiTM No PFS 66

67 MC Security Analysis None With Authentication: DTLS with mutual authentication Each peer send their certificate and validate the other side s certificate Plaintext / No Encryption TLS Cipher Suites! TLS_RSA_WITH_NULL_SHA, TLS_RSA_WITH_NULL_SHA256 67

68 MC Security Analysis None Optional Required Without! Authentication With Authentication Plaintext Plaintext MiTM No PFS 68

69 MC Security Analysis None Optional Required Without! Authentication With Authentication Plaintext Plaintext MiTM No PFS 69

70 MC Security Analysis Optional With Authentication! The session prefers to use encryption, but will accept unencrypted connections 70

71 Conclusion None Optional Required Without! Authentication Plaintext MitM MitM With Authentication Plaintext No PFS 71

72 Conclusion None Optional Required Without! Authentication Plaintext MitM MitM With Authentication Plaintext No PFS 72

73 MC Security Analysis Optional With Authentication! The session prefers to use encryption, but will accept unencrypted connections Two peers using Optional with Authentication should get the same security as Required (ie. use DTLS) Authentication should prevent a man-in-themiddle from tampering with the network traffic 73

74 Bonjour! Advertise local MC service, discover nearby devices advertising the MC service GCK1 over TCP! Exchange peer names, security options and "candidate" UDP sockets STUN / ICE! Perform connectivity checks and find the best network path to the other peer GCK2 over UDP! Perform DTLS handshake, check the other peer s identity, exchange data 74

75 Bonjour Optional! Authentication Enabled Optional! Authentication Enabled ICE / STUN DTLS with RSA / AES cipher suite Encrypted & authenticated traffic Same security as Required 75

76 Bonjour 76

77 Bonjour Optional! Authentication Enabled 77

78 Bonjour Optional! Authentication Enabled None! Authentication Enabled 78

79 Bonjour Optional! Authentication Enabled None! Authentication Enabled None! Authentication Enabled Optional! Authentication Enabled 79

80 Bonjour Optional! Authentication Enabled None! Authentication Enabled None! Authentication Enabled Optional! Authentication Enabled ICE / STUN 80

81 Bonjour Optional! Authentication Enabled None! Authentication Enabled None! Authentication Enabled Optional! Authentication Enabled ICE / STUN DTLS with NULL cipher suite Plaintext traffic (authenticated)! No post-auth checks on the parameters exchanged! Same security as None 81

82 Optional Downgrade Attack 82

83 MC Security Analysis None Optional Required Without! Authentication Plaintext MitM MitM With Authentication Plaintext MitM (Downgrade) No PFS 83

84 Conclusion 84

85 Conclusion Most security settings work as advertised by the MC API Except for Optional with Authentication Some combinations should never be used Optional None with Authentication Only Required with Authentication is secure 85

86 Conclusion None Optional Required Without! Authentication Plaintext MitM MitM With Authentication Plaintext MitM (Downgrade) No PFS 86

87 Conclusion None Optional Required Without! Authentication Plaintext MitM MitM With Authentication Plaintext MitM (Downgrade) No PFS 87

88 Conclusion Possible improvements to the MC Framework: Required with Authentication: Prioritize PFS TLS Cipher Suites Optional with Authentication: Peers should validate security parameters postauthentication to prevent downgrade attacks Better: remove Optional and make Required the default setting? 88

89 Thanks! More at 89

Transport Level Security

2 Transport Level Security : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l12, Steve/Courses/2013/s2/css322/lectures/transport.tex,