Black Hat

DISCOVERING AND EXPLOITING NOVEL SECURITY VULNERABILITIES IN APPLE ZEROCONF
Xiaolong Bai, Luyi Xing (co-first authors), Nan Zhang, XiaoFeng Wang, Xiaojing Liao, Tongxin Li, Shi-Min Hu
Tsinghua University, Indiana University Bloomington, Georgia Institute of Technology, Peking University
Who are we?
• System Security Lab, Indiana University Bloomington
– Focus on novel problems in system security
– High-impact publications on IEEE S&P, ACM CCS, Usenix Security, NDSS
– http://sit.soic.indiana.edu/en/
• Our advisor: Prof. XiaoFeng Wang
– Top 10 authors on leading security venues for the past 10 years
– http://www.informatics.indiana.edu/xw7/
Who are we?
• We have two talks on Black Hat USA 2016
– Luyi Xing and Xiaolong Bai, DISCOVERING AND EXPLOITING NOVEL SECURITY VULNERABILITIES IN APPLE ZEROCONF, August 4, Jasmine Ballroom, 12:10-13:00
– Nan Zhang, DANGEROUS HARE: HANGING ATTRIBUTE REFERENCES HAZARDS DUE TO VENDOR CUSTOMIZATION, August 4, South Seas GH, 17:00-17:25

DISCOVERING AND EXPLOITING NOVEL SECURITY VULNERABILITIES IN APPLE ZEROCONF
ZeroConf
• Zero Configuration Networking
• Automatically configures a usable computer network
– No manual configuration
– No specific configuration server
• Designed to reduce users' burden
– Setting up a new network
– Using a new service
ZeroConf
• Bonjour protocol
– Zero-configuration networking over IP that Apple has submitted to the IETF
• Goals:
– With little or no configuration
– to add devices/services to a local network
– Existing devices can automatically find and connect to those new devices/services

Bonjour
• Administrators
– No need to assign IP, hostnames, service names to network services (e.g., printer)
• When using a service, users simply
– ask to see what network services are available
– and choose from the list of automatically discovered services
How about a traditional configured network?

Traditionally
Must configure:
– IP
– Printer name, e.g., lh135-soic.ads.iu.edu
– DNS server
Features of Bonjour
1. Service configures itself
– IP, hostname, service instance name
2. Clients automatically discover available services
– No pre-knowledge of the service's name, hostname or IP

1. ZeroConf Concept
2. So, how?
Add a new printer to a network

A printer configures itself
– Printer: "Is anybody using IP fe80::abcd:1234...?" No? Great, I'll take it.
– Printer: "Anybody using hostname HP9FE5.host.local?" No? Wonderful, I'll take it.
– Printer: "Anybody having a printing service named HP-Service-9FE5?"

A printer finishes configuring itself
– IP: fe80::abcd:1234
– Hostname: HP9FE5.host.local
– Service Instance Name: HP-Service-9FE5
Features of Bonjour
1. Service configures itself
– IP, hostname, service instance name
2. Clients automatically discover available services
– No pre-knowledge of the service's name, hostname or IP
Two phases: Discovery and Resolution
Automatically find the printer: Discovery
Q1: Anyone has a printer service?
A1: I have HP-Service-9FE5

Automatically find the printer: Resolution
Q2: So on which host is this HP-Service-9FE5?
A2: It's on host HP9fe5.host.local
Q3: What is the address of HP9fe5.host.local?
A3: Its address is fe80::abcd:1234
Added/Saved the printer to your list
– IP: fe80::abcd:1234
– Hostname: HP9FE5.host.local
– Service Instance Name: HP-Service-9FE5

Apple: Applications store service instance names, so if the IP, port, or hostname changed, the application can still connect.

Service instance name HP-Service-9FE5 is saved
Saved printer = a printer who owns service name HP-Service-9FE5
Adversary Model
• On a device (malware infected) in your local network
• Aims to intercept secrets/files transferred between uninfected devices
• Your Mac/printer are un-infected
• Steal your printing documents?
1. ZeroConf Concept
2. ZeroConf How
3. ZeroConf Breaking
Case 1: Attack Bonjour (Printer)

Attack Bonjour
• Two examples
• Printer
– Printers using Bonjour
• PhotoSync
– Synchronizing photos between Mac and iPhone using Bonjour
• Not an application-specific or service-specific problem
– Vulnerabilities in the design of the Bonjour protocol
A device infected by malware
– The saved printer: Service Instance Name HP-Service-9FE5
– The infected device announces: "I have a printing service instance named HP-Service-9FE5"
– The printer's own name HP-Service-9FE5 is crossed out; the printer takes a new service name: HP-Service-9FE5 (2)
– Saved printer = a printer who owns service name HP-Service-9FE5 (that name is now owned by the infected device)
Why it happens?
Three changing attributes:
– IP
– Hostname
– Service Instance Name
Apple: Applications store service instance names, so if the IP, port, or hostname changed, the application can still connect.

Lack of authentication
• Anyone can claim any value of the three attributes
• The protocol only guarantees no duplicates.
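The printer sequence above, replayed as an added example (not code from the talk or from Apple's mDNSResponder): a model of how a service instance name is claimed, how the no-duplicates rule renames the legitimate holder when another device announces the same name, and a client-side check that notices when a saved name has moved to a different host. The malware hostname and address are constructed; the renaming behaviour follows what the slides show, not the RFC text.

```python
# Added example (not code from the talk or from Apple's mDNSResponder): a model of
# Bonjour service-instance-name claiming, the "no duplicates but no ownership" rule,
# and a client-side check that notices when a saved name has moved to another host.
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    ip: str


class Link:
    """Service instance names currently claimed on one local link.

    Bonjour learns this by multicast probing; the model keeps it in a dict so the
    sequence from the slides can be replayed deterministically.
    """

    def __init__(self):
        self.services = {}  # service instance name -> Endpoint that answers for it

    def probe_and_claim(self, wanted, endpoint):
        """A device probes for `wanted`; if someone already answers, it renames itself
        to 'wanted (2)', 'wanted (3)', ... The protocol checks uniqueness only, never
        whether the claimant is entitled to the name."""
        name, n = wanted, 1
        while name in self.services:
            n += 1
            name = f"{wanted} ({n})"
        self.services[name] = endpoint
        return name

    def announce_over(self, name, endpoint):
        """A second device announces `name` as its own. As the printer slides show, the
        legitimate holder ends up re-probing and taking the next free name, while the
        announcer keeps `name`. Returns the displaced holder's new name (or None)."""
        displaced = self.services.get(name)
        self.services[name] = endpoint
        if displaced is None:
            return None
        return self.probe_and_claim(name, displaced)

    def resolve(self, name):
        return self.services.get(name)


def check_binding(saved, resolved):
    """Client-side heuristic: compare the host a saved name resolved to last time with
    the host it resolves to now. Apple's design lets IP and hostname change legitimately,
    so a mismatch is a prompt for the user, not proof of an attack."""
    if resolved is None:
        return "service not found"
    if saved == resolved:
        return "ok"
    return f"warning: {saved.hostname} -> {resolved.hostname}"


def printer_scenario():
    """Replays the slides: printer claims its name, client saves the name, malware
    announces the same name, and the saved name now resolves to the malware host."""
    link = Link()
    printer = Endpoint("HP9FE5.host.local", "fe80::abcd:1234")
    malware = Endpoint("infected.local", "fe80::1111:2222")  # constructed values
    saved_name = link.probe_and_claim("HP-Service-9FE5", printer)
    first_resolution = link.resolve(saved_name)
    printer_new_name = link.announce_over(saved_name, malware)
    later_resolution = link.resolve(saved_name)
    return {
        "saved_name": saved_name,
        "first": first_resolution,
        "later": later_resolution,
        "printer_new_name": printer_new_name,
        "check": check_binding(first_resolution, later_resolution),
    }


if __name__ == "__main__":
    for key, value in printer_scenario().items():
        print(f"{key}: {value}")
```

The check in `check_binding` is deliberately weak: because Apple's guidance says the IP and hostname behind a saved name may change, a client that remembers the last host can only raise a prompt, which is exactly why the slides conclude that the missing piece is authentication rather than a smarter client.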
If not saving service instance names, is it secure enough?

Attack Bonjour
• PhotoSync
– Synchronizing photos between Mac and iPhone using Bonjour
• Not saving service instance name
– Client discovers and resolves the server each time
Normally
• Discovery: Client browses for server; server responds with service instance name
• Resolution 1: Client queries for the hostname of the service; server responds with the hostname
• Resolution 2: Client queries for the address of the host; server responds with its address
Client: Who has PhotoSync service?
Server: I have. Service instance name: abcd
Client: What is the hostname of abcd?
Server: Its hostname is Macbook
Client: What is the address of Macbook?
Server: Its address is 192.168.0.1
What Can Go Wrong?
• Another malware-infected device spoofs the client
– Successful Man-in-the-Middle
• During Resolution
– Service instance name to hostname
– Hostname to address

Attack 1: service instance name to hostname
Client: What is the hostname of service instance abcd?
Server: The hostname of service instance abcd is Macbook
Attacker: The hostname of service instance abcd is Mallory
Client connects to Attacker; Attacker connects to Server

Attack 2: hostname to address
Client: What is the address of host Macbook?
Server: The address of host Macbook is 192.168.0.1
Attacker: The address of host Macbook is 192.168.0.100
Client connects to Attacker; Attacker connects to Server
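The two resolution steps and both attacks, as an added example (not code from the talk): a model of the PhotoSync exchange with a rogue responder on the link, a client that accepts the first answer at each step, and a client that waits for the whole answer window and refuses to connect when two responders disagree about one name. Names and addresses are taken from the slides; the responder order stands in for answer arrival order.

```python
# Added example (not code from the talk): the two-step Bonjour resolution from the
# PhotoSync slides with a rogue responder on the link, a client that trusts the first
# answer, and a client that waits for the whole answer window and treats disagreeing
# answers for one name as a conflict. Device names, addresses and questions are
# constructed to match the slides.


class Responder:
    """One device on the link; `records` maps a question to the answer it gives."""

    def __init__(self, name, records):
        self.name = name
        self.records = records

    def answer(self, question):
        return self.records.get(question)


class MulticastLink:
    """Multicast a question and collect every answer. Real mDNS answers arrive over
    time; the responder order here stands in for arrival order."""

    def __init__(self, responders):
        self.responders = responders

    def query(self, question):
        answers = []
        for r in self.responders:
            a = r.answer(question)
            if a is not None:
                answers.append((r.name, a))
        return answers


def resolve_first_answer(link, service):
    """Client behaviour the talk attacks: accept the first answer at each step."""
    hosts = link.query(("SRV", service))
    if not hosts:
        return None
    host = hosts[0][1]
    addrs = link.query(("A", host))
    return addrs[0][1] if addrs else None


def resolve_checked(link, service):
    """Client that only proceeds when all responders agree; a conflict is surfaced
    instead of connecting. This detects noisy spoofing; it does not authenticate
    anyone, which is the fundamental gap the talk points at."""

    def agreed(answers, step):
        values = {a for _, a in answers}
        if len(values) > 1:
            detail = ", ".join(f"{r}={a}" for r, a in answers)
            raise ValueError(f"conflicting {step} answers: {detail}")
        return next(iter(values)) if values else None

    host = agreed(link.query(("SRV", service)), "hostname")
    if host is None:
        return None
    return agreed(link.query(("A", host)), "address")


# The legitimate server from the slides.
SERVER = Responder("Server", {("SRV", "abcd"): "Macbook", ("A", "Macbook"): "192.168.0.1"})
# Attack 1: the attacker answers the service-name-to-hostname step with its own host.
ATTACK1 = Responder("Attacker", {("SRV", "abcd"): "Mallory", ("A", "Mallory"): "192.168.0.100"})
# Attack 2: the attacker answers the hostname-to-address step for the real hostname.
ATTACK2 = Responder("Attacker", {("A", "Macbook"): "192.168.0.100"})


def scenario(attacker=None, attacker_first=True):
    """Returns (address the naive client connects to, result of the checking client)."""
    if attacker is None:
        responders = [SERVER]
    elif attacker_first:
        responders = [attacker, SERVER]
    else:
        responders = [SERVER, attacker]
    link = MulticastLink(responders)
    naive = resolve_first_answer(link, "abcd")
    try:
        checked = resolve_checked(link, "abcd")
    except ValueError as exc:
        checked = str(exc)
    return naive, checked


if __name__ == "__main__":
    print("no attacker:", scenario())
    print("attack 1:   ", scenario(ATTACK1))
    print("attack 2:   ", scenario(ATTACK2))
```

Running `scenario(ATTACK1, attacker_first=False)` shows the race the first-answer client is exposed to: the same attacker wins or loses purely on timing, while the checking client reports a conflict in either order. Waiting out the window only turns a silent redirect into a visible disagreement; it cannot say which answer is genuine, because nothing in the exchange is authenticated.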
Demo
• https://www.youtube.com/watch?v=WUWusqgqFr0&feature=youtu.be

Fundamental Problem
• Lack of authentication
• Anyone can claim any value of the identification attributes
• The protocol only guarantees no duplicates, but not security.
Is it easy to provide authentication?
1. ZeroConf Concept
2. ZeroConf How
3. ZeroConf Breaking
Case 2: Airdrop

Airdrop between Apple devices
• With AirDrop, you can share photos, videos, websites, locations, and more with people nearby with an Apple device.
Attack Airdrop
Jeff's Macbook: Q1: Anyone has an airdrop service?
Alice's iPhone: I have a service named abcd.airdrop.service
Jeff's Macbook: Q2: So on which host is Alice's service?
Alice's iPhone: A2: It's on host Alices.iphone.local
Bob's iMac: A2: It's on host Bobs.imac.local
Result: Alice's iPhone has service named abcd.airdrop.tcp, which is on host Bobs.imac.local
Does TLS help?
Jeff's Macbook: Connect https://Bobs.imac.local

TLS in Airdrop
Jeff's Macbook connects to https://Bobs.imac.local: server certificate issued to appleid.CDEF… (Bob's iMac)
Jeff's Macbook connects to https://Alices.iphone.local: server certificate issued to appleid.ABCD… (Alice's iPhone)
So the certificate in airdrop can hardly be used for authentication.

Domain should match the certificate
Jeff's Macbook connects to https://google.com: certificate issued to google.com (domain matches the certificate)
Jeff's Macbook connects to https://Bobs.imac.local: server certificate issued to appleid.CDEF… (domain does not match)
Jeff's Macbook connects to https://Alices.iphone.local: server certificate issued to appleid.ABCD… (domain does not match)
What's wrong with TLS in Airdrop
• The certificate in airdrop cannot be used for authentication
– E.g., the certificate should be issued to Alice
– but is indeed issued to appleid.ABCD…
• The certificate should be issued to WHAT?
• Issue the certificate to the domain (hostname)?
– No. Hostname may change and does not represent a user
• Issue the certificate to the user's name?
– No. Names can be duplicated
• Issue the certificate to the user's social security number?
– No. Social security number is too private
• Linking a human to her certificate is complicated
– challenge in finding any identifiable information that is
• well-known
• has no privacy implication
• and unique
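The "domain should match the certificate" rule made concrete, as an added example (not code from the talk or from Apple): a hostname matcher following the usual RFC 6125 rules (exact match, or a single leftmost wildcard label standing for exactly one label), applied to the google.com case and to the AirDrop hosts. The certificate names ending in "-EXAMPLE" are constructed placeholders for the truncated appleid.… values on the slides.

```python
# Added example (not code from the talk or from Apple): the "domain should match the
# certificate" rule applied to the AirDrop case. Certificate names ending in
# "-EXAMPLE" are constructed placeholders for the truncated appleid.… values on the
# slides; the matching rule follows RFC 6125 (exact match, or a single leftmost
# wildcard label matching exactly one label).


def host_matches_cert(hostname, cert_names):
    """True if `hostname` matches one of the DNS names the certificate was issued to."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue
        if pattern[0] == "*":
            # The wildcard must be the whole leftmost label, must leave at least two
            # fixed labels to its right, and matches exactly one host label.
            if len(pattern) >= 3 and pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


def airdrop_peer_check(hostname, cert_names):
    """Outcome of the standard check for one AirDrop peer. 'host verified' only means
    the certificate matches the hostname, which may change and names no user; the
    certificates on the slides do not even get that far."""
    return "host verified" if host_matches_cert(hostname, cert_names) else "mismatch"


AIRDROP_PEERS = {  # constructed to mirror the slides
    "Bobs.imac.local": ["appleid.CDEF-EXAMPLE"],
    "Alices.iphone.local": ["appleid.ABCD-EXAMPLE"],
}

if __name__ == "__main__":
    print("google.com:", airdrop_peer_check("google.com", ["google.com"]))
    for host, names in AIRDROP_PEERS.items():
        print(f"{host}: {airdrop_peer_check(host, names)}")
```

Even when the check passes, as it does for google.com, it binds the certificate to a hostname; Jeff wants to know that the peer is Alice, and the slides' point is that no hostname, display name or other public identifier gives him that.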
Demo
• https://www.youtube.com/watch?v=2JEJLpvnRO4
Technical Details
• Airdrop service daemon: /usr/libexec/sharingd
– Responsible for Bonjour process and https connection
• Not an Ethernet interface; Apple private interface
– awdl0: Apple Wireless Direct Link
– Device-to-device direct link
• How to work on this interface?
– sharingd uses an Apple-private socket option SO_RECV_ANYIF (0x1104)

Some customized ZeroConf protocols
• FileDrop
– TCP packets for discovery
– elliptic curve cryptography for security
– Failed in authentication
• challenge in linking a human to her public key
1. ZeroConf Concept
2. ZeroConf How
3. ZeroConf Breaking
Case 3: Apple's Vulnerable framework

Apple's Vulnerable framework
• Multipeer Connectivity (MC)
– A framework for automatic service discovery between nearby devices across Wi-Fi and Bluetooth without configuration
• Object to identify each app: peerID
– displayName (public) & uniqueID (private)
Normally
• Automatic Service Discovery Without Configuration
– Servers advertise peerIDs; Client browses peerIDs (shows displayName)
Server 1 advertises peerID {displayName: Alice, uniqueID: 8573a}
Server 2 advertises peerID {displayName: Bob, uniqueID: 6c5b3}
Client sees: Alice, Bob
• Even if servers have the same displayName
– uniqueIDs generated by MC will always be different
Server 1 advertises peerID {displayName: Alice, uniqueID: abcde}
Server 2 advertises peerID {displayName: Alice, uniqueID: 54321}
Client sees: Alice, Alice
What Can Go Wrong?
• Attacker acts as both client and server
– Browse and acquire peerID object from victim server
– Advertise using the same peerID object
Victim server advertises peerID {displayName: Alice, uniqueID: abcde}
Attacker (client & server) advertises peerID {displayName: Alice, uniqueID: abcde}
• Client cannot distinguish because of same uniqueID ("An update?")
• Client maps the only peer to attacker's address (MitM)

Technical Details
• MitM attacker
– First acts as client browsing for advertising servers
– Once found a server, advertises using the same peerID
If not using peerID for identification, is it secure enough?

1. ZeroConf Concept
2. ZeroConf How
3. ZeroConf Breaking
Case 4: MC in QQ

MC in QQ: Face to Face Transfer
• Popular instant messaging software in CN
– 829 million active accounts (Wikipedia)
• Face-To-Face Transfer
– Transfer files between nearby peers by using Multipeer Connectivity
• Not using peerID for identification
– Customized unique QQID
(App UI: Send File / Recv File)
Normally
• Receiver advertises its QQID
Receiver 1: My QQID is 1234
Receiver 2: My QQID is 4321
Sender: Looking for receiver
• Sender browses for receivers and finds their QQIDs
Sender found receivers: QQID 1234, QQID 4321
• Sender connects to receiver and gives its QQID
Sender: Connect, my QQID is 5678
Receiver: Sender connected: QQID 5678
What Can Go Wrong?
• Receiver advertises its QQID: "My QQID is 1234"
• Sender and Attacker are both looking for receivers
• Attacker found victim receiver's QQID: 1234
• Attacker advertises using the same QQID: 1234
• Sender found only one QQID: 1234
• Sender connects to Attacker (Sender's QQID: 5678)
• Attacker connects to Receiver using the Sender's QQID: 5678
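The MC peerID attack (Case 3) and the QQID attack (Case 4) follow the same pattern, so one added example covers both (not code from the talk, from Apple's Multipeer Connectivity or from QQ): a browser that keys peers by the advertised identifier merges the attacker's copy into the victim's entry as "an update", while a browser that remembers the endpoint each identifier was first seen from records the second claim as a conflict and refuses to connect. The advertisement values and endpoint strings are constructed to mirror the slides.

```python
# Added example (not code from the talk, from Apple's Multipeer Connectivity or from QQ):
# a model of identifier-based peer browsing for the MC peerID and QQ Face-to-Face
# Transfer cases. Advertisement values and endpoints are constructed to mirror the
# slides; in real MC the endpoint is the framework's transport address for the advertiser.
from dataclasses import dataclass


@dataclass(frozen=True)
class Advert:
    display_name: str   # what the user sees (MC displayName, or a QQ contact)
    identifier: str     # what the client keys on (MC uniqueID, or QQID)
    endpoint: str       # where the advertiser is reachable


class NaiveBrowser:
    """Keys peers by identifier only: a second advertisement carrying a known
    identifier is treated as an update, so the endpoint is silently replaced."""

    def __init__(self):
        self.peers = {}

    def on_advert(self, advert):
        self.peers[advert.identifier] = advert

    def visible(self):
        return [a.display_name for a in self.peers.values()]

    def endpoint_for(self, identifier):
        return self.peers[identifier].endpoint


class CheckedBrowser:
    """Remembers the endpoint an identifier was first seen from; the same identifier
    from a different endpoint is recorded as a conflict instead of an update, and
    connecting to a conflicted identifier is refused."""

    def __init__(self):
        self.peers = {}
        self.conflicts = {}

    def on_advert(self, advert):
        seen = self.peers.get(advert.identifier)
        if seen is None:
            self.peers[advert.identifier] = advert
        elif seen.endpoint != advert.endpoint:
            self.conflicts.setdefault(advert.identifier, []).append(advert)

    def visible(self):
        return [a.display_name for a in self.peers.values()]

    def endpoint_for(self, identifier):
        if identifier in self.conflicts:
            others = [a.endpoint for a in self.conflicts[identifier]]
            raise ValueError(f"identifier {identifier} also claimed by {others}")
        return self.peers[identifier].endpoint


def replay(browser, victim, attacker_endpoint):
    """The talk's sequence: the victim advertises, the attacker copies the advertised
    identifier and advertises it from its own endpoint, the client tries to connect."""
    browser.on_advert(victim)
    copied = Advert(victim.display_name, victim.identifier, attacker_endpoint)
    browser.on_advert(copied)
    try:
        target = browser.endpoint_for(victim.identifier)
    except ValueError as exc:
        target = str(exc)
    return browser.visible(), target


MC_VICTIM = Advert("Alice", "abcde", "victim-endpoint")        # MC peerID case
QQ_VICTIM = Advert("Receiver", "1234", "receiver-endpoint")    # QQID case

if __name__ == "__main__":
    for victim in (MC_VICTIM, QQ_VICTIM):
        print("naive:  ", replay(NaiveBrowser(), victim, "attacker-endpoint"))
        print("checked:", replay(CheckedBrowser(), victim, "attacker-endpoint"))
```

The checked browser only helps when the client has already seen the genuine advertisement: if the attacker advertises first, or the victim's advertisement never reaches the client, there is nothing to conflict with, and the copied identifier is accepted like any other. That is the talk's point for both cases: an identifier that anyone can read off the channel and re-advertise is not an authenticator.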
Demo
• https://www.youtube.com/watch?v=B71FlD3_vrc

1. ZeroConf Concept
2. ZeroConf How
3. ZeroConf Breaking
Case 5: Bluetooth

All your iOS notifications belong to me
• ZeroConf on Bluetooth: Apple Handoff
– A service that lets iOS and OS X synchronize data through Bluetooth without configuration
Normally
• Handoff creates Bluetooth channel without configuration
– Devices logged in with the same iCloud account
– Pairing automatically through iCloud account

What Can Go Wrong?
• Bluetooth ZeroConf: No app-level authentication
• Apple Notification Center Service (ANCS)
– designed for Bluetooth accessories to access notifications on iOS devices
• Through Bluetooth channel created by Handoff

Demo
• https://www.youtube.com/watch?v=c5viAzAs0Uo
Summary of attacks
• Attacks on Apple ZeroConf channels
– Bonjour (Printer, PhotoSync)
– Airdrop
– Customized ZeroConf protocols (FileDrop)
– Multipeer Connectivity (MCBrowserViewController, QQ)
– Handoff
• All vulnerabilities were reported to vendors, acknowledged by most vendors

1. ZeroConf Concept
2. ZeroConf How
3. ZeroConf Breaking
4. Impact
Impact
• Measurement
– We analyzed 61 popular Mac and iOS apps working with ZeroConf
– 88.5% are vulnerable to man-in-the-middle or impersonation attacks

ZeroConf Channels      Vulnerable/Sampled   Sensitive Information Leaked
Bonjour                18/22                files, directories and clipboard synced, documents printed, instant message
MC                     24/24                files and photos transferred, instant message
BLE                    10/13                username and password for OS X
Customized protocols   2/2                  remote keyboard input and files transferred
1. ZeroConf Concept
2. ZeroConf How
3. ZeroConf Breaking
4. Impact
5. Protecting ZeroConf

Protecting ZeroConf
• Problem: linking a human to her certificate is complicated
• Speaking out Your Certificate (SPYC)
– Voice biometrics ties certificate to identity
Speaking Out Your Certificate
Hash h: take its nk most significant bits and partition them into k n-bit segments Δ1 || Δ2 || … || Δk; map the segments to the word list <w1, w2, …, wk>, which links to the certificate.
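The hash-to-words step on the slide, as an added example (not the SPYC implementation from the talk): hash the certificate, keep the nk most significant bits, split them into k n-bit segments Δ1 || … || Δk and map each segment to a word. SHA-256 as the hash, the 16-entry word list (so n = 4) and the default k = 6 are assumptions for the example; the slide names none of them.

```python
# Added example (not the SPYC implementation from the talk): the hash-to-words step
# shown on the slide, hash h -> nk most significant bits -> k n-bit segments
# Δ1||…||Δk -> <w1,…,wk>. The 16-entry word list (n = 4), SHA-256 and k = 6 are
# assumptions for the example; the real scheme's list, hash, n and k are not on the slide.
import hashlib

WORDS = [  # constructed, 2**4 entries, so each 4-bit segment picks one word
    "apple", "banana", "cherry", "dragon", "eagle", "falcon", "grape", "harbor",
    "island", "jungle", "koala", "lemon", "mango", "nectar", "orange", "pepper",
]


def certificate_to_words(cert_der, wordlist=WORDS, k=6):
    """Map a certificate (bytes) to k words from `wordlist` as the slide describes."""
    n = len(wordlist).bit_length() - 1
    if 1 << n != len(wordlist):
        raise ValueError("word list length must be a power of two")
    h = hashlib.sha256(cert_der).digest()  # hash function is an assumption
    if n * k > 8 * len(h):
        raise ValueError("hash too short for k segments of n bits")
    top = int.from_bytes(h, "big") >> (8 * len(h) - n * k)  # nk most significant bits
    mask = (1 << n) - 1
    # Δ1 is the most significant segment, so walk from the high end down.
    return [wordlist[(top >> (n * (k - 1 - i))) & mask] for i in range(k)]


def words_match(spoken, cert_der, wordlist=WORDS, k=6):
    """Verifier side: the words the peer speaks must equal those derived from the
    certificate actually presented; case and surrounding whitespace are ignored."""
    expected = certificate_to_words(cert_der, wordlist, k)
    return [w.strip().lower() for w in spoken] == expected


if __name__ == "__main__":
    cert = b"constructed-certificate-bytes"
    print(certificate_to_words(cert))
```

With these parameters the spoken phrase carries nk = 24 bits of the certificate hash; a deployment chooses k and the word list size to trade the number of words a person must speak against how hard it is to find a second certificate that maps to the same phrase.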
Protecting ZeroConf
• Challenge: linking a human to her certificate
• Speaking out Your Certificate (SPYC)
– Voice biometrics ties certificate to identity
– Human Subject Study: convenient and effective

Conclusion
• Apple's ZeroConf techniques are not as secure as expected
– The usability-oriented design affects security
• Addressing such security risks is nontrivial
– Challenge in binding a human to her certificate
• Our Defense: SPYC
– Voice biometrics ties certificate to identity