Apple iPhone 4 Passphrase Disclosure
Posted Mar 7, 2011
Site tehtri-security.com

Apple iPhone 4 with iOS 4.3 (8F190) suffers from a passphrase disclosure vulnerability that exposes the passphrase to all local processes.

tags | advisory, local
systems | apple, iphone
SHA-256 | 50b3289c4489d4defcfdf5ed6c483a646482853dbb3b0aa3477ed046497aa078

Platform: iPhone 4

Operating System: iOS 4.3 (8F190)

Application: com.apple.wifi.hostapd

Impact for customers: Low (?)

Description:

The new iPhone option called “Personal Hotspot” uses a passphrase to protect the WPA2 Personal wireless hotspot it creates. A WPA PSK is derived from this passphrase.

While doing so, the iPhone writes the passphrase in clear text to the device console.

The console is readable by all local processes through the official Apple API. The following items are written to it in clear text: the Group Master Key, the Group Transient Key, the PSK, and the passphrase.

Example of clear text keys and passwords captured from an iOS 4.3 device:


Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.357484: PSK (ASCII passphrase) - hexdump_ascii(len=10):

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 66 61 63 65 74 73 31 34 36 37 facets1467

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.733079: PSK (from passphrase) - hexdump(len=32): cf f6 0d 2a 1a a2 d8 29 6d 58 cc 6f 49 55 34 47 22 b7 9c 5c 76 86 be 17 57 b0 d3 5c 6e ad 2a 65

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870472: WPA: group state machine entering state GTK_INIT (VLAN-ID 0)

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870522: GMK - hexdump(len=32): f9 69 7e c4 d1 fa 41 10 e2 b9 a1 78 0e 50 fa 47 5b 18 4a 86 75 8d a1 64 c7 c9 fc 7d b2 98 d5 b3

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.870580: GTK - hexdump(len=16): 8d 3f 27 be 0c 21 e2 5e fb 92 fb 15 b2 69 eb cd

Note: This can easily be patched by putting hostapd in a silent mode, which avoids this security issue. We evaluated the risk to be low (?), but a combined remote attack against an iPhone device could help a nearby attacker target the devices hidden behind the iPhone on the 3G link (and most of the time, people don't want their passwords to be written in clear text somewhere). There is more relevant data on those devices than on the iPhone itself.
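An added example, not part of the TEHTRI-Security advisory: a Python filter that flags and redacts hostapd key-material dumps in captured console text, including the two-line hexdump_ascii form shown above. The sample lines are constructed in the advisory's format with dummy values; the regexes and the name `scan` are assumptions based only on the lines quoted here.

```python
import re

# Header of a hostapd key dump: "<prefix> <ts>: <label> - hexdump[_ascii](len=N): [bytes]"
HEADER = re.compile(
    r"^.*hostapd\[\d+\]\s*:\s*[\d.]+:\s*(?P<label>(?:PSK|GMK|GTK)[^-]*?)\s*-\s*"
    r"hexdump(?P<ascii>_ascii)?\(len=(?P<len>\d+)\):\s*(?P<data>.*)$")
# Payload line that follows a hexdump_ascii header: hex bytes, then printable text.
CONT = re.compile(r"^(?P<prefix>.*hostapd\[\d+\]\s*:\s*)(?:[0-9a-fA-F]{2}\s+)+.*$")

P = "Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : "
# Constructed sample in the advisory's console format; all key bytes are dummy values.
SAMPLE = [
    P + "1299338601.357484: PSK (ASCII passphrase) - hexdump_ascii(len=10):",
    P + "65 78 61 6d 70 6c 65 50 57 31 examplePW1",
    P + "1299338601.733079: PSK (from passphrase) - hexdump(len=4): 00 11 22 33",
    P + "1299338601.870472: WPA: group state machine entering state GTK_INIT (VLAN-ID 0)",
    P + "1299338601.870580: GTK - hexdump(len=2): aa bb",
]

def scan(lines):
    """Return (findings, redacted): findings are (line_no, label, declared_len)."""
    findings, redacted, pending = [], [], False
    for no, line in enumerate(lines, 1):
        m = HEADER.match(line)
        if m:
            findings.append((no, m["label"].strip(), int(m["len"])))
            # hexdump_ascii prints its bytes on the following line(s)
            pending = bool(m["ascii"]) and not m["data"]
            redacted.append(line[:m.start("data")] + ("[REDACTED]" if m["data"] else ""))
        elif pending and CONT.match(line):
            redacted.append(CONT.match(line)["prefix"] + "[REDACTED]")
        else:
            pending = False
            redacted.append(line)
    return findings, redacted

if __name__ == "__main__":
    found, clean = scan(SAMPLE)
    for no, label, n in found:
        print(f"line {no}: {label} ({n} bytes) written to console")
    print("\n".join(clean))
```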


GOING FURTHER...

If you're interested in our findings, our techniques and our tools (*), feel free to join us during our next training sessions, where we can interact directly and share 0days, exploits and attack/defense concepts, so that you can fight the bad guys beyond the Matrix:

- Asia / April 2011: during next SyScan Singapore Conference, Training Advanced PHP Hacking

- Europe / May 2011: during next HITB Amsterdam Conference, Training Hunting Web Attackers


(*) Examples of vulnerabilities found by TEHTRI-Security in 2010:

* Vulnerability in iPhone: CVE-2010-1752
* Vulnerability in BlackBerry: CVE-2010-2599
* Vulnerabilities in PHP tools used by attackers


We wish you happy updates of your devices this week…

@tehtris
http://www.tehtri-security.com/
