Jailbreaking Apple Watch

Max Bazaliy
December 07, 2017

BlackHat Europe 2017 Edition

Transcript

  1. Jailbreaking Apple Watch, Max Bazaliy (December 4-7, 2017)

  2. whoami
     - Security researcher at Lookout
     - iOS/tvOS/WatchOS jailbreak author
     - Lead researcher on Pegasus exploit chain
     - Focused on software and hardware exploitation

  3. What is Apple Watch?
     - Released in 2015
     - Apple S1/S2/S3 processor
     - ARMv7k 32-bit architecture
     - 512/768 MB RAM
     - Single/dual-core processor
     - WatchOS

  4. How does it work?
     - Fetch data from a phone
     - Data transfer over Bluetooth
     - Sync over Bluetooth and WiFi
  5. Why jailbreak a watch?
     - Access to file system (messages, emails, ...)
     - Run debug tools on a watch (radare, frida)
     - iPhone attack vector :)
  6. Apple Watch security
     - Secure boot chain
     - Mandatory code signing
     - Sandbox
     - Exploit mitigations
     - Data Protection
     - Secure Enclave Processor

  7. Possible attack vectors
     - Memory corruption over WebKit
     - Boot chain attack over USB (diags port :))

  8. Possible attack vectors
     - Memory corruption over WebKit
     - Boot chain attack over USB (diags port :))
     - Application extension based

  9. Jailbreak step by step
     - Get initial code execution
     - Leak kernel base
     - Dump whole kernel (for encrypted kernels)
     - Find gadgets and set up primitives
     - Disable security restrictions
     - Run ssh client on a watch

  10. Bugs of interest
     - WatchOS 2.x: CVE-2016-4656 & CVE-2016-4680
     - WatchOS 3.1.2: CVE-2017-2370
     - WatchOS 4.0.1: CVE-2017-13861 ? :)

  11. Leaking kernel base – WatchOS 2.x
     - CVE-2016-4680
     - Object constructor missing bounds checking
     - OSNumber object with high number of bits
     - Object length used to copy value from stack
     - Kernel stack memory leaked
     - Can be triggered from an app's sandbox
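The bounds-check failure on slide 11, modelled as an added C example (constructed for this page, not Apple's or the speaker's code): an OSNumber-like toy whose serializer trusts the caller-supplied bit count, beside an init that rejects lengths larger than its 8-byte value field. All type and function names, the `adjacent_secret` field and the 0xAA marker are assumptions made for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model of an OSNumber-like object (constructed for this example, not Apple's code):
 * size_bits is the caller-supplied "numberOfBits", value is the only storage it has (8 bytes). */
typedef struct { uint32_t size_bits; uint64_t value; } toy_number_t;
/* Models whatever sits after the object in memory, e.g. the rest of a kernel stack frame. */
typedef struct { toy_number_t num; uint8_t adjacent_secret[32]; } toy_frame_t;

static size_t number_of_bytes(const toy_number_t *n) { return (n->size_bits + 7) / 8; }

/* Unchecked init mirrors the missing bounds check: any bit count is accepted. */
static void toy_init_unchecked(toy_number_t *n, uint64_t v, uint32_t bits) {
    n->size_bits = bits; n->value = v;
}

/* Checked init refuses a length that does not fit the 8-byte value field. */
static bool toy_init_checked(toy_number_t *n, uint64_t v, uint32_t bits) {
    if (bits == 0 || bits > 8 * sizeof n->value) return false;
    n->size_bits = bits; n->value = v;
    return true;
}

/* Serializer that trusts size_bits: copies number_of_bytes() starting at &value,
 * the pattern that turns an oversized length into a memory disclosure. */
static size_t toy_serialize(const toy_frame_t *f, uint8_t *out, size_t out_len) {
    size_t off = offsetof(toy_frame_t, num) + offsetof(toy_number_t, value);
    size_t n = number_of_bytes(&f->num);
    if (n > out_len) n = out_len;
    if (n > sizeof *f - off) n = sizeof *f - off; /* toy-only fence; the real bug had none */
    memcpy(out, (const uint8_t *)f + off, n);     /* size_bits > 64 walks into adjacent_secret */
    return n;
}

/* Fills a frame with a recognisable secret, serializes the number and returns how many
 * secret bytes reached the output (0 means no leak). */
static size_t leaked_secret_bytes(uint32_t bits, bool use_checked_init) {
    toy_frame_t f;
    memset(&f, 0, sizeof f);
    memset(f.adjacent_secret, 0xAA, sizeof f.adjacent_secret);
    if (use_checked_init) {
        if (!toy_init_checked(&f.num, 0x4142434445464748ULL, bits)) return 0; /* rejected */
    } else {
        toy_init_unchecked(&f.num, 0x4142434445464748ULL, bits);
    }
    uint8_t out[sizeof f];
    size_t n = toy_serialize(&f, out, sizeof out), leaked = 0;
    for (size_t i = sizeof f.num.value; i < n; i++) leaked += (out[i] == 0xAA);
    return leaked;
}
```

With 64 bits only the value is copied; with 128 bits the unchecked path hands back 8 bytes of the neighbouring secret, while the checked init rejects the request outright.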
  12. CVE-2016-4656 exploitation
     - Kernel-mode UAF in OSUnserializeBinary
     - OSString object deallocated
     - retain() called on deallocated object
     - Fake object with fake vtable -> code exec
     - Can be triggered from an app's sandbox

  13. Dumping WatchOS 2.x kernel
     - Problem: no WatchOS 2.x kernel dumps
     - No decryption keys for WatchOS kernels
     - Idea: read kernel as OSString chunks
     - vtable offset required to fake OSString
     - vtable stored in __DATA.__const in kernel

  14. Getting OSString vtable
     - OSString vtable reference in OSUnserializeBinary!
     - OSUnserializeBinary reference in OSUnserializeXML
  15. Dumping kernel by panic logs
     - We can control pointer to vtable
     - Use address to leak as vtable address
     - vtable will be dereferenced by retain() call
     - Kernel will crash, but save panic log
     - Address content appears in register state

  16. Dumping kernel by 4 bytes
     - Use address to leak as fake vtable address
     - Watch will crash, wait until it restores
     - ssh to an iPhone and run synchronization service
     - Copy panic from Watch to iPhone and to Mac
     - Parse panic, read 4 bytes and disassemble!
     - Update address with 4-byte delta and upload app
     - Repeat
  17. Next step – full kernel dump
     - Now use fake OSString obj to read kernel
     - Read data via IORegistryEntryGetProperty
     - Leak kernel header, calculate kernel size
     - Dump full kernel to userland by chunks

  18. Next step – kernel symbolication
     - Find and list all kexts
     - Find sysent and resolve syscalls
     - Find and resolve mach traps
     - Resolve IOKit objects' vtables

  19. Next step – setting up primitives
     - Scan kernel dump for gadgets
     - Set up exec primitive
     - Set up kernel read & write primitives
  20. Jailbreaking WatchOS 3.x
     - Kernels are not encrypted now
     - No need to dump and symbolicate anymore
     - New heap layout, some AMFI fixes
     - More sandbox restrictions
     - Vulnerable to CVE-2017-2370
  21. CVE-2017-2370
     - Kernel heap overflow
     - mach_voucher_extract_attr_recipe
     - Usermode pointer is used as copyin size arg
     - We can corrupt mach message to get kernel RW
     - Allocate userclient and read obj vtable -> KASLR
     - Can be triggered from an app's sandbox

  22. Next step – patchfinder
     - String / byte pattern + xref + analysis
     - Simple ARM emulator is helpful
     - Resolve syscalls table, mach traps table

  23. Getting root and sandbox bypass
     - Patch setreuid (no KPP)
     - Patch ucred in proc structure in kernel
     - Patch sandbox label value in ucred
  24. Getting kernel task
     - Patch task_for_pid()
     - Or save kernel self in task bootstrap port
     - Read it back via task_get_special_port()
     - Restore original bootstrap port value
  25. Disable codesign checks
     - Patch _debug to 1
     - Patch _nl_symbol_ptr (GOT) entries
     - Patch AMFI variables
       - cs_enforcement_disable
       - allow_invalid_signatures

  26. Remount rootfs
     - Patch __mac_mount
     - Change mount flags in rootfs vnode
     - Patch lwvm is_write_protected check
     - Patch PE_i_can_has_debugger in lwvm

  27. Spawning ssh client
     - Compile dropbear ssh client for ARMv7k
     - Compile basic tools package for ARMv7k
     - More restricted sandbox than iOS
     - Null out WatchOS-specific sandbox ops

  28. ssh connection problem...
     - WatchOS interfaces:
         "awdl0/ipv6" = "fe80::c837:8aff:fe60:90c2";
         "lo0/ipv4"   = "127.0.0.1";
         "lo0/ipv6"   = "fe80::1";
         "utun0/ipv6" = "fe80::face:5e30:271e:3cd3";

  29. Watch <-> iPhone port forwarding

         // Ask the companion proxy to forward a watch-side service port (pt) to the iPhone
         NSDictionary *comm = @{
             @"Command"               : @"StartForwardingServicePort",
             @"ForwardedServiceName"  : @"com.apple.syslog_relay",
             @"GizmoRemotePortNumber" : [NSNumber numberWithUnsignedShort:pt],
             @"IsServiceLowPriority"  : @0,
         };

         AMDServiceConnectionSendMessage(serviceConnection,
                                         (__bridge CFPropertyListRef)(comm),
                                         kCFPropertyListXMLFormat_v1_0);

         AMDServiceConnectionReceiveMessage(serviceConnection, &response,
                                            (CFPropertyListFormat *)&format);

         // The iPhone-side port that now proxies to the watch service
         NSNumber *iphone_port = response[@"CompanionProxyServicePort"];
  30. SSH over WiFi
     - Watch can be connected to 2.4 GHz WiFi
     - Can be a little bit tricky but it works
     - iPhone is not involved at all :)
     - Just leak address and connect
  31. Apple Watch usage
     - Watch has access to SMS, calls, Health
     - Photos and emails synced to Watch
     - Access to GPS location
     - Microphone usage
     - Apple Pay
  32. Post jailbreak
     - Full access to jailbroken watch file system
       - Messages
       - Call history
       - Contacts
       - Emails
       - GPS location

  33. What's next?
     - Interpose or trampoline system functions
     - Catch data on sync with an iPhone
     - Call recordings
     - Create tweaks for a watch
     - Run frida and radare
  34. Black Hat sound bytes
     - WatchOS security is mostly equal to iOS
     - Easier data forensics on a Watch
     - Exploits became more valuable