By Xeno Kovah
Created: 6/29/07 Updated: 7/4/07

Here are the answers to some of the questions which I personally have been dying to know. If you have any additional questions you would like me to look into, email my first name at cmu.edu. This is my quick and dirty first run just to get the info out there for curious people like myself.

Updates 7/4/07:

The iPhone Dev Wiki people are working hard and fast. They obviously have far more time than me and are finding things faster, so I will just contribute to their efforts. The new page is here.

Updates 7/1/07:

Now it's time to just poke at it.

Apple has posted the full manual here: iPhone User's Guide (Manual) (but it doesn't cover much security related material).

Specific clarification on which VPN technologies it works with is here: Supported Protocols for VPN

Late-breaking news: Apple data leak, possibly including firmware: http://www.hackint0sh.org/forum/showthread.php?t=1316

Ahhh, but you gotta love the good old fashioned Mac "underground" with their public forums... "John the Ripper costs $40, I will go pirate it!", "Just use rainbow tables to crack AES-128!" (paraphrased). This page will be interesting to follow though: http://hissomnia.com/wiki/index.php?title=Main_Page

Bonjour is on and seems to be used along with IGMP. I haven't yet been able to figure out how to cause these packets myself (they're background noise), but BonjourBrowser also doesn't show any listening services. pcap here: iPhoneBonjourAndIGMP.pcap

Safari User-Agent string and whatnot (refreshing the page I was already at):

Now everyone go out there and spoof your User-Agent string to make it look like iPhones have taken over the world ("Wow boss! iPhones make up like 30% of our traffic!").

Normal TCP stack. I've done "a little work" (i.e. my masters thesis) on passively fingerprinting TCP/IP headers (a la p0f), but for the purposes of malware detection.
That led me to the fact that TCP retransmission inter-packet arrival times (a la RING) are also interesting to look at, although I didn't implement this addition in my thesis PoC code. Although I could swear that I don't remember Mac OS X switching its TCP options midway through retransmission, both the Mac OS X and iPhone packets look like the below. They implement an inter-arrival packet timing of 2-3-3-3-3-6-12-24 seconds. (Does anyone have OS X < 10.4.10? Could they try to connect to something which won't return a RST (e.g. Mac OS X when you enable "stealth mode" in the firewall options) and see if it matches the below?) Note that p0f doesn't know what to make of the signatures for the second half... I suppose I should submit a signature for that.

p0f -s iPhoneTCPTimeout.pcap -S -q -l

Pcap here: iPhoneTCPTimeout.pcap

When the iPhone crashes it will prompt you in iTunes asking whether you want to send the crash information to Apple. It does this via an SSL connection to iphonesubmissions.apple.com, which is apparently using Apache Tomcat based on the front page at the time of writing. Common sense dictates that I should try and MitM that page given the below... 50/50 chance of working.

Safari checks SSL certificate validity, but (UNCONFIRMED) I heard from another person at work that Mail does not.

As you may have also heard on DailyDave, no HD capability, which means more limited access to the OS as well. I tried sniffing the USB bus from Windows in Parallels with a demo program while iTunes was syncing but didn't pick anything up. I will end up booting into Windows I suppose and try again. (FWIW my current conspiracy theory is that Apple will make it write and delete only, but not read, so that people don't steal the OS and go put it on some other ARM-based phone... but I'm just making stuff up for fun.)

Questions 7/1/07:

Nmap output? Nothing. The iPhone is not running any services listening on any TCP ports, and silently drops all unrequested packets.
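The retransmission-timing idea above (RING-style passive fingerprinting of the 2-3-3-3-3-6-12-24 second schedule), as an added example that is not code from the original post or its pcaps: a small Python script that groups retransmitted SYNs by connection attempt, computes the gaps between them and matches the profile against a signature table. The Mac OS X / iPhone row is the profile reported above; the Linux and Windows XP rows are assumed reference values added only to make the matcher meaningful, and the packet list is constructed, not taken from iPhoneTCPTimeout.pcap. Function and variable names are the example's own.

```python
"""Passive SYN-retransmission timing fingerprint (RING-style).

Added example, not code from the original page. Retransmitted SYNs keep
the same source port and initial sequence number, so grouping on those and
diffing the timestamps recovers the client's retransmission schedule
without ever sending it a packet.
"""
from collections import defaultdict

# Reference profiles in seconds between successive SYN retransmissions.
# The Mac OS X / iPhone row is the profile observed on this page; the other
# two are assumed typical defaults, present only so the matcher has
# something to distinguish, and should be re-measured before being trusted.
SIGNATURES = {
    "Mac OS X 10.4.10 / iPhone 1.0": (2, 3, 3, 3, 3, 6, 12, 24),
    "Linux (1s initial RTO, 5 retries)": (1, 2, 4, 8, 16),
    "Windows XP (TcpMaxConnectRetransmissions=2)": (3, 6),
}

# Constructed capture (not one of the pcaps linked above), as tuples of
# (timestamp, src_ip, src_port, dst_ip, dst_port, seq, syn_flag, ack_flag).
# 10.0.0.5 keeps retrying a SYN against a host that silently drops it; the
# other two packets are noise that the grouping must ignore.
SAMPLE_PACKETS = [
    (0.000, "10.0.0.5", 49152, "10.0.0.1", 80, 1000, True, False),
    (0.500, "10.0.0.1", 80, "10.0.0.9", 49200, 500, True, True),   # SYN/ACK, server side
    (2.010, "10.0.0.5", 49152, "10.0.0.1", 80, 1000, True, False),
    (5.005, "10.0.0.5", 49152, "10.0.0.1", 80, 1000, True, False),
    (8.020, "10.0.0.5", 49152, "10.0.0.1", 80, 1000, True, False),
    (11.010, "10.0.0.5", 49152, "10.0.0.1", 80, 1000, True, False),
    (14.030, "10.0.0.5", 49152, "10.0.0.1", 80, 1000, True, False),
    (20.020, "10.0.0.5", 49152, "10.0.0.1", 80, 1000, True, False),
    (32.040, "10.0.0.5", 49152, "10.0.0.1", 80, 1000, True, False),
    (56.050, "10.0.0.5", 49152, "10.0.0.1", 80, 1000, True, False),
    (60.000, "10.0.0.5", 49152, "10.0.0.1", 80, 2000, True, False),  # fresh ISN: new attempt, not a retransmit
]


def syn_retransmit_gaps(packets):
    """Map each connection attempt that retransmitted its SYN to the list of
    gaps (seconds) between successive copies of that SYN.

    An attempt is keyed on (src, sport, dst, dport, seq): a true
    retransmission reuses the initial sequence number, so a SYN carrying a
    new ISN from the same port is a separate attempt."""
    stamps_by_attempt = defaultdict(list)
    for ts, src, sport, dst, dport, seq, syn, ack in packets:
        if syn and not ack:  # pure SYNs only: the client side of the handshake
            stamps_by_attempt[(src, sport, dst, dport, seq)].append(ts)
    gaps = {}
    for attempt, stamps in stamps_by_attempt.items():
        stamps.sort()
        if len(stamps) > 1:  # a lone SYN carries no timing information
            gaps[attempt] = [round(b - a, 3) for a, b in zip(stamps, stamps[1:])]
    return gaps


def match_signature(gaps, tolerance=0.25):
    """Return the SIGNATURES label whose profile has the same number of
    retransmissions as `gaps` and every gap within `tolerance` seconds of
    the reference, or None. Scheduler and capture jitter make exact
    comparison useless, hence a tolerance rather than equality."""
    for label, ref in SIGNATURES.items():
        if len(ref) == len(gaps) and all(abs(g - r) <= tolerance for g, r in zip(gaps, ref)):
            return label
    return None


def fingerprint_capture(packets):
    """Run both steps over a capture: {connection_attempt: label_or_None}."""
    return {attempt: match_signature(g) for attempt, g in syn_retransmit_gaps(packets).items()}


if __name__ == "__main__":
    for attempt, label in fingerprint_capture(SAMPLE_PACKETS).items():
        src, sport, dst, dport, _ = attempt
        print(f"{src}:{sport} -> {dst}:{dport}: {label or 'unknown retransmission schedule'}")
```

To use this against a real capture, replace SAMPLE_PACKETS with tuples pulled out of the pcap (the fields needed are all in the IP and TCP headers), and note that the schedule is only visible when the target never answers, which is exactly the stealth-mode setup suggested above.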
Can we see a tcpdump of activation traffic? I don't have this as I activated already. Anyone who can get a capture of this, please send it my way (after you check it yourself).

Does it automagically try to connect to networks you define when WiFi is enabled? Yes. At first I wasn't sure, since a couple of times it didn't automatically connect to my home wireless network, but now it seems to if given enough time.

Bluetooth SDP browse? (KF wants to know, and I don't know how to do this, so I'm waiting for him to reply.) Maybe this from Apple System Profiler? Services: Handsfree Gateway, Phonebook, Headset Gateway, IrMC Sync. So yeah, no OBEX of any kind... very limited.

Original Post 6/29/07:

Mail:

Mail supports SSL (I knew it *should* since it's modified from Apple Mail, but I was secretly worried it wouldn't). However, the option for SSL is not on the main account setup screen (it's one level down in "Advanced" when you go to Settings, but the Advanced tab is not there at account setup). SSL Authentication options are: MD5 Challenge-Response, NTLM (oh noes!), Password.

Regarding this whole MS Exchange support thing, the only thing that it says when you go to add an account is "IMAP support must be enabled on the Exchange Server." I guess that is a problem for some admins, but AFAIK my work has it enabled.

There does not appear to be a way to turn off the rendering of inline images in Mail. This, combined with the fact that it supports full HTML mail, has implications for possible exploits by viewing mail messages.

Safari:

In the Safari settings there is a Security subsection. It has on/off sliders for JavaScript, Plug-Ins, and Block Pop-ups, all set to on.
It also has Accept Cookies set to "From visited", with alternative options of Never and Always. It also has the Clear History/Cookies/Cache options (as 3 separate options). There does not seem to be a way to stop loading images from websites external to the one you're viewing (which would have been nice for faster browsing, as well as for stopping ads and so forth).

VPN: (I will try to get pics soon)

VPN has L2TP and PPTP tabs. L2TP has Server, Account, Password and Secret fields. PPTP substitutes the Secret field for an Encryption level, which can be Auto, Maximum, or None. There is a Proxy option which defaults to Off but also has Manual and Auto. Selecting Proxy -> Manual gives you Server, Port, Authentication (on/off), Username, and Password fields. Selecting Auto gives you a field for entering a URL (for a PAC file, I assume).

Wireless:

802.11 wireless is on by default, but it doesn't seem to connect to the first open network it finds without you explicitly telling it to. Connection supports: no authentication, WEP password, WEP hex or ASCII, WPA, WPA2 (w00t, my home WPA2 network works!). It did not import the password for my wireless network from my computer.

Bluetooth:

Bluetooth is off by default. Bluetooth used an 8 character PIN when I tried connecting from my Mac to the phone. The phone never saw the Mac even though it was set to discoverable. This is in line with the fact that it has been said that it will not have Bluetooth data capabilities. My Mac reported "There were no supported services found on your device". The 802.11 MAC address is 1 greater than the Bluetooth one. IIRC that can have implications for Bluetooth security if you can find the MAC even when it's not in discoverable mode, but it does not appear to matter here since there are no data capabilities...

General:

There is an "Auto-Lock" feature. You can set it to lock every 1, 2, 3, 4, or 5 minutes, or never (the default is 1 minute). By default passcode lock is off (as is standard).
If you opt for it, though, unfortunately it's the standard 4 digits and easily overseen (shoulder-surfed). There is also an option called "Show SMS Preview" which defaults to on and which shows you a couple of lines of an SMS you receive even if the main screen is locked (as I noticed since I got an SMS from AT&T while the screen was locked). Under Phone options there is something called "Show My Caller ID" which has an on/off option and which, if you switch it off, will make the call show up as "private" or whatever your phone says when the ID is blocked.