Discovering and Exploiting Novel Security Vulnerabilities in Apple ZeroConf

Presented at Black Hat USA 2016, Aug. 4, 2016, 12:10 p.m. (50 minutes)

With the proliferation of portable computing systems such as tablets, smartphones, and Internet of Things (IoT) devices, ordinary users face an increasing burden to properly configure those devices so that they work together. In response to this usability challenge, major device manufacturers and software vendors (e.g., Apple, Microsoft, Hewlett-Packard) tend to build their systems in a "plug-and-play" fashion, using techniques dubbed zero-configuration (ZeroConf). Such ZeroConf services are characterized by automatic IP selection, host name resolution and target service discovery. As the major proponent of ZeroConf techniques, Apple has adopted them in various frameworks and system services on iOS and OS X to minimize user involvement in system setup. However, when the design pendulum swings towards usability, concerns arise as to whether the system has been adequately protected. In this presentation, we will report the first systematic study on the security implications of these ZeroConf techniques on Apple systems.

Our research brings to light a disturbing lack of security consideration in these systems' designs: major ZeroConf frameworks on the Apple platforms, including Multipeer Connectivity and Bonjour, are mostly unprotected, and system services such as printer discovery and AirDrop turn out to be completely vulnerable to impersonation or Man-in-the-Middle (MitM) attacks, even though attempts have been made to protect them against such threats. The consequences are serious, allowing a malicious device to steal documents to be printed out by other devices or files transferred between other devices. Most importantly, our study highlights the fundamental security challenges underlying ZeroConf techniques. Some of the vulnerabilities had not been fixed as of this submission, though we reported them to Apple over half a year ago. We will introduce ZeroConf techniques and publish the technical details of our attacks on Apple ZeroConf techniques. We will take AirDrop, Bonjour and Multipeer Connectivity as examples to show the vulnerabilities in their design and implementation and how we hacked these ZeroConf frameworks and system services to perform MitM attacks. We will also show that some of the vulnerabilities are due to TLS's inability to secure device-to-device communication in the ZeroConf scenario, which is a novel discovery and contributes to the state of the art.


Presenters:

  • Xiaolong Bai - TNList, Tsinghua University, Beijing
    Xiaolong Bai is a PhD student in the Department of Computer Science and Technology, Tsinghua University. His major research interest is finding and mitigating new vulnerabilities in mobile systems, including Android, iOS/OS X and others. He has published several papers at top research conferences, including IEEE Security & Privacy and ACM CCS. His hacking of mobile systems and applications has been acknowledged by major IT companies including Apple, Evernote and Tencent. He is now looking for job opportunities in mobile security and system security. His email address is bxl12@mails.tsinghua.edu.cn.
  • Luyi Xing - System Security Lab, Indiana University Bloomington
    Luyi Xing's major research interest is finding novel and previously unknown ways to hack, in a white-hat manner, iOS/OSX/Android, Cloud, Web/Browser and other systems. With the in-depth knowledge learnt during the hacking, he also delves into securing the systems that he hacked. His hacking of OSX, iOS, Android and Cloud has been reported by Time, CNN, Forbes, Mirror, Fox News, Yahoo, CNET, The Register and more. The official blogs of Facebook and 1Password have discussed his hacking. Apple, Android, Dropbox and Evernote have officially acknowledged his hacking and his effort to help protect their users.