Jailbreaking Apple Watch

Transcript

1. December 4-7, 2017 1 2 3 4 5 6 7

   8 9 10 11 12 Max Bazaliy Jailbreaking Apple Watch

2. December 4-7, 2017 whoami 1 2 3 4 5 6

   7 8 9 10 11 12 o  Security researcher at Lookout o  iOS/tvOS/WatchOS jailbreak author o  Lead researcher on Pegasus exploit chain o  Focused on software and hardware exploitation

3. December 4-7, 2017 o  Released in 2015 o  Apple S1/S2/S3

   processor o  ARMv7k 32 bit architecture o  512/768 MB RAM o  One/Dual-core processor o  WatchOS 1 2 3 4 5 6 7 8 9 10 11 12 What is Apple Watch ?

4. December 4-7, 2017 o  Fetch data from a phone o 

   Data transfer over Bluetooth o  Sync over Bluetooth and WiFi 1 2 3 4 5 6 7 8 9 10 11 12 How does it work ?

5. December 4-7, 2017 o  Access to file system (messages, emails..)

   o  Run debug tools on a watch (radare, frida) o  iPhone attack vector J Why to jailbreak a watch ? 1 2 3 4 5 6 7 8 9 10 11 12

6. December 4-7, 2017 Apple Watch security o  Secure boot chain

   o  Mandatory Code Signing o  Sandbox o  Exploit Mitigations o  Data Protection o  Secure Enclave Processor 1 2 3 4 5 6 7 8 9 10 11 12

7. December 4-7, 2017 Possible attack vectors o  Memory corruption over

   Webkit 1 2 3 4 5 6 7 8 9 10 11 12

8. December 4-7, 2017 1 2 3 4 5 6 7

   8 9 10 11 12 Possible attack vectors o  Memory corruption over Webkit o  Boot chain attack over usb (diags port J)

9. December 4-7, 2017 Possible attack vectors o  Memory corruption over

   Webkit o  Boot chain attack over usb (diags port J) o  Application extension based 1 2 3 4 5 6 7 8 9 10 11 12

10. December 4-7, 2017 Jailbreak step by step o  Get initial

    code execution o  Leak kernel base o  Dump whole kernel (for encrypted kernels) o  Find gadgets and setup primitives o  Disable security restrictions o  Run ssh client on a watch 1 2 3 4 5 6 7 8 9 10 11 12

11. December 4-7, 2017 Bugs of interest o  WatchOS 2.x -

    CVE-2016-4656 & CVE-2016-4680 o  WatchOS 3.1.2 - CVE-2017-2370 o  WatchOS 4.0.1 - CVE-2017-13861 ? J 1 2 3 4 5 6 7 8 9 10 11 12

12. December 4-7, 2017 Leaking kernel base – WatchOS 2.x o 

    CVE-2016-4680 o  Object constructor missing bounds checking o  OSNumber object with high number of bits o  Object length used to copy value from stack o  Kernel stack memory leaked o  Can be triggered from an app’s sandbox 1 2 3 4 5 6 7 8 9 10 11 12

13. December 4-7, 2017 CVE-2016-4656 exploitation o  Kernel mode UAF in

    OSUnserializeBinary o  OSString object deallocated o  retain() called on deallocated object o  Fake object with fake vtable –> code exec o  Can be triggered from an app’s sandbox 13 14 15 16 17 18 19 20 21 22 23 24

14. December 4-7, 2017 o  Problem: No WatchOS 2.x kernel dumps

    o  No decryption keys for WatchOS kernels o  Idea: read kernel as OSString chunks o  vtable offset required to fake OSString o  vtable stored in __DATA.__const in kernel Dumping WatchOS 2.x kernel 13 14 15 16 17 18 19 20 21 22 23 24

15. December 4-7, 2017 13 14 15 16 17 18 19

    20 21 22 23 24

16. December 4-7, 2017 Getting OSString vtable o  OSString vtable reference

    in OSUnserializeBinary! o  OSUnserializeBinary reference in OSUnserializeXML 13 14 15 16 17 18 19 20 21 22 23 24

17. December 4-7, 2017 Dumping kernel by panic logs o  We

    can control pointer to vtable o  Use address to leak as vtable address o  vtable will be dereferenced by retain() call o  Kernel will crash, but save panic log o  Address content appear in register state 13 14 15 16 17 18 19 20 21 22 23 24

18. December 4-7, 2017 It’s fun ! 13 14 15 16

    17 18 19 20 21 22 23 24

19. December 4-7, 2017 Dumping kernel by 4 bytes o  Use

    address to leak as fake vtable address o  Watch will crash, wait until it restore o  ssh to a iPhone and run synchronization service o  Copy panic from Watch to iPhone and to Mac o  Parse panic, read 4 bytes and disassemble ! o  Update address with 4 bytes delta and upload app o  Repeat 13 14 15 16 17 18 19 20 21 22 23 24

20. December 4-7, 2017 13 14 15 16 17 18 19

    20 21 22 23 24

21. December 4-7, 2017 Next step – full kernel dump o 

    Now use fake OSString obj to read kernel o  Read data via IORegistryEntryGetProperty o  Leak kernel header, calculate kernel size o  Dump full kernel to userland by chunks 13 14 15 16 17 18 19 20 21 22 23 24

22. December 4-7, 2017 Next step – kernel symbolication o  Find

    and list all kexts o  Find sysent and resolve syscalls o  Find and resolve mach traps o  Resolve IOKit objects vtable 13 14 15 16 17 18 19 20 21 22 23 24

23. December 4-7, 2017 Next step – setting up primitives o 

    Scan kernel dump for gadgets o  Set up exec primitive o  Set up kernel read & write primitives 13 14 15 16 17 18 19 20 21 22 23 24

24. December 4-7, 2017 Jailbreaking Watch OS 3.x o  Kernels are

    not encrypted now o  No need to dump and symbolicate anymore o  New heap layout, some AMFI fixes o  More sandbox restrictions o  Vurnerable to CVE-2017-2370 13 14 15 16 17 18 19 20 21 22 23 24

25. December 4-7, 2017 CVE-2017-2370 o  Kernel heap overflow o  mach_voucher_extract_attr_recipe

    o  Usermode pointer is used as copyin size arg o  We can corrupt mach message to get kernel RW o  Allocate userclient and read obj vtable -> KASLR o  Can be triggered from an app’s sandbox 25 26 27 28 29 30 31 32 33 34 35 36

26. December 4-7, 2017 Next step – patchfinder o  String \

    byte pattern + xref + analysis o  Simple arm emulator is helpful o  Resolve syscalls table, mach traps table 25 26 27 28 29 30 31 32 33 34 35 36

27. December 4-7, 2017 Getting root and sandbox bypass o  Patch

    setreuid (no KPP) o  patch ucred in proc structure in kernel o  patch sandbox label value in ucred 25 26 27 28 29 30 31 32 33 34 35 36

28. December 4-7, 2017 Getting kernel task o  Patch task_for_pid() o 

    Or save kernel sself in task bootstrap port o  Read it back via task_get_special_port() o  Restore original bootstrap port value 25 26 27 28 29 30 31 32 33 34 35 36

29. December 4-7, 2017 Disable codesign checks o  Patch _debug to

    1 o  patch _nl_symbol_ptr (got) entries o  Patch amfi variables - cs_enforcement_disable - allow_invalid_signatures 25 26 27 28 29 30 31 32 33 34 35 36

30. December 4-7, 2017 Remount rootfs o  Patch __mac_mount o  Change

    mount flags in rootfs vnode o  Patch lwvm is_write_protected check o  Patch PE_i_can_has_debugger in lwvm 25 26 27 28 29 30 31 32 33 34 35 36

31. December 4-7, 2017 Spawning ssh client o  Compile dropbear ssh

    client for ARMv7k o  Compile basic tools package for ARMv7k o  More restricted sandbox than iOS o  Null out WatchOS specific sandbox ops 25 26 27 28 29 30 31 32 33 34 35 36

32. December 4-7, 2017 ssh connection problem… "awdl0/ipv6" = "fe80::c837:8аff:fe60:90c2"; "lo0/ipv4”

    = "127.0.0.1"; "lo0/ipv6" = "fe80::1"; "utun0/ipv6" = "fe80::face:5e30:271e:3cd3"; o  WatchOS interfaces 25 26 27 28 29 30 31 32 33 34 35 36

33. December 4-7, 2017 25 26 27 28 29 30 31

    32 33 34 35 36

34. December 4-7, 2017 Watch <-> iPhone port forwarding NSDictionary *comm

    = @{! @"Command" :@"StartForwardingServicePort", @"ForwardedServiceName" :@"com.apple.syslog_relay",! @"GizmoRemotePortNumber" :[NSNumber numberWithUnsignedShort: pt],! @"IsServiceLowPriority" :@0,};! ! AMDServiceConnectionSendMessage(serviceConnection,! (__bridge CFPropertyListRef)(comm), kCFPropertyListXMLFormat_v1_0);! ! AMDServiceConnectionReceiveMessage(serviceConnection, &response, (CFPropertyListFormat*)&format);! ! NSNumber *iphone_port = response[@"CompanionProxyServicePort"];! 25 26 27 28 29 30 31 32 33 34 35 36

35. December 4-7, 2017 Black Hat Sound Bytes 25 26 27

    28 29 30 31 32 33 34 35 36

36. December 4-7, 2017 SSH over WiFi o  Watch can be

    connected to 2.4Hz WiFi o  Can be a little bit tricky but it works o  iPhone is not involved at all J o  Just leak address and connect 25 26 27 28 29 30 31 32 33 34 35 36

37. December 4-7, 2017 Black Hat Sound Bytes 37 38 39

    40 41 42 43 44 45 46 47 48

38. December 4-7, 2017 Apple Watch usage o  Watch has access

    to SMS, Calls, Health o  Photos and emails synced to Watch o  Access to GPS location o  Microphone usage o  Apple Pay 37 38 39 40 41 42 43 44 45 46 47 48

39. December 4-7, 2017 Post jailbreak o  Full access to jailbroken

    watch file system - Messages - Call history - Contacts - Emails - GPS loacation 37 38 39 40 41 42 43 44 45 46 47 48

40. December 4-7, 2017 What's next ? o  Interpose or trampoline

    system functions o  Catch data on sync with a iPhone o  Call recordings o  Create tweaks for a watch o  Run frida and radare 37 38 39 40 41 42 43 44 45 46 47 48

41. December 4-7, 2017 Black Hat sound bytes o  WatchOS security

    is mostly equal to iOS o  Easier data forensics on a Watch o  Exploits became more valuable 37 38 39 40 41 42 43 44 45 46 47 48

42. December 4-7, 2017 @mbazaliy 37 38 39 40 41 42

    43 44 45 46 47 48