iPhone target analysis and use of the UDID for exploitation
The iPhone offers some powerful and practical functions, such as location tracking and remote data wiping, which are made possible by its Unique Device Identifier (UDID). This report describes the target-analysis techniques used to discover iPhone target devices and to implant them directly via the QUANTUM programme. It shows that the iPhone's UDID can be used to track a target, or to associate the phone with the endpoint it synchronises with and with the target's telephone number, and emphasises that this exploitation technique is now implementable and can inform further CNE activity.
A. References
[A] iPhone Applications and Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs), [redacted], 1 October 2010
[B] CROWNPRINCE: Technique for identifying Apple UDIDs in HTTP traffic, B/7844/5001/1/105, [redacted], 22 July 2010
[C] Strategic Framework Task 4138585, Report No. 72/09/R/416/C, Roke, Issue 1, 2nd
[D] The Good Penetration Guide, [redacted]
[E] Current SEPP targets, [redacted]
[F] iPhone target list, [redacted]
B. Background
Every Apple device (iPhone, iPad, iPod touch) has a unique hardware identifier, the Apple UDID. The UDID is a 40-character hexadecimal string (160 bits) and appears to be a SHA-1 hash over the IMEI, serial number, and Bluetooth and Wi-Fi MAC addresses. Application developers use the UDID to identify devices. As highlighted in [A], UDIDs appear in the traffic of many applications and can therefore be used to track targets or to associate them with other personal identifiers.
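The following Python example is added by the editor and is not code from the report. It shows how a UDID of this era is formed from the four hardware identifiers and, picking up the conclusion's point that the hash cannot simply be reversed, what the SHA-1 actually protects: when three of the four inputs are already known (as they would be once an endpoint or the phone itself has been exploited) and the fourth has a constrained format, the "unknown" can be recovered by enumeration. The concatenation order serial + IMEI + Wi-Fi MAC + Bluetooth MAC is the widely reported construction and is treated here as an assumption; the sample serial, IMEI and MAC addresses are constructed and belong to no real device.

```python
"""Added example (not from the report): how an Apple UDID of this era is
formed and what the SHA-1 does and does not hide.

Assumptions: the concatenation order serial + IMEI + Wi-Fi MAC +
Bluetooth MAC is the widely reported construction, MACs are lowercase
colon-separated, and the sample identifiers are constructed."""
import hashlib
import itertools
import re
import string
from typing import Iterable, Optional

HEX40 = re.compile(r"[0-9a-f]{40}")
# Character set assumed for the unknown tail of a serial number.
SERIAL_ALPHABET = string.digits + string.ascii_uppercase


def compute_udid(serial: str, imei: str, wifi_mac: str, bt_mac: str) -> str:
    """SHA-1 over the concatenated identifiers, as 40 lowercase hex characters."""
    material = f"{serial}{imei}{wifi_mac}{bt_mac}".encode("ascii")
    return hashlib.sha1(material).hexdigest()


def is_udid(token: str) -> bool:
    """Syntactic check only: exactly 40 hex characters, any case."""
    return HEX40.fullmatch(token.lower()) is not None


# Constructed sample identifiers (not a real device).
SAMPLE_SERIAL = "C39K8P0V1ZZ7"
SAMPLE_IMEI = "490154203237518"
SAMPLE_WIFI_MAC = "00:1e:c2:9e:28:6b"
SAMPLE_BT_MAC = "00:1e:c2:9e:28:6c"
SAMPLE_UDID = compute_udid(SAMPLE_SERIAL, SAMPLE_IMEI, SAMPLE_WIFI_MAC, SAMPLE_BT_MAC)


def enumerate_serials(known_prefix: str, unknown_len: int,
                      alphabet: str = SERIAL_ALPHABET) -> Iterable[str]:
    """Candidate serials: a known prefix plus every combination for the unknown tail."""
    for tail in itertools.product(alphabet, repeat=unknown_len):
        yield known_prefix + "".join(tail)


def recover_serial(udid: str, imei: str, wifi_mac: str, bt_mac: str,
                   candidates: Iterable[str]) -> Optional[str]:
    """Guess-and-hash: the candidate serial that reproduces `udid`, or None.

    Preimage resistance of SHA-1 is irrelevant when the only unknown input
    is small enough to enumerate; a wrong IMEI or MAC makes every guess fail."""
    target = udid.lower()
    for serial in candidates:
        if compute_udid(serial, imei, wifi_mac, bt_mac) == target:
            return serial
    return None


if __name__ == "__main__":
    print("UDID:", SAMPLE_UDID, "valid syntax:", is_udid(SAMPLE_UDID))
    found = recover_serial(SAMPLE_UDID, SAMPLE_IMEI, SAMPLE_WIFI_MAC, SAMPLE_BT_MAC,
                           enumerate_serials("C39K8P0V1", 3))
    print("serial recovered from a 36^3 candidate space:", found)
```

The 36^3 candidate space in the usage is tiny; the point is that the cost of inverting the UDID is set by the entropy of whatever input is still unknown to the attacker, not by SHA-1.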
Over the last year the Mobile Theme increased its investment in research on iPhone applications and metadata analysis. Following that work, [redacted] [C] completed a detailed report in October 2009, and ICTR-MCT [B] developed 29 SEM rules with which iPhone metadata, in particular the UDID, can be extracted from the traffic of a large number of applications. GTE (Global Telecoms Exploitation), GCHQ's global telecommunications exploitation department, is currently developing TDI (Target Detection Identifier) rules so that the MVR system can in future extract UDID events from bearers. The extracted events are used for research; they can be queried in Query Focused Datasets (QFDs) such as MUTANT BROTH and AUTOASSOC, and will ultimately form the basis for mobile device association in HARD ASSOC.
Initially, the CNE/TECA mobile exploitation teams joined forces to exploit the iPhone. The exploitation is achieved during synchronisation between the target phone and an already-exploited endpoint. This succeeded against the BROKER target, and SMS messages, call history and contacts were extracted. After this first success, CNE and SD began looking for other SEP endpoints that might synchronise with an iPhone.
HANDEX 2010 (the handset exploitation workshop) was held in 2010. Participants investigated potential vulnerabilities in different parts of the iPhone operating system. Using a publicly available (open-source) PDF vulnerability in the Safari browser, the CNE/TECA mobile team implanted WARRIORPRIDE on the target phone and exploited it successfully. Further investigation, contact and test results with the QUANTUM team confirmed that the implant can be deployed against iPhone targets via QUANTUM.
C. Analysis
CNE endpoints
Part of the SD mobile exploitation theme is identifying endpoint devices that synchronise with an iPhone. CNE and TAO surveyed all target endpoints, scanning them for the relevant iPhone registry entries. Scanning the registry keys of all SEPs held by CNE revealed nine CNE endpoints that may have synchronised with an iPhone. The UDIDs were extracted from the registry keys and run through MUTANT BROTH and AUTOASSOC; passive collection then found six of them with iPhone Safari user agents or iPhone mail-client associations.
One CNE endpoint operation against [redacted] (ABSOLINEEPSILON) gave access to the Windows endpoint [redacted]. Scanning the device's registry keys yielded the UDID [redacted]. The results showed this UDID appearing alongside both the AdMob SEM rule type and the Apple-IMEI-URI TDI type. AdMob is the world's largest mobile advertising network; it lets application publishers embed advertisements and earn revenue from different brands. The target's iPhone OS version is 3_0, as shown in the figures below.
Figure 1. MUTANT BROTH matching identifiers
Figure 2. Target's iPhone UDID user-agent profile
The target UDID can be used to track the iPhone found via the ABSOLINEEPSILON endpoint. In this particular case the target UDID had been seen 16 times; the most recent sighting was on 24 October 2010 from IP address [redacted], where the user accessed a Yahoo account through the built-in iPhone mail client, as shown in Figure 3. In this example the EAUTO_Apple-imei-URI TDI rule extracts the exact UDID value.
Figure 3. iPhone mail client user agent
Figure 4. iPhone AdMob user-agent profile
The UDIDs of all six targets were run through AUTOASSOC; the result for [redacted] is shown in Figure 5. There is a clear association with the [redacted] Yahoo Y-cookie.
Figure 5. AUTOASSOC results for ABSOLINEEPSILON
The IP addresses, identifier types, bearers and user-agent types of all six targets were extracted to lay the groundwork for further development. The AUTOASSOC run on the six UDIDs produced two high-scoring associations, [redacted] and [redacted], whose accuracy was confirmed in discussion with [redacted]. A BROADOAK tasking check shows that both targets have a confirmed association with an assigned iPhone IMEI.
A recent re-scan of all currently active CNE SEPs concluded that only five of the nine identified CNE endpoints remain available for exploitation; the other four implants have been removed. Four of the five UDIDs return recent UDID associations in passive collection. These are documented in detail in the iPhone target list [F].
Analysis of all TAO SEPs identified 116 UDIDs, 15 of which are associated with an iPhone user agent. The identifier types obtained, project names, case IDs and recorded IP addresses are fully documented in the iPhone target list [F]. Four of the UDIDs have a Cydia user agent (Figure 6), indicating that the target phone has been jailbroken; all four endpoints are located in [redacted].
Figure 6. Jailbroken iPhone user agent in MUTANT BROTH
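The following Python example is added by the editor and is not code from the report or from CROWNPRINCE [B]. It implements the kind of identification described above for the ABSOLINEEPSILON case (a UDID carried in an AdMob request and in mail-client traffic, with the iPhone OS version read from the Safari user agent) and for the TAO endpoints (a Cydia user agent as the jailbreak indicator), and flags the OS versions that section D records as exploitable. The tab-separated record format, the hostnames, the query-parameter names, the Cydia user-agent string and the UDID values are all constructed; the Safari and iPhone Mail user-agent shapes follow the real ones of the period.

```python
"""Added example (not from the report): CROWNPRINCE-style spotting of UDIDs
in HTTP request records, with the user-agent checks used in the analysis
(iPhone OS version from Safari, the iPhone Mail client, and a Cydia user
agent as the jailbreak indicator).

Assumptions: the tab-separated record format, hostnames, query parameter
names, the Cydia user-agent string and the UDID values are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# A bare 40-hex-character token, not part of a longer hex run (e.g. a 48-hex blob).
UDID_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")
# Safari-based agents carry "CPU iPhone OS 3_1_2 like Mac OS X".
IOS_VERSION_RE = re.compile(r"CPU (?:iPhone )?OS (\d+(?:_\d+)*)")
# Versions the report records as successfully exploited (Table 1, section D).
EXPLOITABLE_VERSIONS = {"3_1_2", "3_1_3", "4_0_1"}


@dataclass
class Sighting:
    udid: str
    ip: str
    timestamp: str
    host: str
    os_version: Optional[str]
    source: str  # admob | mail | cydia | safari | other


def ios_version(user_agent: str) -> Optional[str]:
    m = IOS_VERSION_RE.search(user_agent)
    return m.group(1) if m else None


def classify_agent(user_agent: str, host: str) -> str:
    if "Cydia" in user_agent:            # jailbreak package manager
        return "cydia"
    if user_agent.startswith("iPhone Mail"):
        return "mail"
    if "admob" in host:                  # ad-network request from inside an app
        return "admob"
    if "Safari/" in user_agent:
        return "safari"
    return "other"


def udid_candidates(url: str, user_agent: str) -> List[str]:
    """40-hex tokens in the URL path, any query value, or the user agent."""
    parts = urlsplit(url)
    fields = [parts.path, user_agent]
    for values in parse_qs(parts.query).values():
        fields.extend(values)
    return sorted({m.lower() for f in fields for m in UDID_RE.findall(f)})


def extract_sightings(lines: List[str]) -> List[Sighting]:
    out = []
    for line in lines:
        ip, ts, _method, url, ua = line.split("\t")
        host = urlsplit(url).hostname or ""
        for udid in udid_candidates(url, ua):
            out.append(Sighting(udid, ip, ts, host, ios_version(ua), classify_agent(ua, host)))
    return out


def summarise(sightings: List[Sighting]) -> Dict[str, dict]:
    """One profile per UDID: IPs, OS versions, sources, last seen, jailbreak/exploitable flags."""
    profile: Dict[str, dict] = {}
    for s in sightings:
        p = profile.setdefault(s.udid, {"ips": set(), "versions": set(), "sources": set(), "last_seen": ""})
        p["ips"].add(s.ip)
        p["sources"].add(s.source)
        if s.os_version:
            p["versions"].add(s.os_version)
        p["last_seen"] = max(p["last_seen"], s.timestamp)   # ISO timestamps sort lexically
    for p in profile.values():
        p["jailbroken"] = "cydia" in p["sources"]
        p["exploitable"] = bool(p["versions"] & EXPLOITABLE_VERSIONS)
    return profile


UDID_A = "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"   # constructed
UDID_B = "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c"   # constructed
SAFARI_3_0 = "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Mobile/7A341"
SAFARI_3_1_2 = "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_2 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7D11 Safari/528.16"
SAFARI_4_0_1 = "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7"

# Constructed records: client IP, timestamp, method, URL, user agent.
SAMPLE_LOG = [
    f"203.0.113.7\t2010-10-24T11:02:13\tGET\thttp://r.admob.example/ad?u={UDID_A}&s=a1b2c3\t{SAFARI_3_0}",
    f"203.0.113.7\t2010-10-24T11:05:40\tGET\thttp://mail.example/sync?device={UDID_A}\tiPhone Mail (7A341)",
    f"198.51.100.23\t2010-10-25T09:15:00\tGET\thttp://m.example/app?udid={UDID_B}\t{SAFARI_3_1_2}",
    f"198.51.100.23\t2010-10-25T09:20:00\tGET\thttp://apt.example/dists/?udid={UDID_B}\tCydia/1.0 CFNetwork/459 Darwin/10.0.0d3",
    # 32-hex session id and a 48-hex blob: neither must be mistaken for a UDID.
    f"192.0.2.5\t2010-10-26T08:00:00\tGET\thttp://www.example/?sid={'0123456789abcdef' * 2}&blob={'ab' * 24}\t{SAFARI_4_0_1}",
]


def profile_sample() -> Dict[str, dict]:
    return summarise(extract_sightings(SAMPLE_LOG))
```

On the sample records UDID_A is profiled as a non-jailbroken 3_0 device seen via AdMob and the mail client, and UDID_B as a jailbroken 3_1_2 device, i.e. one of the versions the QUANTUM/PDF chain in section D applies to; the fifth record yields no sighting because the bare-token guard rejects hex runs of the wrong length.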
These 15 TAO UDIDs were run through AUTOASSOC, giving three good associations with Yahoo selectors: [redacted], [redacted] and [redacted]. These in turn verify a correct association with the TAO target endpoints, and two of them are related to the target iPhone's IMEI. In addition, analysis of Yahoo mail used through Safari clearly shows the UDID being transmitted in the traffic.
Among these TAO endpoints, SOLARSHOCK116 ([redacted], Iran) was observed to synchronise with the iPhone UDID [redacted], which AUTOASSOC associates with [redacted] and [redacted]. This UDID was last seen on 23 October 2010 at 03:46:36.
Figure 7. SOLARSHOCK1 UDID AUTOASSOC association
QUANTUM exploitation
With extensive testing of QUANTUM tipping and redirection to the exploitation server complete, the next development step for the joint CNE/TECA mobile exploitation team was to identify iPhone targets recently active with a suitable user agent. A three-week batch BLACKHOLE extraction by ICTR produced a large number of iPhone targets, and XKEYSCORE queries pointed to further targets. The remaining results were discussed and disseminated with the various IPTs, and two were also passed on through TAO contacts.
All 44 selectors were checked to verify that a correct user agent exists: 41 Yahoo selectors and 3 Gmail selectors. As shown in Figure 8, 26 have valid iPhone Safari user agents. Table 1 summarises the target phones' OS versions; the versions that have been successfully exploited, 3_1_2, 3_1_3 and 4_0_1, are highlighted in red. In all 26 cases the target analysts had obtained detailed information about the target iPhone user.
Table 1. iPhone target OS overview
For example, the target with the Yahoo selector
Figure 8. Valid iPhone Safari user agents in MB ([redacted])
The target selector is a target that is
To discover all potential OS versions associated with a selector, further MUTANT BROTH, AUTOASSOC and MARINA queries were run on all target selectors that have Safari user agents. The MARINA profile query returns the OS version in the MachineID field. The user agent queried, the time/date, bearer, IP address and other associated selectors are listed in the iPhone target list [F]. Associated selectors come either from MUTANT BROTH or AUTOASSOC, or are stated directly in BROADOAK. As shown in Figure 8, all Yahoo B-cookies were run through MUTANT BROTH to verify a unique match between the iPhone and the target's Yahoo selector.
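The following Python example is added by the editor and is not AUTOASSOC or any other tool named in the report. It illustrates the association step used throughout section C, where a UDID is linked to Yahoo Y/B cookies and scored: identifiers seen from the same client IP within a short time window are paired, the score counts distinct sessions rather than raw hits, and IPs that carry too many identifiers (NAT gateways, proxies) are discarded because they would otherwise produce the spurious links a practitioner has to guard against. The events, cookie values, IP addresses, window and threshold are all constructed assumptions.

```python
"""Added example (not from the report): an AUTOASSOC-style co-occurrence
scorer linking a UDID to other selectors (Yahoo Y/B cookies) seen from
the same client IP within a time window.

Assumptions: the events, cookie values, IP addresses, window length and
noisy-IP threshold are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

UDID_1 = "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"   # constructed
UDID_2 = "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c"   # constructed

# Constructed passive-collection events: timestamp, client IP, identifier type, value.
EVENTS = [
    ("2010-10-24T11:02:13", "203.0.113.7", "udid", UDID_1),
    ("2010-10-24T11:02:40", "203.0.113.7", "yahoo-Y", "Y1"),
    ("2010-10-24T11:03:05", "203.0.113.7", "yahoo-B", "B1"),
    ("2010-10-25T09:15:00", "198.51.100.23", "udid", UDID_1),
    ("2010-10-25T09:15:30", "198.51.100.23", "yahoo-Y", "Y1"),
    ("2010-10-25T09:16:00", "198.51.100.23", "yahoo-Y", "Y2"),
    ("2010-10-25T09:40:00", "198.51.100.23", "yahoo-Y", "Y1"),   # outside the window
    ("2010-10-26T20:00:00", "192.0.2.99", "udid", UDID_1),        # shared gateway
    ("2010-10-26T20:00:10", "192.0.2.99", "udid", UDID_2),
] + [("2010-10-26T20:0%d:20" % i, "192.0.2.99", "yahoo-Y", "Y%d" % (i + 3)) for i in range(7)]

Pair = Tuple[str, str]   # (udid, "type:value")


def associate(events: List[Tuple[str, str, str, str]],
              window: timedelta = timedelta(minutes=10),
              max_ids_per_ip: int = 6) -> Tuple[Dict[Pair, int], Set[str]]:
    """Score = number of distinct (ip, day) sessions in which the UDID and the
    selector were seen within `window` of each other.  IPs carrying more than
    `max_ids_per_ip` distinct identifiers are treated as shared and skipped."""
    by_ip: Dict[str, list] = defaultdict(list)
    for ts, ip, kind, value in events:
        by_ip[ip].append((datetime.fromisoformat(ts), kind, value))
    sessions: Dict[Pair, set] = defaultdict(set)
    noisy: Set[str] = set()
    for ip, evs in by_ip.items():
        if len({(k, v) for _, k, v in evs}) > max_ids_per_ip:
            noisy.add(ip)
            continue
        udids = [(t, v) for t, k, v in evs if k == "udid"]
        others = [(t, k, v) for t, k, v in evs if k != "udid"]
        for t_u, udid in udids:
            for t_o, kind, value in others:
                if abs(t_u - t_o) <= window:
                    sessions[(udid, f"{kind}:{value}")].add((ip, t_o.date()))
    return {pair: len(s) for pair, s in sessions.items()}, noisy


def rank(scores: Dict[Pair, int], udid: str) -> List[Tuple[str, int]]:
    """Associations for one UDID, best score first (ties by selector name)."""
    hits = [(sel, n) for (u, sel), n in scores.items() if u == udid]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def run_sample() -> Tuple[Dict[Pair, int], Set[str]]:
    return associate(EVENTS)


if __name__ == "__main__":
    scores, noisy = run_sample()
    print("noisy IPs skipped:", noisy)
    for sel, n in rank(scores, UDID_1):
        print(UDID_1, "->", sel, "score", n)
```

On the sample data UDID_1 is linked to the Yahoo Y-cookie Y1 with a score of 2 (two separate sessions on different IPs and days) and to B1 and Y2 with a score of 1 each, while the gateway IP is skipped; raising the threshold to include it would falsely tie both UDIDs to every cookie that happened to cross that IP, which is why the strong associations reported in this section needed confirmation against BROADOAK and the target teams.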
D. Operational results
QUANTUM redirection and the PDF Safari browser exploit are used against the 3_1_2, 3_1_3 and 4_0_1 iPhone OS versions. Five of the 26 targets with valid, exploitable OS versions were added to the QUANTUM system for targeting.
After notification, GCHQ EPT had two options: (1) add the targets to the existing CNE Section 7 warrant [E]; (2) further develop the targeting assistance section [D] and write the appropriate warrant content. The updated Section 7 warrant was approved and signed off by the CNE Legal team. After the three NSA targets were discovered, CNE Legal added them to the cooperation agreement form to permit exploitation.
Initially, both the
Analysis and warrant work on the other five targets has been completed. On 30 October the QUANTUM redirection and PDF exploitation for
In July a redirection to [redacted] was successfully carried out; however, the phone's firmware version could not be verified, presumably because JavaScript was disabled. The initial firmware investigation was dropped after discussion with CNE. The iPhone target has not been active recently and cannot be exploited. The other two QUANTUM targets were not seen in collection.
Currently four CNE SEPs have been found with recently synchronised iPhone targets; the most recent was seen on 29 September 2010. These targets are being monitored by CNE. When the iPhone next synchronises with an existing SEP device, a SLIDE program that enables WARRIORPRIDE implantation will be installed.
E. Conclusion
By analysing the associations between target device UDIDs, known target Yahoo selectors and passively collected information, the UDID can be used to associate an iPhone with the endpoint it synchronises with and with tasked Yahoo selectors. The UDID can be used to track the target iPhone in near real time. In theory it can also serve as a selector for QUANTUM events where traditional selectors such as Yahoo Y/B cookies are unavailable. UDIDs can of course also be used for application exploitation, a smaller but noteworthy use.
Currently there is no way to reverse the SHA-1 hash in a UDID to recover the IMEI, MAC addresses or serial number; this rests on the preimage resistance of SHA-1, and so holds only as long as the unknown inputs cannot simply be enumerated.
The next step, already started, is to identify targets suitable for QUANTUM exploitation. Development and monitoring of the identified targets is ongoing. Searching for the associated IMEI helps identify the target's firmware for exploitation.
CNE is currently running a monthly survey of the registry entries of all target devices for iPhone UDIDs. A similar tipping mechanism across all stores requires an XKS workflow. We hope to add further targets for QUANTUM exploitation in future, or to find further targets on new CNE SEPs, so as to exploit the target phones successfully.
F. Future work
A large number of iPhone targets can be identified by analysing the three PRESTON paths. After extracting the appropriate UDID and iTunes X-DSID values, at least three sets of targets must be developed. To track these endpoints successfully, CNE obtains the path and finds the target iPhone. The Section 5 warrant should be written up accordingly.
The next step is redirection and exploitation via the WHIPSAW server by BSS and TECA. Direct iPhone implantation should be possible in the next few months; however, WHIPSAW exploitation can only be achieved on ADSL lines.
SLIDE needs to be implanted automatically on the iPhone. The process is still manual and requires a CNE operator to be connected to the endpoint at the moment the iPhone synchronises with it.
A large number of iPhone TDIs need to be written up in preparation for a QFD (Query Focused Dataset) that associates them with other target selectors for subsequent event correlation, which also makes further near-real-time tracking of target identifiers possible.
Appendix A
Analyst targeting assistant
Appendix B
[redacted] search for the Glass iPhone directory structure
[redacted] returned files