Apple Watch 2 MITM stealing

30 Posts
4 Users
0 Likes
2,211 Views
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Trying to replace a broken (usually the flex cable) Home Button Assembly with Touch ID (iPhone 5S and up), we see attempts to break in. Connecting TO (C) or NOT (N) to iTunes is essential (part 1). SIGNED IN (SI) or SIGNED OUT (SO) (button 'Sign in' visible) also (part 2). The Apple servers behind the Activation Lock Service (Find my iPhone) are (part 3). Consider in part 1 not only the USB-to-Lightning cable but also the Over-The-Air (OTA) possibility to connect. We add on thinking 3 states of device status: NewBorn (NB) means sealed and unused; Used (U) includes in use, used, or shut off for a long time; ReNewBorn (RNB) is the state of a reset device ('erase all content and settings', 2nd button from top). In the lab we observed a constellation of N, SO (result of N) of an RNB accepting a replacement Touch ID to unlock the phone. The device before was Touch ID locked.

So far so complex.

To visualize the possible constellation setups, we found that we need a visualization tool to design the test procedure of all possible combinations.

Before continuing, one thing to think of: Mobile Payment (several on the market, but focusing on the looming ApplePay in Europe). Breaking the security of Touch ID and fingerprints is interesting.

Question: Who is interested to start a shared platform for Triple-I (3I) including iPhone, AppleWatch and ApplePay testing and discussions? As this is close to CashCrime, it is essential to keep outside criminals from learning from this subject.

Why all this? Obfuscating a stolen device and being able to pay is a crime to enforce.

Ready to start firing 😉

RoGu

 
Posted : 08/01/2016 11:51 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Upd: Suspects do everything to hide. Mobile Broadbands are highly observed by Lawful Interception (LI function, 3GPP TS 23.271). Breaking into secured Wi-Fis or stealing and misusing stuff to hide is a form of this. The more interception, the more misuse of innocents. The 3I project, in short 'steal, break & pay', focuses strongly on misuse of connectivity (SIMs often fast blocked but Wi-Fi still able) and money laundering (in the form of bank accounts or debit/credit card misuse). AppleWatch2 comes in March (macrumors, appleinsider, 9to5mac).

Highly prepared crime uses few hours to jump in and succeed. Users do not realize what's going on. But we LEs have to know.

Who joins the gang? Only collab-based will succeed. Come-on Geeks -)

RoGu

 
Posted : 10/01/2016 11:17 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Upd: Got helpful advice that my first post is not understandable.

On an iPhone 6S the home button assembly was replaced. The owner before had Touch ID (fingerprint) enabled to unlock the device. After replacing it, the device could be unlocked without Touch ID - which I confess sounds weird.

Theoretically not possible by design of Apple. But a real case observed. To figure out how this could happen I kindly ask iOS crypto guys to help me. By design Touch ID and A8 (or up) are 'married for life'.

So just discussing the possibility if this really can be is helpful. As we did not test structured but observed the case, we are not able to replay the break.

Always open for refining and learning -))

 
Posted : 11/01/2016 1:40 pm
(@jjh2320)
Posts: 21
Eminent Member
 

Hi RoGu,

Your post makes for an interesting read, however, I am still a little unclear as to what you mean exactly when you say

"After replacing the device could be unlocked without Touch ID"

Do you mean there was no longer a lock on the device at all? As if there was no lock in the first place?

Thanks,

JJH

 
Posted : 11/01/2016 7:27 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

After changing the home button assembly the iPhone 6S was unlockable WITHOUT fingerprint (Touch ID). Before it was locked WITH fingerprint.

It cannot be real to overcome the fingerprint security element by replacing the home button assembly! The Touch ID is 'married' with the A8 by design.

 
Posted : 11/01/2016 10:39 pm
(@badgerau)
Posts: 96
Trusted Member
 

Hi,

Thanks for your post. I am interested in this approach, but for clarification purposes can you confirm if my understanding of your approach is correct?

You have an Apple iPhone 6s which is locked with Touch ID, and you do not know the password or PIN code to bypass the Touch ID.

You physically replaced the TouchID sensor yourself, which unlocked the phone, allowing you access to the data. Is this correct?

Thanks

 
Posted : 13/01/2016 6:02 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

#badgerau correct. Let's, for mutual understanding, define the elements as follows: a) The physical home button assembly consists of 4 parts: sapphire crystal (glass) - where the finger touches; steel detection ring; Touch ID sensor (electronic sensor, sandwiched, not physically touched by the finger; think of a kind of scanner sensor through the crystal); tactile switch (provides the common 'home button' function - the 'click'). The whole of this is called 'home button assembly' and is available as a spare part. Apple announced that the Touch ID in the 6S line is improved and is version 2 of Touch ID.

It's about Touch ID v2 - not backwards v1 built into older devices. So it's all about 6S devices.

The Touch ID takes the fingerprint receipt, which gets hashed and stored locally in the Secure Enclave (located within a zone on the A7 and A8, ref. forums.macrumors.com/threads/offline-apple-pay.1847591 post of 'kdarling' Feb 17, 2015 – guess in iPhone 6S with its A9 CPU it's the same, as the security architecture (I guess?) did not change) #good graphic there!#.

RoGu

 
Posted : 13/01/2016 4:49 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

You mean this one?
http://forums.macrumors.com/threads/offline-apple-pay.1847591/#post-20722632

For mutual understanding, let's use a picture
https://www.ifixit.com/Teardown/iPhone+6s+Teardown/48170

We are talking of this thingy here, right?

jaclaz

 
Posted : 13/01/2016 5:57 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

exactly, thanks for the link and pics

RoGu

 
Posted : 13/01/2016 6:32 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Good. )

This behaviour, once confirmed, gives a whole new meaning to the sentence
https://www.replacebase.co.uk/iphone-6-replacement-home-button-assembly-flex-champaign-gold-original-6865/

"Original iPhone 6 and 6 Plus home button flex with Touch ID sensor

Please note, due to the nature of the parts security the Touch ID feature won't function due to the parts being paired with your phone's motherboard - this will only function as the home button until a fix has been released to enable the Touch ID"

jaclaz

 
Posted : 13/01/2016 10:48 pm
Page 1 / 3