Slide 1: DISCOVERING AND EXPLOITING NOVEL SECURITY VULNERABILITIES IN APPLE ZEROCONF
Xiaolong Bai, Luyi Xing (co-first authors), Nan Zhang, XiaoFeng Wang, Xiaojing Liao, Tongxin Li, Shi-Min Hu
Tsinghua University, Indiana University Bloomington, Georgia Institute of Technology, Peking University

Slide 2: Who are we?
• System Security Lab, Indiana University Bloomington
  – Focus on novel problems in system security
  – High-impact publications on IEEE S&P, ACM CCS, Usenix Security, NDSS
  – http://sit.soic.indiana.edu/en/
• Our advisor: Prof. XiaoFeng Wang
  – Top 10 authors on leading security venues for the past 10 years
  – http://www.informatics.indiana.edu/xw7/

Slide 3: Who are we?
• We have two talks at Black Hat USA 2016
  – Luyi Xing and Xiaolong Bai, DISCOVERING AND EXPLOITING NOVEL SECURITY VULNERABILITIES IN APPLE ZEROCONF, August 4, Jasmine Ballroom, 12:10-13:00
  – Nan Zhang, DANGEROUS HARE: HANGING ATTRIBUTE REFERENCES HAZARDS DUE TO VENDOR CUSTOMIZATION, August 4, South Seas GH, 17:00-17:25

Slide 5: ZeroConf
• Zero Configuration Networking
• Automatically configures a usable computer network
  – No manual configuration
  – No specific configuration server
• Designed to reduce users' burden
  – Setting up a new network
  – Using a new service

Slide 6: ZeroConf
• Bonjour protocol
  – zero-configuration networking over IP that Apple has submitted to the IETF
• Goals:
  – With little or no configuration
  – add devices/services to a local network
  – Existing devices can automatically find and connect to those new devices/services

Slide 7: Bonjour
• Administrators
  – no need to assign IPs, hostnames, or service names to network services (e.g., a printer)
• When using a service, users simply
  – ask to see what network services are available
  – and choose from the list of automatically discovered services

Slide 8: How about a traditionally configured network?

Slides 9-10: Traditionally
✔ Must configure:
  – IP
  – Printer name, e.g., lh135-soic.ads.iu.edu
  – DNS server

Slide 11: Features of Bonjour
1. Service configures itself
  – IP, hostname, service instance name
2. Clients automatically discover available services
  – No pre-knowledge of the service's name, hostname or IP

Slide 12: Outline
1. ZeroConf Concept
2. So, how?

Slide 13: Features of Bonjour (repeated from slide 11)

Slide 14: Add a new printer to a network

Slides 15-20: A printer configures itself
  – "Is anybody using IP fe80::abcd:1234...?" No? Great, I'll take it.  → IP: fe80::abcd:1234
  – "Anybody using hostname HP9FE5.host.local?" No? Wonderful, I'll take it.  → Hostname: HP9FE5.host.local
  – "Anybody having a printing service named HP-Service-9FE5?"  → Service Instance Name: HP-Service-9FE5
  A printer finishes configuring itself:
    IP: fe80::abcd:1234
    Hostname: HP9FE5.host.local
    Service Instance Name: HP-Service-9FE5

Slide 21: Features of Bonjour
1. Service configures itself
  – IP, hostname, service instance name
2. Clients automatically discover available services
  – No pre-knowledge of the service's name, hostname or IP
Two phases: Discovery and Resolution

Slide 22: Automatically find the printer: Discovery
  Q1: Anyone has a printer service?
  A1: I have HP-Service-9FE5

Slides 23-24: Automatically find the printer: Resolution
  Q1: Anyone has a printer service?
  A1: I have HP-Service-9FE5
  Q2: So on which host is this HP-Service-9FE5?
  A2: It's on host HP9FE5.host.local
  Q3: What is the address of HP9FE5.host.local?
  A3: Its address is fe80::abcd:1234

Slides 25-26: Added/Saved the printer to your list
  IP: fe80::abcd:1234
  Hostname: HP9FE5.host.local
  Service Instance Name: HP-Service-9FE5
  Apple: Applications store service instance names, so if the IP, port, or hostname changed, the application can still connect.

Slide 27: Service instance name HP-Service-9FE5 is saved
  IP: fe80::abcd:1234
  Hostname: HP9FE5.host.local
  Service Instance Name: HP-Service-9FE5
  Saved printer = a printer who owns service name HP-Service-9FE5

Slide 28: Adversary Model
• On a device (malware infected) in your local network
• Aims to intercept secrets/files transferred between uninfected devices

Slide 29: Adversary Model
• Your Mac/printer are uninfected
• Steal your printing documents?

Slides 30-31: Outline
1. ZeroConf Concept
2. ZeroConf How
3. ZeroConf Breaking – Printer – Case 1: Attack Bonjour

Slide 32: Attack Bonjour
• Two examples
  • Printer
    – Printers using Bonjour
  • PhotoSync
    – Synchronizing photos between Mac and iPhone using Bonjour
• Not an application-specific or service-specific problem
  – Vulnerabilities in the design of the Bonjour protocol

Slides 33-35: A device infected by malware
  Saved printer: IP / Hostname / Service Instance Name: HP-Service-9FE5
  Infected device: "I have a printing service instance named HP-Service-9FE5"
  (the real printer's Service Instance Name HP-Service-9FE5 is crossed out)

Slide 36: Saved printer = a printer who owns service name HP-Service-9FE5
  Real printer: New Service Name: HP-Service-9FE5 (2)  (its original Service Instance Name HP-Service-9FE5 is crossed out)

Slide 37: Why does it happen?
Three changing attributes:
  – IP
  – Hostname
  – Service Instance Name
Apple: Applications store service instance names, so if the IP, port, or hostname changed, the application can still connect.

Slide 38: Lack of authentication
Three changing attributes:
  – IP
  – Hostname
  – Service Instance Name
• Anyone can claim any value of the three attributes
• The protocol only guarantees no duplicates.

Slide 39: If not saving service instance names, is it secure enough?
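The point of slides 37-38 is that Bonjour guarantees uniqueness of the three attributes but not who may claim them. One thing a defender on the link can still do is watch for the attack pattern itself: a name bound to different values by different responders, or one instance name announced by two responders. The Python below is an added example, not code from the talk; the Record tuples, addresses and service types are constructed to mirror the printer and PhotoSync scenarios in the deck.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Record(NamedTuple):
    responder: str  # source address of the answer (constructed sample values)
    kind: str       # "PTR": service type -> instance, "SRV": instance -> host, "A": host -> address
    name: str       # the name being bound
    value: str      # the value claimed for that name


def detect_conflicts(records: List[Record]) -> List[Dict[str, object]]:
    """Flag the two patterns from the talk without trusting any responder:
    - "divergent": one (kind, name) bound to different values by different
      responders (spoofed hostname / address answers during resolution);
    - "duplicate": one service instance announced by more than one responder
      (the printer's instance name claimed by an infected device).
    A single responder changing its own answer over time is not reported."""
    bound: Dict[Tuple[str, str], Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    announced: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        bound[(r.kind, r.name)][r.value].add(r.responder)
        if r.kind == "PTR":
            announced[r.value].add(r.responder)
    findings: List[Dict[str, object]] = []
    for (kind, name), by_value in bound.items():
        responders = set().union(*by_value.values())
        if len(by_value) > 1 and len(responders) > 1:
            findings.append({"type": "divergent", "kind": kind, "name": name,
                             "claims": {v: sorted(w) for v, w in by_value.items()}})
    for instance, who in announced.items():
        if len(who) > 1:
            findings.append({"type": "duplicate", "kind": "PTR", "name": instance,
                             "responders": sorted(who)})
    return sorted(findings, key=lambda f: (f["type"], f["name"]))


# Constructed answers mirroring the slides (not captured traffic): the PhotoSync
# resolution is answered by the real server and by a spoofing device, and the
# printer's instance name is announced by the printer and by an infected device.
SAMPLE = [
    Record("192.168.0.1",     "PTR", "_photosync._tcp.local", "abcd"),
    Record("192.168.0.1",     "SRV", "abcd", "Macbook.local"),
    Record("192.168.0.100",   "SRV", "abcd", "Mallory.local"),          # spoofed hostname
    Record("192.168.0.1",     "A",   "Macbook.local", "192.168.0.1"),
    Record("192.168.0.100",   "A",   "Macbook.local", "192.168.0.100"),  # spoofed address
    Record("fe80::abcd:1234", "PTR", "_ipp._tcp.local", "HP-Service-9FE5"),
    Record("fe80::bad:bad",   "PTR", "_ipp._tcp.local", "HP-Service-9FE5"),  # hijacked name
]

if __name__ == "__main__":
    for finding in detect_conflicts(SAMPLE):
        print(finding)
```

The same duplicate-claim check applies to the later cases in the deck where an identifier (an MC uniqueID or a QQ ID) is re-advertised by a second device.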
Slide 40: Attack Bonjour
• PhotoSync
  – Synchronizing photos between Mac and iPhone using Bonjour
• Not saving the service instance name
  – Client discovers and resolves the server each time

Slides 41-46: Normally (figure: Client and Server; legend: arrow style indicating broadcast)
• Discovery: Client browses for server
  Client: "Who has PhotoSync service?"
• Discovery: Server responds with service instance name
  Server: "I have. Service instance name: abcd"
• Resolution 1: Client queries for the hostname of the service
  Client: "What is the hostname of abcd?"
• Resolution 1: Server responds with the hostname
  Server: "Its hostname is Macbook"
• Resolution 2: Client queries for the address of the host
  Client: "What is the address of Macbook?"
• Resolution 2: Server responds with its address
  Server: "Its address is 192.168.0.1"

Slide 47: What Can Go Wrong?
• Another malware-infected device spoofs the client
  – Successful Man-in-the-Middle
• During Resolution
  – Service instance name to hostname
  – Hostname to address

Slides 48-51: What Can Go Wrong?
• Attack 1: service instance name to hostname
  Client: "What is the host name of service instance abcd?"
  Server: "The host name of service instance abcd is Macbook"
  Attacker: "The host name of service instance abcd is Mallory"
  Client connects to Attacker; Attacker connects to Server

Slides 52-55: What Can Go Wrong?
• Attack 2: hostname to address
  Client: "What is the address of host Macbook?"
  Server: "The address of host Macbook is 192.168.0.1"
  Attacker: "The address of host Macbook is 192.168.0.100"
  Client connects to Attacker; Attacker connects to Server

Slide 56: Demo
• https://www.youtube.com/watch?v=WUWusqgqFr0&feature=youtu.be

Slide 57: Fundamental Problem
• Lack of authentication
• Anyone can claim any value of the identification attributes
• The protocol only guarantees no duplicates, but not security.
Is it easy to provide authentication?

Slide 58: Outline
1. ZeroConf Concept
2. ZeroConf How
3. ZeroConf Breaking – Case 2: Airdrop

Slide 59: Airdrop between Apple devices
• With AirDrop, you can share photos, videos, websites, locations, and more with people nearby with an Apple device.

Slides 60-63: Attack Airdrop
  Jeff's Macbook: Q1: Anyone has an airdrop service?
  Alice's iPhone: I have a service named abcd.airdrop.service
  Jeff's Macbook: Q2: So on which host is Alice's service?
  Alice's iPhone: A2: It's on host Alices.iphone.local
  Bob's iMac: A2: It's on host Bobs.imac.local
  Result: Alice's iPhone has a service named abcd.airdrop.tcp, which is on host Bobs.imac.local

Slide 64: Does TLS help?
  Jeff's Macbook: Connect https://Bobs.imac.local
  Alice's iPhone: A2: It's on host Alices.iphone.local
  Bob's iMac: A2: It's on host Bobs.imac.local

Slides 65-66: TLS in Airdrop
  Jeff's Macbook → https://Bobs.imac.local → Bob's iMac: Server certificate issued to appleid.CDEF…
  Jeff's Macbook → https://Alices.iphone.local → Alice's iPhone: Server certificate issued to appleid.ABCD…
  So the certificate in airdrop can hardly be used for authentication.

Slides 67-68: Domain should match the certificate
  https://google.com → Certificate issued to google.com (domain and certificate match)
  https://Bobs.imac.local → Bob's iMac: Server certificate issued to appleid.CDEF…
  https://Alices.iphone.local → Alice's iPhone: Server certificate issued to appleid.ABCD…
  (the AirDrop hostnames do not match the names in their certificates)

Slide 69: What's wrong with TLS in Airdrop
• The certificate in airdrop cannot be used for authentication
  – E.g., the certificate should be issued to Alice
  – but is in fact issued to appleid.ABCD…
• The certificate should be issued to WHAT?

Slide 70: What's wrong with TLS in Airdrop
• Issue the certificate to the domain (hostname)?
  – No. A hostname may change and does not represent a user
• Issue the certificate to the user's name?
  – No. Names can be duplicated
• Issue the certificate to the user's social security number?
  – No. A social security number is too private

Slide 71: What's wrong with TLS in Airdrop
• Linking a human to her certificate is complicated
  – challenge in finding any identifiable information that is
    • well-known
    • without privacy implications
    • and unique

Slide 72: Demo
• https://www.youtube.com/watch?v=2JEJLpvnRO4

Slide 73: Technical Details
• Airdrop service daemon: /usr/libexec/sharingd
  – Responsible for the Bonjour process and the https connection
• Not the ethernet interface, but an Apple private interface
  – awdl0: Apple Wireless Direct Link
  – Device-to-device direct link

Slide 74: Technical Details
• How to work on this interface?
  – sharingd uses an Apple-private socket option SO_RECV_ANYIF (0x1104)

Slide 75: Some customized ZeroConf protocols
• FileDrop
  – TCP packets for discovery
  – elliptic curve cryptography for security
  – Failed in authentication
    • challenge in linking a human to her public key

Slide 76: Outline
1. ZeroConf Concept
2. ZeroConf How
3. ZeroConf Breaking – Case 3: Apple's vulnerable framework

Slide 77: Apple's vulnerable framework
• Multipeer Connectivity (MC)
  – A framework for automatic service discovery between nearby devices across Wi-Fi and Bluetooth without configuration
• Object to identify each app: peerID
  – displayName (public) & uniqueID (private)

Slides 78-79: Normally
• Automatic Service Discovery Without Configuration
  – Servers advertise peerIDs; Client browses peerIDs (shows displayName)
  Server 1: peerID displayName: Alice, uniqueID: 8573a
  Server 2: peerID displayName: Bob, uniqueID: 6c5b3
  Client sees: Alice, Bob

Slides 80-82: Normally
• Even if servers have the same displayName
  – uniqueIDs generated by MC will always be different
  Server 1: peerID displayName: Alice, uniqueID: abcde
  Server 2: peerID displayName: Alice, uniqueID: 54321
  Client sees: Alice, Alice

Slides 83-86: What Can Go Wrong?
• Attacker acts as both client and server
  – Browse and acquire the peerID object from the victim server (Server: peerID displayName: Alice, uniqueID: abcde)
  – Advertise using the same peerID object (Client&Server: peerID displayName: Alice, uniqueID: abcde)
• Client cannot distinguish because of the same uniqueID ("An update?")
• Client maps the only peer to the attacker's address (MitM)

Slide 87: Technical Details
• MitM attacker
  – First acts as a client browsing for advertising servers
  – Once a server is found, advertises using the same peerID

Slide 88: If not using peerID for identification, is it secure enough?

Slide 89: Outline
1. ZeroConf Concept
2. ZeroConf How
3. ZeroConf Breaking – Case 4: MC in QQ

Slide 90: MC in QQ Face to Face Transfer
• Popular instant messaging software in CN
  – 829 million active accounts (Wikipedia)
• Face-To-Face Transfer
  – Transfer files between nearby peers by using Multipeer Connectivity
• Not using peerID for identification
  – Customized unique QQ ID
  (figure: Send File / Recv File)

Slides 91-94: Normally
• Receiver advertises its QQ ID
  Receiver 1: "My QQ ID is 1234"; Receiver 2: "My QQ ID is 4321"; Sender: "Looking for receiver"
• Sender browses for receivers and finds their QQ IDs
  Sender: Found Receivers: QQ ID: 1234, QQ ID: 4321
• Sender connects to a receiver and gives its QQ ID
  Sender: Connect, "My QQ ID is 5678"
  Receiver: Sender Connected: QQ ID: 5678

Slides 95-100: What Can Go Wrong?
• Receiver advertises its QQ ID
  Receiver: "My QQ ID is 1234"; Sender: "Looking for receiver"; Attacker: "Looking for receiver"
• Attacker finds the victim receiver's QQ ID
  Attacker: Found Receiver: QQ ID: 1234
• Attacker advertises using the same QQ ID
  Attacker: Advertising QQ ID: 1234
• Sender finds only one QQ ID
  Sender: Found Receiver: QQ ID: 1234
• Sender connects to Attacker
  Sender → Attacker: Connect, QQ ID: 5678
• Attacker connects to Receiver using the Sender's QQ ID
  Attacker → Receiver: Connect, QQ ID: 5678

Slide 101: Demo
• https://www.youtube.com/watch?v=B71FlD3_vrc

Slide 102: Outline
1. ZeroConf Concept
2. ZeroConf How
3. ZeroConf Breaking – Case 5: Bluetooth

Slide 103: All your iOS notifications belong to me
• ZeroConf on Bluetooth: Apple Handoff
  – A service that lets iOS and OS X synchronize data through Bluetooth without configuration

Slide 104: Normally
• Handoff creates a Bluetooth channel without configuration
  – Devices logged in with the same iCloud account
  – Pairing automatically through the iCloud account

Slides 105-107: What Can Go Wrong?
• Bluetooth ZeroConf: No app-level authentication
• Apple Notification Center Service (ANCS)
  – designed for Bluetooth accessories to access notifications on iOS devices
• Through the Bluetooth channel created by Handoff

Slide 108: Demo
• https://www.youtube.com/watch?v=c5viAzAs0Uo

Slide 109: Summary of attacks
• Attacks on Apple ZeroConf channels
  – Bonjour (Printer, PhotoSync)
  – Airdrop
  – Customized ZeroConf protocols (Filedrop)
  – Multipeer Connectivity (MCBrowserViewController, QQ)
  – Handoff
• All vulnerabilities were reported to vendors, acknowledged by most vendors

Slide 110: Outline
1. ZeroConf Concept
2. ZeroConf How
3. ZeroConf Breaking
4. Impact

Slide 111: Impact
• Measurement
  – We analyzed 61 popular Mac and iOS apps working with ZeroConf
  – 88.5% are vulnerable to man-in-the-middle or impersonation attacks

  ZeroConf Channels      Vulnerable/Sampled   Sensitive Information Leaked
  Bonjour                18/22                files, directories and clipboards synced, documents printed, instant messages
  MC                     24/24                files and photos transferred, instant messages
  BLE                    10/13                Username and password for OS X
  Customized protocols   2/2                  remote keyboard input and files transferred

Slide 112: Outline
1. ZeroConf Concept
2. ZeroConf How
3. ZeroConf Breaking
4. Impact
5. Protecting ZeroConf

Slide 113: Protecting ZeroConf
• Problem: linking a human to her certificate is complicated
• Speaking out Your Certificate (SPYC)
  – Voice biometrics ties the certificate to an identity

Slide 114: Speaking Out Your Certificate
  Hash h → keep the nk most significant bits → partition into k n-bit segments Δ1||Δ2||…||Δk → <w1, w2, …, wk>: word list linking to the certificate

Slide 115: Protecting ZeroConf
• Challenge: linking a human to her certificate
• Speaking out Your Certificate (SPYC)
  – Voice biometrics ties the certificate to an identity
  – Human Subject Study: convenient and effective

Slide 116: Conclusion
• Apple's ZeroConf techniques are not as secure as expected
  – The usability-oriented design affects security
• Addressing such security risks is nontrivial
  – Challenge in binding a human to her certificate
• Our Defense: SPYC
  – Voice biometrics ties the certificate to an identity
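The word-encoding step of SPYC (slide 114) carried through in Python, as an added example rather than the authors' implementation: the hash h is partitioned into k n-bit segments Δ1||Δ2||…||Δk and each segment indexes a 2^n-entry word list, so the receiver can compare the words it hears against the certificate its TLS peer actually presented. SHA-256 as the hash, the 16-word list and the placeholder certificate bytes are assumptions of this example; the voice-biometric part of the scheme is outside it.

```python
import hashlib
import math
from typing import List, Sequence


def hash_segments(cert_der: bytes, n: int, k: int) -> List[int]:
    """h = SHA-256(certificate); keep the nk most significant bits of h and
    partition them into k n-bit segments Δ1||Δ2||…||Δk (returned as ints)."""
    h = hashlib.sha256(cert_der).digest()
    if n * k > len(h) * 8:
        raise ValueError("nk must not exceed the hash length")
    top = int.from_bytes(h, "big") >> (len(h) * 8 - n * k)  # nk most significant bits
    return [(top >> (n * (k - 1 - i))) & ((1 << n) - 1) for i in range(k)]


def certificate_words(cert_der: bytes, wordlist: Sequence[str], k: int) -> List[str]:
    """<w1, w2, …, wk>: segment Δi indexes a word list of exactly 2^n entries."""
    n = int(math.log2(len(wordlist)))
    if (1 << n) != len(wordlist):
        raise ValueError("wordlist size must be a power of two")
    return [wordlist[d] for d in hash_segments(cert_der, n, k)]


def words_match_certificate(spoken: Sequence[str], presented_cert: bytes,
                            wordlist: Sequence[str], k: int) -> bool:
    """Receiver side: the words heard from the peer must equal the words derived
    from the certificate the TLS peer actually presented. Whether the voice
    belongs to the expected person is the biometric part, not handled here."""
    return list(spoken) == certificate_words(presented_cert, wordlist, k)


# Constructed 16-word list (n = 4) so the example runs offline; a deployment
# would use a far larger list so that nk bits are enough to resist collisions.
WORDLIST = ["apple", "bridge", "cloud", "delta", "eagle", "forest", "garden", "harbor",
            "island", "jungle", "kettle", "lemon", "meadow", "north", "ocean", "piano"]
K = 6  # six words -> 24 bits of the hash

if __name__ == "__main__":
    alice_cert = b"constructed placeholder, not a real DER certificate"
    spoken = certificate_words(alice_cert, WORDLIST, K)  # what Alice reads aloud
    print("Alice says:", " ".join(spoken))
    print("matches Alice's cert:", words_match_certificate(spoken, alice_cert, WORDLIST, K))
    print("matches another cert:", words_match_certificate(spoken, b"other cert", WORDLIST, K))
```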