Over the Garden Wall — Let's steal data from your iPhone

The tech giants tell us their walled gardens are there to protect us, keeping our data safe. But can we use their ecosystems against them? In this talk, we explore how Apple’s implicit trust in their own hardware allows us to steal passwords and other sensitive data from your iPhone. In climbing the garden wall, we’ll learn to talk like an Apple Watch, and get intimately familiar with Bluetooth, about a dozen curious protocols, and all the OSI layers. And — if the stars align — you’ll learn a fun new way to use your badge…

Since my last talk at Troopers24 on the Apple Watch, we’ve spent the last year digging deep into what makes an iPhone trust an Apple Watch. This trust has far-reaching consequences: by default, your iPhone freely shares internet access, intimate health data, and even WiFi and account passwords with your Apple Watch — data that is otherwise extremely well protected on iOS.

iPhones have long enjoyed a reputation as the most secure smartphones — featuring strong encryption, Lockdown Mode, and features specifically engineered to prevent sophisticated hardware attacks. For years, jailbreaks for current iOS versions have been scarce, and attacks on iOS have mostly been the realm of nation-state adversaries.

But can we exploit Apple’s implicit trust in their walled garden to exfiltrate data from your iPhone? Can we get unusually deep access to system features on current, stock-iOS phones? And can you, too, perform a nation-state-style supply chain attack with $25 and too much free time?

Over the past year we invested extensive reverse engineering efforts into answering exactly these questions. By dissecting firmware, analyzing hundreds of packet captures and millions of lines of system logs, we were able to master all of the protocols associated with the Apple Watch. We are very excited to give you a demo of our shiny new Apple Watch impersonation attack. Along the way, we’ll also reflect on the nature of trust in walled gardens, security by obscurity, and the tensions between interoperability, security, and user consent.

About the Speaker