With the proliferation of portable computing systems such as tablet, smartphone, Internet of Things (IoT), etc., ordinary users are facing the increasing burden to properly configure those devices, enabling them to work together. In response to this utility challenge, major device manufacturers and software vendors (e.g., Apple, Microsoft, Hewlett-Packard) tend to build their systems in a "plug-and-play" fashion, using techniques dubbed zero- configuration (ZeroConf). Such ZeroConf services are characterized by automatic IP selection, host name resolving and target service discovery. As the major proponent of ZeroConf techniques, Apple has adopted ZeroConf techniques in various frameworks and system services on iOS and OS X to minimize user involvements in system setup. However, when the design pendulum swings towards usability, concerns may arise whether the system has been adequately protected. In this presentation, we will report the first systematic study on the security implications of these ZeroConf techniques on Apple systems.
Our research brings to light a disturbing lack of security consideration in these systems' designs: major ZeroConf frameworks on the Apple platforms, including the Multipeer Connectivity and Bonjour, are mostly unprotected and system services, such as printer discovery and AirDrop, turn out to be completely vulnerable to an impersonation or Man-in-the-Middle (MitM) attack, even though attempts have been made to protect them against such threats. The consequences are serious, allowing a malicious device to steal documents to be printed out by other devices or files transferred between other devices. Most importantly, our study highlights the fundamental security challenges underlying ZeroConf techniques. Some of the vulnerabilities have not been fixed until this submission though we reported to Apple over half a year ago. We will introduce ZeroConf techniques and publish technical details of our attacks to Apple ZeroConf techniques. We will take Airdrop, Bonjour and Multipeer Connectivity as examples to show the vulnerabilities in their design and implementation and how we hacked these ZeroConf frameworks and system services to perform MitM attacks. We will also show that some of vulnerabilities are due to TLS' incompetence to secure device-to-device communication in the ZeroConf scenario, which is novel discovery and contributes to the state of the art.
Luyi Xing's major research interest is to find novel and previously unknownways to "white-hat"ly hack iOS/OSX/Android, Cloud, Web/Browser and othersystems. With in-depth knowledge learnt during the hacking, he also delvesinto securing systems that he hacked. His hacking on OSX, iOS, Android, Cloudhas been reported by Time, CNN, Forbes, Mirror, Fox News, Yahoo, CNET, TheRegister and more. Official blog of Facebook, 1Password discussed about hishacking. Apple, Android, Dropbox, Evernote officially acknowledged his hackingand effort to help protect their users.
Xiaolong Bai is a PhD student in the Department of Computer Science andTechnology, Tsinghua University. His major research interest is to find andmitigate new vulnerabilities in mobile systems, including Android, iOS/OS Xand so on. He has published several papers on top research conferencesincluding IEEE Security & Privacy and ACM CCS. His hacking on mobile systemsand applications has been acknowledged by major IT companies including Apple,Evernote and Tencent. He is now looking for job opportunities in mobilesecurity and system security. His email address isbxl12@mails.tsinghua.edu.cn.