Jailbreaking Apple Watch

Max Bazaliy

December 4-7, 2017

whoami

o Security researcher at Lookout
o iOS/tvOS/WatchOS jailbreak author
o Lead researcher on Pegasus exploit chain
o Focused on software and hardware exploitation

What is Apple Watch?

o Released in 2015
o S1/S2/S3 processor
o ARMv7k 32-bit architecture
o 512/768 MB RAM
o One/Dual-core processor
o WatchOS

How does it work?

o Fetch data from a phone
o Data transfer over
o Sync over Bluetooth and WiFi

Why jailbreak a watch?

o Access to file system (…, emails..)
o Run debug tools on a watch (radare, frida)
o iPhone attack vector :)

Apple Watch security

o Secure boot chain
o Mandatory Code Signing
o Sandbox
o Exploit Mitigations
o Data Protection
o Secure Enclave Processor

Possible attack vectors

o Memory corruption over WebKit
o Boot chain attack over USB (diags port :))
o Application extension based

Jailbreak step by step

o Get initial code execution
o Leak kernel base
o Dump whole kernel (for encrypted kernels)
o Find gadgets and set up primitives
o Disable security restrictions
o Run ssh client on a watch

Bugs of interest

o WatchOS 2.x
  - CVE-2016-4656 & CVE-2016-4680
o WatchOS 3.1.2
  - CVE-2017-2370
o WatchOS 4.0.1
  - CVE-2017-13861 ? :)

Leaking kernel base – WatchOS 2.x

o CVE-2016-4680
o Object constructor missing bounds checking
o OSNumber object with high number of bits
o Object length used to copy value from stack
o Kernel stack memory leaked
o Can be triggered from an app's sandbox
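The bounds-check gap described on this slide, as an added model in C that is not the author's code and not XNU source: a number object records a caller-supplied bit count, and the reader copies bit_count/8 bytes starting at its 64-bit value, so an oversized count reads past the value into neighbouring memory (a constructed `neighbour` field stands in for adjacent kernel stack data); the hardened constructor rejects any count above 64. Names such as `num_obj` and `neighbour_bytes_leaked` are assumptions of this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model, not XNU source: a number object that records how many
 * bits the caller claims its 64-bit value has; the bit count is unbounded. */
struct num_obj {
    uint64_t value;        /* the only legitimately readable payload */
    uint8_t neighbour[24]; /* constructed stand-in for adjacent stack memory */
    uint32_t num_bits;     /* caller-controlled; unbounded in the weak path */
};

/* Weak constructor: trusts num_bits (this is the missing bounds check). */
static void num_init_unchecked(struct num_obj *o, uint64_t v, uint32_t bits) {
    o->value = v;
    o->num_bits = bits;
}

/* Hardened constructor: a 64-bit value cannot carry more than 64 bits. */
static int num_init_checked(struct num_obj *o, uint64_t v, uint32_t bits) {
    if (bits == 0 || bits > 64)
        return -1;
    o->value = v;
    o->num_bits = bits;
    return 0;
}

/* Reader shared by both paths: copies num_bits/8 bytes starting at value.
 * An unbounded num_bits makes it walk past value into neighbour. */
static size_t num_read_bytes(const struct num_obj *o, uint8_t *out, size_t cap) {
    size_t n = o->num_bits / 8;
    if (n > cap)
        n = cap;
    memcpy(out, (const uint8_t *)o + offsetof(struct num_obj, value), n);
    return n;
}

/* Claims 128 bits through the chosen constructor and returns how many bytes
 * beyond the 8-byte value came back: 8 on the weak path, 0 once hardened. */
size_t neighbour_bytes_leaked(int hardened) {
    struct num_obj o;
    uint8_t out[64];
    memset(o.neighbour, 0xAB, sizeof o.neighbour); /* constructed stack contents */
    if (hardened && num_init_checked(&o, 0x11ULL, 128) != 0)
        return 0;                       /* hardened path rejects 128 bits */
    if (!hardened)
        num_init_unchecked(&o, 0x11ULL, 128);
    size_t n = num_read_bytes(&o, out, sizeof out);
    return n > sizeof o.value ? n - sizeof o.value : 0;
}
```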

CVE-2016-4656 exploitation

o Kernel mode UAF in OSUnserializeBinary
o OSString object deallocated
o retain() called on deallocated object
o Fake object with fake vtable -> code exec
o Can be triggered from an app's sandbox

Dumping WatchOS 2.x kernel

o Problem: no WatchOS 2.x kernel dumps
o No decryption keys for WatchOS kernels
o Idea: read kernel as OSString chunks
o vtable offset required to fake OSString
o vtable stored in __DATA.__const in kernel


Getting OSString vtable

o OSString vtable reference in OSUnserializeBinary!
o OSUnserializeBinary reference in OSUnserializeXML

Dumping kernel by panic logs

o We can control pointer to vtable
o Use address to leak as vtable address
o vtable will be dereferenced by retain() call
o Kernel will crash, but save panic log
o Address content appears in register state

It's fun!

Dumping kernel by 4 bytes

o Use address to leak as fake vtable address
o Watch will crash, wait until it restores
o ssh to an iPhone and run synchronization service
o Copy panic from Watch to iPhone and to Mac
o Parse panic, read 4 bytes and disassemble!
o Update address with 4-byte delta and upload app
o Repeat


Next step – full kernel dump

o Now use fake OSString obj to read kernel
o Read data via IORegistryEntryGetProperty
o Leak kernel header, calculate kernel size
o Dump full kernel to userland by chunks

Next step – kernel symbolication

o Find and list all kexts
o Find sysent and resolve syscalls
o Find and resolve traps
o Resolve IOKit object vtables

Next step – setting up primitives

o Scan kernel dump for gadgets
o Set up exec primitive
o Set up kernel read & write primitives

Jailbreaking WatchOS 3.x

o Kernels are not encrypted now
o No need to dump and symbolicate anymore
o New heap layout, some AMFI fixes
o More sandbox restrictions
o Vulnerable to CVE-2017-2370

CVE-2017-2370

o Kernel heap overflow
o mach_voucher_extract_attr_recipe
o Usermode pointer is used as copyin size arg
o We can corrupt mach message to get kernel RW
o Allocate userclient and read obj vtable -> KASLR
o Can be triggered from an app's sandbox

Next step – patchfinder

o String / byte pattern + xref + analysis
o Simple ARM emulator is helpful
o Resolve syscalls table, mach traps table

Getting root and sandbox bypass

o Patch setreuid (no KPP)
o Patch ucred in proc structure in kernel
o Patch sandbox label value in ucred

Getting kernel task

o Patch task_for_pid()
o Or save kernel sself (the kernel task's self port) in task bootstrap port
o Read it back via task_get_special_port()
o Restore original bootstrap port value

Disable codesign checks

o Patch _debug to 1
o Patch __nl_symbol_ptr (GOT) entries
o Patch AMFI variables
  - cs_enforcement_disable
  - allow_invalid_signatures

Remount rootfs

o Patch __mac_mount
o Change mount flags in rootfs vnode
o Patch lwvm is_write_protected check
o Patch PE_i_can_has_debugger in lwvm

Spawning ssh client

o Compile dropbear ssh client for ARMv7k
o Compile basic tools package for ARMv7k
o More restricted sandbox than iOS
o Null out WatchOS specific sandbox ops

ssh connection problem…

o WatchOS interfaces

    "awdl0/ipv6" = "fe80::c837:8aff:fe60:90c2";
    "lo0/ipv4" = "127.0.0.1";
    "lo0/ipv6" = "fe80::1";
    "utun0/ipv6" = "fe80::face:5e30:271e:3cd3";


Watch <-> iPhone port forwarding

    // Ask the companion proxy on the iPhone to forward a Watch service port
    // (pt, serviceConnection, response and format are set up earlier).
    NSDictionary *comm = @{
        @"Command"              : @"StartForwardingServicePort",
        @"ForwardedServiceName" : @"com.apple.syslog_relay",
        @"GizmoRemotePortNumber": [NSNumber numberWithUnsignedShort:pt], // port on the Watch
        @"IsServiceLowPriority" : @0,
    };

    AMDServiceConnectionSendMessage(serviceConnection,
                                    (__bridge CFPropertyListRef)(comm),
                                    kCFPropertyListXMLFormat_v1_0);

    // The reply carries the iPhone-side port that now proxies the Watch service.
    AMDServiceConnectionReceiveMessage(serviceConnection, &response,
                                       (CFPropertyListFormat *)&format);
    NSNumber *iphone_port = response[@"CompanionProxyServicePort"];


SSH over WiFi

o Watch can be connected to 2.4 GHz WiFi
o Can be a little bit tricky but it works
o iPhone is not involved at all :)
o Just leak address and connect


Apple Watch usage

o Watch has access to SMS, Calls, …
o Photos and emails synced to Watch
o Access to GPS location
o Microphone usage

Post jailbreak

o Full access to jailbroken watch file system
  - Messages
  - Call history
  - Emails
  - GPS location

What's next?

o Interpose or trampoline system functions
o Catch data on sync with an iPhone
o Call recordings
o Create tweaks for a watch
o Run frida and radare

Black Hat sound bytes

o WatchOS security is mostly equal to iOS
o Easier data forensics on a Watch
o Exploits became more valuable

@mbazaliy