-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Intrepidus Group Security Advisory
http://www.intrepidusgroup.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Title: Apple TV Touch Setup Wi-Fi and iTunes Password Disclosure
Release Date: 10 March 2014
Discoverer: David Schuetz <david.schuetz@intrepidusgroup.com>
Vendor: Apple
Vendor Reference: http://support.apple.com/kb/HT1222
CVE Reference: CVE-2014-1279
Systems Affected: Apple TV (3rd generation) running ATV 6.0 - 6.0.2
Risk: Medium
Status: Published
Timeline
--------
Discovered: 10 October 2013
Reported: 8 November 2013
Fixed: 10 March 2014
Published: 10 March 2014
Summary
--------
The release of Apple TV version 6.0, based on iOS 7.0, introduced a new
convenience feature for the setup of new Apple TV units, colloquially
referred to as "Touch Setup."
This features permits a user with a mobile iOS device such as an iPhone, to
use BlueTooth Low Energy (BTLE) to transfer certain configuration information
to a newly-activated Apple TV system, including iTunes Store ID and password,
and Wi-Fi SSID and password.
An issue exists where detailed logging is enabled in the Apple TV.app binary,
resulting in detailed packet data being dumped to the Apple TV log. This data
includes hexadecimal representations of the configuration information
transferred from the mobile device to the Apple TV, including AppleID and
Wi-Fi passwords passed in cleartext.
An attacker with access to an Apple TV may be able to recover this data from
the system log, if it has been stored on the Apple TV.
Details
-------
Apple TV applications may save certain logging and debugging information to
the system using NSLog() and similar mechanisms. The logs may be viewed by
attaching the Apple TV unit to an OS X system via a micro-USB cable, and
using an application such as the Xcode Organizer or iPhone Configuration
Utility.
In general, these log entries are ephemeral, however, certain log data on
the Apple TV (and other iOS devices in general) are retained to some degree
on the device filesystem and may thus be available for viewing at a later
date. At this time, it is not clear whether the Touch Setup logs are
retained on the Apple TV or mobile iOS device after completion of the setup
process.
The Apple TV app (as well as the touchsetupd daemon on the mobile iOS device)
sends detailed descriptions of data sent and received during the Touch Setup
process.
In the case of the mobile iOS device, this data is encrypted using
a key exchanged between the two devices. However, it may be possible that
enough information is leaked in these debug messages (or other related log
entries) that an attacker may recover the session key and thus decrypt the
entire conversation.
In the case of the Apple TV unit, the data are generally written to the log
two or even three times: First, the raw encrypted data as received from the
mobile device, then the decrypted, yet compressed, plaintext of that data,
and then finally the uncompressed data itself.
The decompressed data containing configuration information required to
complete the Touch Setup process is provided as a binary property list
(plist). The plist contains, among other data, the following information:
AppleID (iTunes account) information:
* First Name
* Last Name
* AppleID (email address)
* Password
Local Wi-Fi information:
* SSID
* Password
Steps to Reproduce
------------------
To demonstrate this vulnerability, the following hardware will be required:
1. Apple TV (3rd generation) running Apple TV system version 6.0 through 6.0.2
2. A "recent" mobile iOS device such as iPhone 4S or later (see Systems
Affected for full list), running iOS version 7.0 or later
3. A system running OS X, with Xcode installed
4. A display connected to the Apple TV via HDMI
5. A micro-USB cable connected to the Apple TV and ready to connect to a
system running OS X
The procedure is as follows:
1. Ensure the Apple TV is "factory fresh" either by acquiring a new,
shrink-wrapped unit, or using a full "factory reset" on an existing unit.
2. Connect the Apple TV to the display using HDMI
3. Connect the micro-USB cable to the Apple TV (it may be necessary to obtain
a very low-profile connector, or to use a utility knife to shave the
micro-USB connector, in order to connect both the HDMI and USB connectors
simultaneously). DO NOT connect the cable to the OS X machine at this point.
4. Ensure the mobile iOS device has BlueTooth enabled and is logged in to the
local Wi-Fi network (following Apple's instructions:
http://support.apple.com/kb/HT5900)
5. Launch Xcode on the OS X system, and open the Xcode organizer.
6. Reboot the Apple TV by removing and re-inserting the power cable. Once the
Apple logo has appeared (or shortly thereafter) connect the micro-USB
cable to the OS X system.
7. In Xcode organizer, select the Apple TV device and view its Console log. It
may be desirable to connect the mobile iOS device via another cable to
capture its log as well.
8. When the Apple TV has reached the language selection screen, follow the
instructions to complete the Touch Setup process.
9. Save the Apple TV log data to a text file.
10. Search the log file for data similar to the following:
Oct 10 15:48:07 Apple-TV Apple TV[24] <Warning>: [TRDeviceSetupServer]
Decompressed data: <62706c69 73743030 d2010203 04516151 70557365 747570d9
05060708 090a0b0c ....
11. Select the hexadecimal data (between the <> marks on that log entry) and
convert to a binary file.
12. View that file using a plist editor. For example,
plutil -convert json -r <filename> -o -
13. The data recovered should look something like this: [.keys and other
data which may be unique or private have been redacted here]
{
"a" : "setup",
"p" : {
"au" : {
"h" : {
"x-apple-orig-url" : "https:\/\/p44-buy.itunes.apple.com\/WebObjects\/MZFinance.woa\/wa\/authenticate",
"edge-control" : "no-store, cache-maxage=0",
"x-set-apple-store-front" : "143441-1,19",
"Expires" : "Thu, 10 Oct 2013 22:47:49 GMT",
"apple-timing-app" : "402 ms",
"pod" : "44",
"Cache-Control" : "private, no-cache, no-store, no-transform, must-revalidate, max-age=0",
"x-apple-lokamai-no-cache" : "true",
"Content-Type" : "text\/xml; charset=UTF-8",
"x-apple-translated-wo-url" : "\/WebObjects\/MZFinance.woa\/wa\/authenticate",
"x-apple-jingle-correlation-key" : "--redacted--",
"Content-Encoding" : "gzip",
"x-apple-date-generated" : "Thu, 10 Oct 2013 22:47:48 GMT",
"x-apple-application-site" : "ST13",
"x-apple-application-instance" : "440051",
"x-apple-asset-version" : "0",
"Date" : "Thu, 10 Oct 2013 22:47:49 GMT",
"Set-Cookie" : "X-Dsid=--redacted--; version=\"1\"; expires=Fri, 10-Oct-2014 22:47:49 GMT; path=\/; domain=.apple.com, TrPod=3; version=\"1\"; expires=Fri, 10-Oct-2014 22:47:49 GMT; path=\/; domain=.apple.com, isPpuOptOut=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.apple.com, hsaccnt=1; version=\"1\"; path=\/WebObjects; domain=.apple.com, mz_at0---redacted--=--redacted--; version=\"1\"; expires=Wed, 30-Sep-2015 22:47:49 GMT; path=\/; domain=.apple.com, mz_at_ssl---redacted--=--redacted--; version=\"1\"; expires=Sat, 10-Oct-2015 22:47:49 GMT; path=\/; domain=.apple.com; secure, Pod=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.itunes.apple.com, X-Dsid=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.volume.itunes.apple.com, X-Dsid=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.vpp.itunes.apple.com, X-Token=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.volume.itunes.apple.com; secure, X-Token=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.vpp.itunes.apple.com; secure, Pod=44; version=\"1\"; expires=Sun, 10-Nov-2013 23:47:49 GMT; path=\/; domain=.apple.com, itspod=44; version=\"1\"; expires=Sun, 10-Nov-2013 23:47:49 GMT; path=\/; domain=.apple.com, mzf_in=440051; version=\"1\"; path=\/WebObjects; domain=.apple.com; secure, mzf_odc=ST1; version=\"1\"; expires=Thu, 10-Oct-2013 23:17:49 GMT; path=\/WebObjects; domain=.apple.com, mzf_dr=0; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/WebObjects; domain=.apple.com, ns-mzf-inst=179-11-80-157-121-8031-440051-44-st13; version=1; Max-Age=1800; path=\/; domain=.apple.com; httponly",
"x-webobjects-loadaverage" : "23",
"x-apple-request-store-front" : "143441-1,19 t:6",
"Content-Length" : "522",
"itspod" : "44"
},
"b" : {
"status" : 0,
"password" : "--redacted--",
"m-allowed" : true,
"creditBalance" : "1311811",
"freeSongBalance" : "1311811",
"clearToken" : "--redacted--",
"is-cloud-enabled" : "true",
"passwordToken" : "--redacted--",
"dsPersonId" : "--redacted--",
"creditDisplay" : "",
"accountInfo" : {
"address" : {
"firstName" : "David",
"lastName" : "Schuetz"
},
"accountKind" : "0",
"appleId" : "--redacted--"
}
}
},
"np" : "--redacted--",
"c" : "US",
"l" : "en",
"ns" : "--redacted--",
"ha" : "--redacted--",
"rp" : true,
"hg" : "00000000-0353-d139-58e8-619c235c480b",
"di" : true
}
}
Fix Information
----------------
A review of the affected binaries using IDA Pro indicates that these debug
statements are hard-coded into the system. It may be possible for Apple to
remotely change the "DEBUG LEVEL" at which the system is run, to prevent this
data from being logged, however, it is not clear whether that will be possible.
Even if the logs are remotely disabled, the capability remains, and may be
inadvertently or maliciously reactivated at a later date. It is expected that
a fix will only be available by completely removing the logging commands
from the binary and shipping a new release of the Apple TV software.
-------------------------
After reviewing the vulnerability, the vendor responded that the issue would
be fixed in a future release of the Apple TV operating system.
The vendor has indicated that the issue was fixed in Apple TV system 6.1
(based on iOS 7.1), released on 10 March 2014. A review of the affected
binaries in a pre-release version of 6.1 has indicated that the data is no
longer written to the log.
###
Intrepidus Group Security Advisory
http://www.intrepidusgroup.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Title: Apple TV Touch Setup Wi-Fi and iTunes Password Disclosure
Release Date: 10 March 2014
Discoverer: David Schuetz <david.schuetz@intrepidusgroup.com>
Vendor: Apple
Vendor Reference: http://support.apple.com/kb/HT1222
CVE Reference: CVE-2014-1279
Systems Affected: Apple TV (3rd generation) running ATV 6.0 - 6.0.2
Risk: Medium
Status: Published
Timeline
--------
Discovered: 10 October 2013
Reported: 8 November 2013
Fixed: 10 March 2014
Published: 10 March 2014
Summary
--------
The release of Apple TV version 6.0, based on iOS 7.0, introduced a new
convenience feature for the setup of new Apple TV units, colloquially
referred to as "Touch Setup."
This features permits a user with a mobile iOS device such as an iPhone, to
use BlueTooth Low Energy (BTLE) to transfer certain configuration information
to a newly-activated Apple TV system, including iTunes Store ID and password,
and Wi-Fi SSID and password.
An issue exists where detailed logging is enabled in the Apple TV.app binary,
resulting in detailed packet data being dumped to the Apple TV log. This data
includes hexadecimal representations of the configuration information
transferred from the mobile device to the Apple TV, including AppleID and
Wi-Fi passwords passed in cleartext.
An attacker with access to an Apple TV may be able to recover this data from
the system log, if it has been stored on the Apple TV.
Details
-------
Apple TV applications may save certain logging and debugging information to
the system using NSLog() and similar mechanisms. The logs may be viewed by
attaching the Apple TV unit to an OS X system via a micro-USB cable, and
using an application such as the Xcode Organizer or iPhone Configuration
Utility.
In general, these log entries are ephemeral, however, certain log data on
the Apple TV (and other iOS devices in general) are retained to some degree
on the device filesystem and may thus be available for viewing at a later
date. At this time, it is not clear whether the Touch Setup logs are
retained on the Apple TV or mobile iOS device after completion of the setup
process.
The Apple TV app (as well as the touchsetupd daemon on the mobile iOS device)
sends detailed descriptions of data sent and received during the Touch Setup
process.
In the case of the mobile iOS device, this data is encrypted using
a key exchanged between the two devices. However, it may be possible that
enough information is leaked in these debug messages (or other related log
entries) that an attacker may recover the session key and thus decrypt the
entire conversation.
In the case of the Apple TV unit, the data are generally written to the log
two or even three times: First, the raw encrypted data as received from the
mobile device, then the decrypted, yet compressed, plaintext of that data,
and then finally the uncompressed data itself.
The decompressed data containing configuration information required to
complete the Touch Setup process is provided as a binary property list
(plist). The plist contains, among other data, the following information:
AppleID (iTunes account) information:
* First Name
* Last Name
* AppleID (email address)
* Password
Local Wi-Fi information:
* SSID
* Password
Steps to Reproduce
------------------
To demonstrate this vulnerability, the following hardware will be required:
1. Apple TV (3rd generation) running Apple TV system version 6.0 through 6.0.2
2. A "recent" mobile iOS device such as iPhone 4S or later (see Systems
Affected for full list), running iOS version 7.0 or later
3. A system running OS X, with Xcode installed
4. A display connected to the Apple TV via HDMI
5. A micro-USB cable connected to the Apple TV and ready to connect to a
system running OS X
The procedure is as follows:
1. Ensure the Apple TV is "factory fresh" either by acquiring a new,
shrink-wrapped unit, or using a full "factory reset" on an existing unit.
2. Connect the Apple TV to the display using HDMI
3. Connect the micro-USB cable to the Apple TV (it may be necessary to obtain
a very low-profile connector, or to use a utility knife to shave the
micro-USB connector, in order to connect both the HDMI and USB connectors
simultaneously). DO NOT connect the cable to the OS X machine at this point.
4. Ensure the mobile iOS device has BlueTooth enabled and is logged in to the
local Wi-Fi network (following Apple's instructions:
http://support.apple.com/kb/HT5900)
5. Launch Xcode on the OS X system, and open the Xcode organizer.
6. Reboot the Apple TV by removing and re-inserting the power cable. Once the
Apple logo has appeared (or shortly thereafter) connect the micro-USB
cable to the OS X system.
7. In Xcode organizer, select the Apple TV device and view its Console log. It
may be desirable to connect the mobile iOS device via another cable to
capture its log as well.
8. When the Apple TV has reached the language selection screen, follow the
instructions to complete the Touch Setup process.
9. Save the Apple TV log data to a text file.
10. Search the log file for data similar to the following:
Oct 10 15:48:07 Apple-TV Apple TV[24] <Warning>: [TRDeviceSetupServer]
Decompressed data: <62706c69 73743030 d2010203 04516151 70557365 747570d9
05060708 090a0b0c ....
11. Select the hexadecimal data (between the <> marks on that log entry) and
convert to a binary file.
12. View that file using a plist editor. For example,
plutil -convert json -r <filename> -o -
13. The data recovered should look something like this: [.keys and other
data which may be unique or private have been redacted here]
{
"a" : "setup",
"p" : {
"au" : {
"h" : {
"x-apple-orig-url" : "https:\/\/p44-buy.itunes.apple.com\/WebObjects\/MZFinance.woa\/wa\/authenticate",
"edge-control" : "no-store, cache-maxage=0",
"x-set-apple-store-front" : "143441-1,19",
"Expires" : "Thu, 10 Oct 2013 22:47:49 GMT",
"apple-timing-app" : "402 ms",
"pod" : "44",
"Cache-Control" : "private, no-cache, no-store, no-transform, must-revalidate, max-age=0",
"x-apple-lokamai-no-cache" : "true",
"Content-Type" : "text\/xml; charset=UTF-8",
"x-apple-translated-wo-url" : "\/WebObjects\/MZFinance.woa\/wa\/authenticate",
"x-apple-jingle-correlation-key" : "--redacted--",
"Content-Encoding" : "gzip",
"x-apple-date-generated" : "Thu, 10 Oct 2013 22:47:48 GMT",
"x-apple-application-site" : "ST13",
"x-apple-application-instance" : "440051",
"x-apple-asset-version" : "0",
"Date" : "Thu, 10 Oct 2013 22:47:49 GMT",
"Set-Cookie" : "X-Dsid=--redacted--; version=\"1\"; expires=Fri, 10-Oct-2014 22:47:49 GMT; path=\/; domain=.apple.com, TrPod=3; version=\"1\"; expires=Fri, 10-Oct-2014 22:47:49 GMT; path=\/; domain=.apple.com, isPpuOptOut=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.apple.com, hsaccnt=1; version=\"1\"; path=\/WebObjects; domain=.apple.com, mz_at0---redacted--=--redacted--; version=\"1\"; expires=Wed, 30-Sep-2015 22:47:49 GMT; path=\/; domain=.apple.com, mz_at_ssl---redacted--=--redacted--; version=\"1\"; expires=Sat, 10-Oct-2015 22:47:49 GMT; path=\/; domain=.apple.com; secure, Pod=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.itunes.apple.com, X-Dsid=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.volume.itunes.apple.com, X-Dsid=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.vpp.itunes.apple.com, X-Token=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.volume.itunes.apple.com; secure, X-Token=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.vpp.itunes.apple.com; secure, Pod=44; version=\"1\"; expires=Sun, 10-Nov-2013 23:47:49 GMT; path=\/; domain=.apple.com, itspod=44; version=\"1\"; expires=Sun, 10-Nov-2013 23:47:49 GMT; path=\/; domain=.apple.com, mzf_in=440051; version=\"1\"; path=\/WebObjects; domain=.apple.com; secure, mzf_odc=ST1; version=\"1\"; expires=Thu, 10-Oct-2013 23:17:49 GMT; path=\/WebObjects; domain=.apple.com, mzf_dr=0; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/WebObjects; domain=.apple.com, ns-mzf-inst=179-11-80-157-121-8031-440051-44-st13; version=1; Max-Age=1800; path=\/; domain=.apple.com; httponly",
"x-webobjects-loadaverage" : "23",
"x-apple-request-store-front" : "143441-1,19 t:6",
"Content-Length" : "522",
"itspod" : "44"
},
"b" : {
"status" : 0,
"password" : "--redacted--",
"m-allowed" : true,
"creditBalance" : "1311811",
"freeSongBalance" : "1311811",
"clearToken" : "--redacted--",
"is-cloud-enabled" : "true",
"passwordToken" : "--redacted--",
"dsPersonId" : "--redacted--",
"creditDisplay" : "",
"accountInfo" : {
"address" : {
"firstName" : "David",
"lastName" : "Schuetz"
},
"accountKind" : "0",
"appleId" : "--redacted--"
}
}
},
"np" : "--redacted--",
"c" : "US",
"l" : "en",
"ns" : "--redacted--",
"ha" : "--redacted--",
"rp" : true,
"hg" : "00000000-0353-d139-58e8-619c235c480b",
"di" : true
}
}
Fix Information
----------------
A review of the affected binaries using IDA Pro indicates that these debug
statements are hard-coded into the system. It may be possible for Apple to
remotely change the "DEBUG LEVEL" at which the system is run, to prevent this
data from being logged, however, it is not clear whether that will be possible.
Even if the logs are remotely disabled, the capability remains, and may be
inadvertently or maliciously reactivated at a later date. It is expected that
a fix will only be available by completely removing the logging commands
from the binary and shipping a new release of the Apple TV software.
-------------------------
After reviewing the vulnerability, the vendor responded that the issue would
be fixed in a future release of the Apple TV operating system.
The vendor has indicated that the issue was fixed in Apple TV system 6.1
(based on iOS 7.1), released on 10 March 2014. A review of the affected
binaries in a pre-release version of 6.1 has indicated that the data is no
longer written to the log.
###