This document summarizes how an iOS MITM attack can be performed by tricking a user into installing a fake certificate authority. The attacker sets up a rogue wireless access point called "Gate" and generates a mobile configuration profile containing the fake CA certificate. When the user connects to the access point and installs the profile, the attacker gains the ability to decrypt SSL traffic, access backups of personal data like photos and messages, and send fake push notifications or remotely wipe the device by abusing the trusted CA status. The attack only requires the user to tap "install" twice, highlighting how easily iOS security can be compromised through social engineering.
7. Why can't we create a fake signature?
Because the "Apple Root CA" fingerprint is hardcoded into iOS and has to
be 61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60
sieg.in 7
9. Certificate Authority Storage
A few of the 186 are quite interesting:
– C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD CLASS 3 Root CA
– C=JP, O=Japanese Government, OU=ApplicationCA
– C=CN, O=China Internet Network Information Center, CN=China Internet Network Information Center EV Certificates Root
…
14. Mobileconfig contains
– WiFi settings (password, SSID) for "Gate"
– CA
– Proxy settings, if we want the victim's traffic even after it has left attack range (iOS 6 only)
– iCloud backup (enable it, if not already on)
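The deck's point on slide 7 (iOS pins the Apple Root CA fingerprint) and slide 14 (a profile can bundle a Wi-Fi network, a proxy and a CA) together suggest the check a defender wants before tapping "Install": open the .mobileconfig and see what it actually carries. The script below is an added example, not code from the original talk. It parses a profile as the Apple XML plist it is, flags payload types that add a root CA or set a proxy, and compares any bundled certificate's SHA-1 fingerprint against an allow-list that here holds only the Apple Root CA fingerprint quoted on slide 7. The payload type names and keys are Apple's public configuration-profile keys; the two sample profiles at the bottom are constructed for the example, and the certificate bytes in the rogue one are a placeholder, not a real certificate.

```python
"""Audit an iOS configuration profile (.mobileconfig) before installing it.

Added example, not from the original slides. A .mobileconfig is an Apple
XML plist; this script lists its payloads and flags the ones the deck
describes: a root CA being added to the trust store, a Wi-Fi network that
also sets a proxy, and a global HTTP proxy. Certificates in CA payloads are
SHA-1 fingerprinted and compared with an allow-list that here holds only
the Apple Root CA fingerprint quoted on slide 7. The sample profiles at the
bottom are constructed; the certificate bytes are a placeholder.
"""
import hashlib
import plistlib

# Fingerprint quoted on slide 7 for "Apple Root CA".
APPLE_ROOT_CA_SHA1 = "61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60"
TRUSTED_ROOT_FINGERPRINTS = {APPLE_ROOT_CA_SHA1}

# Apple payload types (public configuration-profile keys) and why they matter.
CERT_PAYLOAD_TYPES = ("com.apple.security.root", "com.apple.security.pkcs1")
RISKY_PAYLOAD_TYPES = {
    "com.apple.security.root": "adds a root CA to the device trust store",
    "com.apple.security.pkcs1": "installs a certificate that may be a CA",
    "com.apple.proxy.http.global": "routes all HTTP(S) traffic through a proxy",
}


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-1 fingerprint, as iOS displays it."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_profile(profile_bytes: bytes) -> list:
    """Return (payload_type, finding) tuples for every risky payload."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    if profile.get("PayloadType") != "Configuration":
        findings.append(("?", "top-level PayloadType is not 'Configuration'"))
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOAD_TYPES:
            findings.append((ptype, RISKY_PAYLOAD_TYPES[ptype]))
        if ptype in CERT_PAYLOAD_TYPES:
            # PayloadContent of a certificate payload is the DER bytes.
            fp = sha1_fingerprint(payload.get("PayloadContent", b""))
            if fp not in TRUSTED_ROOT_FINGERPRINTS:
                findings.append((ptype, f"certificate {fp} is not on the allow-list"))
        if ptype == "com.apple.wifi.managed" and payload.get("ProxyType", "None") != "None":
            findings.append((ptype, "Wi-Fi network %r also configures proxy %s:%s" % (
                payload.get("SSID_STR"), payload.get("ProxyServer"),
                payload.get("ProxyServerPort"))))
    return findings


def is_safe_to_install(profile_bytes: bytes) -> bool:
    """True only when the audit raises no finding at all."""
    return not audit_profile(profile_bytes)


def make_profile(display_name: str, payloads: list) -> bytes:
    """Build a constructed XML-plist profile so the audit can run offline."""
    for n, p in enumerate(payloads, 1):
        p.setdefault("PayloadVersion", 1)
        p.setdefault("PayloadIdentifier", f"example.constructed.payload{n}")
        p.setdefault("PayloadUUID", f"00000000-0000-0000-0000-00000000000{n}")
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.constructed.profile",
        "PayloadUUID": "00000000-0000-0000-0000-0000000000ff",
        "PayloadDisplayName": display_name,
        "PayloadContent": payloads,
    })


# Constructed: the shape of profile the deck describes (Wi-Fi + proxy + CA).
ROGUE_PROFILE = make_profile("Gate Wi-Fi", [
    {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "Gate",
     "EncryptionType": "WPA", "Password": "placeholder-not-real",
     "ProxyType": "Manual", "ProxyServer": "proxy.example.invalid",
     "ProxyServerPort": 8080},
    {"PayloadType": "com.apple.security.root",
     "PayloadContent": b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE"},
])

# Constructed: a benign profile that only sets a passcode policy.
BENIGN_PROFILE = make_profile("Passcode policy", [
    {"PayloadType": "com.apple.mobiledevice.passwordpolicy", "forcePIN": True},
])

if __name__ == "__main__":
    for ptype, finding in audit_profile(ROGUE_PROFILE):
        print(f"[!] {ptype}: {finding}")
    print("benign profile safe:", is_safe_to_install(BENIGN_PROFILE))
```

Run against a real profile with `audit_profile(open("profile.mobileconfig", "rb").read())`; a signed profile is a CMS wrapper around the same plist and must be unwrapped first. Two caveats for anyone applying this today: since iOS 10.3 a root installed from a profile is not trusted for TLS until the user additionally switches it on under Certificate Trust Settings, so the two-tap install the deck describes no longer yields SSL interception by itself; and on managed devices the enforceable control is an MDM restriction that prevents users from installing configuration profiles at all, rather than asking them to audit one.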
30. Summary
The user only has to tap 'Install' twice to make us able to:
– Sniff all his SSL traffic (cookies, passwords, etc.)
– Steal his backup (call log, SMS log, photos and application data)
– Send him funny push messages or just wipe the device