Lightning Authentication Chip spy

13 Posts
5 Users
0 Likes
932 Views
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Out of an investigation we found spying over a USB-A to Lightning cable. The cable is not MFi certified and non-Apple. Do you think the following tester will help to figure this out?

https://www.aliexpress.com/item/IOS10-Cable-Tester-identifier-for-iPhone-7-6s-6-Plus-E75-C48-Cable-ID-Code-Reader/32751440231.html?spm=2114.40010308.4.2.yz6Aqk

Who knows technical details behind these parameters?

Lightning Cable Reader V3.2
Chip-ID
VID
PID
VER
AV
ID-SN
ASN
MSN

Model ATS-618

If not, do you have a better mobile tester? Besides a logic analyzer in the lab, we want to try a COTS device as a low-quality MITM component to log and intercept the data flow.

Thank you in advance.

 
Posted : 21/02/2017 11:34 am
(@athulin)
Posts: 1156
Noble Member
 

Out of an investigation we found spying over a USB-A to Lightning cable. The cable is not MFi certified and non-Apple. Do you think the following tester will help to figure this out?

Figure out what? Something about the cable? about the device that was connected at Lightning end of it? or at the USB end of it? or about the information that was passed over the cable?

Who knows technical details behind these parameters?

Presumably, someone who has spent some time hacking the T1 chip (if that's what does the job). Apple is unlikely to provide the information, unless you can back up your request well. So … the hacking community of south-east Asia?

 
Posted : 21/02/2017 9:56 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Maybe of use, maybe not
http://ramtin-amin.fr/#tristar

If I may, a question: how exactly is/was the spying supposed to be working?
I mean, is there storage of some kind in the cable/connector that stores *whatever* data is exchanged through the cable?
Or is there a radio/WiFi/whatever transmitter that transmits the data that is exchanged through the cable?
Or does the cable "suck" data from the device even if no data is transmitted to it?

jaclaz

 
Posted : 22/02/2017 12:17 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

@athulin - thank you. Figure out what? We want to take the tester's inlay to build a Man-In-The-Middle (MITM) logger to intercept the spying in the T1 chip, meaning what is running on the Lightning connector's PCB with the T1.

@jaclaz - thank you too! The spying is weird: Wireshark shows no traffic running immediately if the iPhone is connected, but after the iPhone was disconnected, data runs from the single connected cable! over the test machine, which runs Kali live in forensics mode (stealthy).

The cable talks without device.

Don't take me for crazy. I am not.

We dismantled the white cable housing; it looks pretty fine in comparison to a genuine Apple accessory. Before the expensive chip-off task, we want to better understand how this works.

 
Posted : 26/02/2017 12:27 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Rolf,

What you are researching is completely above my head and outside of my knowledge and experience.

It would be useful if the "Lightning Authentication Chip spy" could somehow intercept and record one or more Apple security tokens as they travel from a PC to an iPhone (or vice versa).

Reference ATEX (Apple Token Extractor) https://blog.elcomsoft.com/2014/06/breaking-into-icloud-no-password-required/

Would it be possible to fit USB Rubber Ducky type hardware / capabilities into the chip(s) you are investigating? https://hakshop.com/products/usb-rubber-ducky-deluxe

So, if your spy chip could record necessary security tokens and then transmit the token to an unfriendly party's remote server, could that unfriendly party then access the iPhone's iCloud backup, for example?

 
Posted : 26/02/2017 8:00 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Don't take me for crazy. I am not.

I am pretty sure that you are not crazy :) , but you are seemingly failing at describing the situation, as I still don't get it, maybe it is just me 😯 , but could you expand on what you observed?

I mean *like*

You use the Lightning cable to connect the iPhone to a PC (running Kali), to a USB port.
You do some activity on the iPhone (which kind of activity?).
Then you disconnect the cable from the iPhone side, leaving it connected to the PC.
Suddenly you observe some data flow from the cable to the PC (but directed to where/what?).
And how much data?
I mean, is the amount of data (roughly) proportional to the different amount of activities you carry out on the iPhone while connected in different test sessions?
What happens when you insert the cable (with the iPhone already connected to its Lightning end) in the USB port?
What happens when you insert the cable (without the iPhone already connected) in the USB port?
What happens if after a test session you disconnect the cable from the PC (the USB side), then you disconnect the iPhone from the cable, wait - say - 15 minutes and then re-insert just the cable?
Does something different happen if you reduce the delay before inserting to - still say - only 10 seconds?

jaclaz

 
Posted : 26/02/2017 4:14 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

@UnallocatedClusters,

We knew about the EPPB ATEX before and first thought that the Lightning PCB Spy (LPS), as we call it, just intercepts the iCloud Authentication Token (iAT) to the two EPROMs on the PCBs (printed circuit boards). But these EPROMs (BQ2025) are just 64 or 128 bit respectively and 'in use' by Apple. But we fear that the NX20P3 is either a counterfeit or was hacked.

USB Rubber Ducky is a good idea and will be cross-checked :-) Thank you.

@jaclaz

The spying phenomenon occurs without any user interaction. We just connected the iPhone to the test machine over the USB port. It self-powers on and that's it. No unlocking. We guess the spying was already on the cable before it came into the lab.

If we disconnect the device, leaving just the cable connected to the PC, the LPS sends an AES-128 string out to an IPv4 address that geolocates to the P.R.C. The delay time is between 158 sec and 203 minutes but seems to be initiated from outside. But exactly this cannot be, because our own IP was at first unknown to the C&C server, so it had to be initiated by either the device or the cable. This means the device (not jailbroken) can be part of the issue.

Without device

Ok, we changed the setup with just the cable connected over USB to the test machine, but now with a 'new' VPN-based U.S. IPv4 (our 'new' IP). The cable started to talk again, to a NEW IPv4.
We did this over and over again. The cable always talked to a new IPv4, but limited to a range of 8 addresses, round robin. Every time we disconnect and reconnect the cable it starts talking after about 2 minutes.

It's obvious that these 8 IPv4 addresses are stored on the LPS.

We only connected the device to the cable once (before the 'Without device' section). After that we just connected the cable to the PC. Maybe this was our mistake, but it was eliminated after we changed the outgoing IP address.

Ok, this is just the technical setup part, but the issue is serious, as behind it is an iCloud breach with business-related picture extortion. I cannot talk about this in detail.

Sorry for not answering your questions in detail, but I hope you get a sense of it.

You know my slogan: Don't Feed Criminals! I will not talk further about the device (iPhone).

 
Posted : 27/02/2017 9:23 am
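The behaviour reported above (a cable left plugged into the analysis host that opens an outbound connection roughly every two minutes, cycling through a fixed set of eight addresses) is a classic beaconing pattern that can be confirmed from network flow records rather than by chip-off. The following is an added detection example, not code from the thread or from any of the posters: it runs over constructed flow records (documentation-range addresses, invented timestamps and sizes; the field layout `timestamp src dst dport bytes` is an assumption) and reports any (source, port) pair whose connections recur at a regular interval, flagging when the destinations rotate round-robin.

```python
"""Beacon / round-robin C2 detector over flow records.

Added example (not from the forum thread). SAMPLE_FLOWS is constructed
data in documentation address ranges; the line format
'timestamp src dst dport bytes' is an assumption, not a real tool's output.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: 10 regular ~2-minute connections cycling through 8
# destinations on port 443, plus two unrelated port-80 flows as noise.
SAMPLE_FLOWS = """\
2017-02-26T10:00:05 10.0.0.7 203.0.113.11 443 612
2017-02-26T10:02:07 10.0.0.7 203.0.113.12 443 608
2017-02-26T10:04:04 10.0.0.7 203.0.113.13 443 615
2017-02-26T10:06:09 10.0.0.7 203.0.113.14 443 611
2017-02-26T10:08:06 10.0.0.7 203.0.113.15 443 609
2017-02-26T10:10:05 10.0.0.7 203.0.113.16 443 613
2017-02-26T10:12:08 10.0.0.7 203.0.113.17 443 610
2017-02-26T10:14:06 10.0.0.7 203.0.113.18 443 614
2017-02-26T10:16:07 10.0.0.7 203.0.113.11 443 612
2017-02-26T10:18:05 10.0.0.7 203.0.113.12 443 607
2017-02-26T10:03:30 10.0.0.7 192.0.2.50 80 4310
2017-02-26T10:11:12 10.0.0.7 192.0.2.50 80 3990
"""


def parse_flows(text):
    """Parse 'timestamp src dst dport bytes' lines into dicts (blank lines skipped)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def find_beacons(flows, min_count=4, min_interval=60, max_interval=900, max_jitter=0.2):
    """Return one report per (src, dport) whose outbound connections recur at a
    steady interval. Jitter is the largest deviation of any gap from the median
    gap, relative to the median; round_robin is set when the destination
    sequence repeats with a period equal to the number of distinct destinations
    and at least one full cycle was observed."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dport"])].append(f)

    reports = []
    for (src, dport), fs in groups.items():
        if len(fs) < min_count:
            continue
        fs.sort(key=lambda f: f["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(fs, fs[1:])]
        med = median(gaps)
        if not (min_interval <= med <= max_interval):
            continue
        jitter = max(abs(g - med) for g in gaps) / med
        if jitter > max_jitter:
            continue
        dsts = [f["dst"] for f in fs]
        period = len(set(dsts))
        round_robin = (period > 1 and len(dsts) > period and
                       all(dsts[i] == dsts[i + period] for i in range(len(dsts) - period)))
        reports.append({"src": src, "dport": dport, "count": len(fs),
                        "median_interval_s": med, "jitter": round(jitter, 3),
                        "distinct_dsts": period, "round_robin": round_robin,
                        "dsts": sorted(set(dsts))})
    return reports


if __name__ == "__main__":
    for r in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"{r['src']} -> port {r['dport']}: {r['count']} connections, "
              f"median {r['median_interval_s']:.0f}s, jitter {r['jitter']}, "
              f"{r['distinct_dsts']} destinations, round-robin={r['round_robin']}")
        for d in r["dsts"]:
            print("   ", d)
```

On the sample the port-80 traffic is ignored (too few connections) and the port-443 series is reported as an 8-destination round-robin beacon with a median gap of about 119 s. The same logic applied to a capture taken with only the cable attached would give the investigator the address set to block and a timing signature to match against other hosts, without needing to know what the payload (here described as an AES-128 string) contains.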
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Sorry for not answering your questions in detail, but I hope you get a sense of it.

Sure, now it makes more sense, thanks.
Still I am not understanding the logic (which may be flawed): if the cable "phones home" even on its own (i.e. without any device connected), which kind of info (from the device) can it be transmitting?

I mean, would it be possible that it just transmits a sort of "telemetry" info not related to the device connected (or not connected)?

jaclaz

 
Posted : 27/02/2017 1:36 pm
(@coradias)
Posts: 1
New Member
 

Hi… I am a new user here. As per my knowledge, if we disconnect the device, leaving just the cable connected to the PC, the LPS sends an AES-128 string out to an IPv4 address that geolocates to the P.R.C. The delay time is between 158 sec and 203 minutes but seems to be initiated from outside.

pcb assembly

 
Posted : 08/03/2018 4:09 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Thank you for the work you all (jaclaz / athulin / Rolf Gutmann / et al.) perform protecting us citizens. I sincerely mean that.

 
Posted : 08/03/2018 7:09 pm