SSL Snarfing

Here we show you step-by-step how simple it can be for someone to steal your email password from your iPhone


…and what you can do about it.

I’m going to show you how easy it is to steal the email password to an iPhone, just doing it over wireless. It’s Incredibly straightforward and it’s all to do with the fact it is all too easy to accept an invalid SSL certificate on an iPhone.

So, we’ve got some scripts here [shown on monitor]. They’re used to throw up a fake wireless access point. We’re using these tools, Airbase (Airbase-ng) and Ettercap, to do an SSL man-in-middle attack.

What we’ll do is just sit here and wait for the iPhone to try and join our fake wireless network. We’ll then offer it an SSL certificate, a fake one that’s based on the real one it trusts from the mail server that it’s trying to receive mail from. There’s only a few bytes difference between the SSL certificates, but it’s enough to enable this man-in-middle attack.

I’ve got Airbase which a wireless tool you can get hold of very easily- it’s part of the BackTrack distribution. It’s running a DHCP server so we can give it an IP address. We’re also using Ettercap to perform the man-in-middle attack- basically capturing the SSL certificate, modifying it and sending it back to the device.

The fake access point we’re running has been named “BT Openzone”, because it’s the most popular access point name out there. We could call it pretty much anything, we could even use tools like the wireless Pineapple to do this on-the-fly for us. Obviously the iPhone doesn’t send its credentials in clear text, it uses SSL based encryption. The problem is the error message that the iPhone presents to the user. If you try to synchronise your email, and have an invalid SSL certificate you get this error message [screen shot of the message]. It’s simply too straightforward. It says Cancel, Details, or Continue in blue. Frankly I think the majority of people would simply press Continue. Just by accepting that invalid certificate you can now see the password to the user’s email account has popped-up here [on monitor]. I can now log in to their mail, do anything I want, steal their identity, the works.

The real issue is the fact that the invalid SSL certificate warning is just too basic. It’s not red, it doesn’t flash, there are no danger signs provided. If you compare that to a warning with an Android phone it tells you not to do it. On a Windows phone, as rare as they are, it’s impossible to accept an invalid SSL certificate in most configurations. I really think Apple need to make these errors red so that people understand that accepting an invalid SSL certificate is really, really bad. It’s going to result in your password being pinched.