Last week, a fake iOS App Store server went live with simple instructions for how to circumvent paying for in-app purchases (such as bonus levels in games) and unlock them for free. Most apps were vulnerable to being duped into believing the user had already paid for their content. Many people willing to engage in software piracy eagerly followed the steps and found that they worked, but there was a lot of confusion about how it could possibly work and whether it was safe. The particular person who published the instructions added a note to remember not to type in your real username and password when prompted, which should be a big hint that while he was not looking to harvest the passwords, they were all being sent to his fake App Store server. Anyone could set up an alternate server – especially if his is blocked by law enforcement – and conveniently "forget" to mention that whatever username and password you type in will be sent to them. Even with the warning, many people admitted to using their real username and password with the pirate server, because they did not realize they were giving it away to a stranger. Let's be clear: the existing fake iOS in-app purchase server has not yet been caught being malicious, but the techniques it uses to enable piracy are dangerously insecure. This is a story about exactly how it can go wrong.
There is a full transcript after the images for screen readers.
How Sally Got Owned – a sad cautionary tale by Melissa Elliott / @0xabad1dea (picture of young girl with tablet computer) This is Sally. Her parents got her a tablet for her birthday, but she doesn't have much allowance to spend on things like apps and music. That's a shame, because her favorite game just came out with an add-on pack that costs $5. (picture of a cheerful pirate with an eye-patch) But wait! Peter Pirate claims that he has an easy way to get the expansion pack for free! Sally is internet-savvy enough to wonder if it's a prank, but her friend already tried it and it really works! (picture of Peter Pirate holding up a tablet with the settings screen) "It's very simple," explains Peter. "First, go into your wi-fi settings and find the one called 'DNS Server.' Change it to the number I give here." (picture of a shiny certificate that says "Fakey McFakeFake, totally a legit authority") "The second step is to install this file I made called a 'root certificate' to your tablet. No matter how many times the confirmation dialogue warns you that its authenticity cannot be verified, keep tapping yes!" (picture of Sally looking uncertain) Sally doesn't know what a DNS server or a root certificate is, and instead of asking someone she thinks to herself: "Well, what's the worst that could happen?" Sally follows the instructions and gets her free stuff. The next day, Sally finds that someone has logged into her Facebook. What?! This is based on the true story of a real hack, although no-one has gotten their Facebook stolen – or maybe just not yet. Let's examine how this hack works, why it only works with Sally's full co-operation, and why these two simple steps empower Peter Pirate to steal the private accounts on Sally's tablet if he wants to. Should you really trust someone who is helping you cheat your way out of paying? (A picture of Sally's tablet and Peter Pirate. An arrow reading "TOTAL TRUST" connects the two.) Sally has modified settings on her tablet that instruct it to believe whatever Peter says. She's counting on him – whether she realizes it or not – to play by friendly rules. But will he? DNS stands for "domain name system" and is an essential part of the internet that converts people-friendly website names like "veracode.com" to computer-friendly IP addresses like 220.127.116.11. It's essentially just a giant phone book that is constantly updated, not only because new websites are added but because existing ones have moved or changed ownership. (a diagram of a tablet looking for veracode.com. The request goes through its wi-fi router, which forwards it the ISP's DNS server, which asks an authoritative server for the newest information.) That's highly over-simplified but you get the idea. Under normal circumstances, your computers will automatically find your internet service provider's DNS server, which chats with other DNS servers to keep up to date. The system is not perfect; when an incorrect domain-name-to-IP-address conversion (often planted by a hacker) gets spread, that's called DNS poisoning. However, such poisoned info is usually fixed within hours. Most computers allow you to override your auto-detected DNS settings with a specific server; maybe the default one is too slow or participates in censorship or redirects you to tacky ads when a domain is not found. However, you had better pick a replacement server that's honest! (diagram: The tablet is looking for veracode.com but asks to skip the ISP's DNS server and be sent straight to Peter. Peter gleefully cackles: "I can say whatever I want and you'll believe me!)" When you manually change your DNS server, you are giving whoever runs it the power to lie to you – and to the apps running on your computer. That's the first step in how Peter Pirate's cheating technique works. He has set up his own DNS server which only has one answer to give: itself! (picture: The tablet says "I'm the store app. I need to find the payment site." A pirate server says: "It's… right here! What a coincidence!") When the app store attempts to connect to the payment server, it receives a fake answer from Peter Pirate and proceeds to start an inquiry about payment with Peter. If the payment connection was not authenticated, that would be the end of it as Peter has successfully impersonated the real server and can lie about the payment having gone through, fooling the game into unlocking the bonus pack. Achievement unlocked: Blatant Piracy! However, of course the programmers of the store app were smart enough to use authentication; this means that – if Peter only fakes the DNS – all that will happen is this: (a computer message that says "ERROR! Could not connect! Try again later.") Mind you, this is a good thing – it's what keeps important websites like your bank from being easily impersonated. The store app detected that it had not been given an authorized encryption key from the payment server and refused to talk to it. Now, I'm skipping over a lot of details here – SSL encryption is very complicated – but Peter notices that the store does not only accept one specific "certificate" (an encryption key that is bundled with the info of what site owns it) but will accept any certificate issued in the payment server's name if it's certified as authentic by a trusted Certificate Authority. Peter Pirate needs to get in the business of being a trusted Certificate Authority! (picture of Peter proudly holding up a fake certificate, exclaiming "Here at Pirate Passports we guarantee to issue ID!") Your computer came pre-stocked with a list of Certificate Authorities (CA's) that are considered safe to trust, such as Verisign or GoDaddy. Every once in a while, a CA is disgraced and removed from these lists – that was the sad fate of one called DigiNotar when it was hacked and used to sign off on fake certificates for sites such as Google. If Peter is willing to commit some serious crimes, he could try to hack a reputable CA and make a forged certificate for the payment server. However, he has the advantage that Sally is willingly co-operating, so there's an easier way. Most computers have a way for the owner to manually add a new CA to the trusted list, both because a new one might become popular and because many corporations, schools and governments run their own private CA's. Hence, Peter can merely make his own private CA and ask Sally to manually approve it for her tablet. There's no paperwork involved; making a private CA consists only of Peter running a program on his computer to generate a file called a root certificate. He sends it to Sally, and her tablet warns her that it could be issued by anybody and she should be very certain she trusts it before saying yes. (A picture of Sally saying "meh, why not" as she taps on her tablet.) Now he can make his own "genuine" certificate for the payment server and the store app won't be able to tell the difference. It will first receive a fake IP address and then a fake-but-real-looking SSL (secure sockets layer) certificate. It will now proceed blissfully unaware that it's been had. In security parlance, we would say that the server has been "spoofed." Sally thinks nothing of it when she taps her username and password into the store app after configuring her tablet to be hacked. She doesn't realize that she just transmitted that information to Peter! Sally, was your app store password the same as your Facebook? (picture of Sally looking embarrassed, saying "…Maybe?") Sally, this is why everyone tells you to use different passwords! It was a prank after all – a cruel prank to steal the passwords of people willing to do anything to not spend $5 in the app store. Now suppose Sally was savvy enough to have a unique password for every important website. That should keep the maximum damage Peter can do pretty low, right? He only got her app store account. … Not really. While Sally is busy unlocking free stuff in her game, her email app hits its fifteen-minute timer and logs in to check for new mail. Peter planned ahead for this and made fake certificates for the most common mail providers. Hence, the email client is tricked by the fake DNS and fake certificate, and sends Sally's email account name and password to Peter. There's probably a lot he can do with that! (a picture of Sally sobbing) It all ends in tears for Sally, who now has to explain to her grandparents why her Facebook is covered in (censored). Good luck, Sally. Don't make yourself an easy target. Stick to legitimate software from trusted sources as much as possible. Piracy often leaves you exposed with dangerous techniques like this, with unpatched security holes, or with deliberately infected copies of games or movies. Trusting cheaters is how Sally got owned. veracode.com - application security in the cloud (including iOS and Android!)