Black Box Version 1.0 User Manual, Page 23

Push Profile to Device
• Can’t send the push message
• But can instruct device to poll
    MDMOutstandingActivities.plist
    The “Status: Idle” message
    Place into ConfigurationProfiles folder
    Device will poll MDM server
• If command is “InstallProfile”:
    Device responds “Not Now”
    Waits until unlocked, then tries again

Re-Installing MDM
• If device receives new MDM profile
    Fails: “Device already managed by MDM”
• Unless new profile exactly matches old
    Then, the device silently re-enrolls
    Sends Token, PushMagic, and UnlockToken
• Since we’re MITM, those come to us
• Can’t use the APNS tokens
    Don’t have right push cert

No matter what we retrieve from the device, it’s unlikely we’ll be able to
forge the push messages through Apple. So the attacker could simply
wait for the legitimate MDM server to send a push message, or force a
poll of the server by adding a special file to the device. Once the device
sees that file, it contacts the server. If the server then responds with the
installation command for our copy of the MDM profile, the device will say
“Not Now” and refuse to install. But as soon as the device is unlocked, it
will remember that it deferred a profile, contact the server, and complete
the command.

Normally, installing a new MDM profile results in an error from the
device. But as mentioned, if the profile exactly matches the existing one,
the device will simply “re-enroll” in the same service. It does this silently,
without any indication to the user at all.

Since the attacker is impersonating the MDM server, the attacker now
gets the new UnlockToken. (They also get a new APNS token and
PushMagic string, but those are useless without the right APNS
certificate.)
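
Because the re-enrollment shows nothing on the device, the check-in message is the only place it is visible. The following is an added example, not part of the original slides: a server-side audit that classifies TokenUpdate check-ins and records only fingerprints of the secrets. The sample messages, the UDID and Topic values, and the rule "changed PushMagic or UnlockToken means re-enrollment" are assumptions made for illustration.

```python
import hashlib
import plistlib

SECRET_FIELDS = ("Token", "PushMagic", "UnlockToken")

def fingerprint(value):
    """Short SHA-256 tag so secrets can be compared in logs without being stored."""
    data = value if isinstance(value, bytes) else value.encode()
    return hashlib.sha256(data).hexdigest()[:12]

def audit_checkins(raw_messages):
    """Return one audit event per TokenUpdate check-in, flagging re-enrollments."""
    enrolled = {}  # UDID -> {field: fingerprint} seen so far
    events = []
    for raw in raw_messages:
        msg = plistlib.loads(raw)
        if msg.get("MessageType") != "TokenUpdate":
            continue
        udid = msg["UDID"]
        current = {f: fingerprint(msg[f]) for f in SECRET_FIELDS if f in msg}
        previous = enrolled.get(udid)
        if previous is None:
            kind, changed = "enroll", sorted(current)
        else:
            changed = sorted(f for f in current if previous.get(f) != current[f])
            # Assumed heuristic: a new PushMagic or UnlockToken means the
            # MDM profile was installed again, not just a push-token rotation.
            rekeyed = "PushMagic" in changed or "UnlockToken" in changed
            kind = "re-enroll" if rekeyed else "token-refresh"
        events.append({"udid": udid, "kind": kind, "changed": changed,
                       "has_unlock_token": "UnlockToken" in current})
        enrolled[udid] = {**(previous or {}), **current}
    return events

def _token_update(udid, token, magic, unlock=None):
    # Constructed sample check-in; every value here is made up.
    msg = {"MessageType": "TokenUpdate", "UDID": udid,
           "Topic": "com.example.mdm", "Token": token, "PushMagic": magic}
    if unlock is not None:
        msg["UnlockToken"] = unlock
    return plistlib.dumps(msg)

SAMPLE = [
    _token_update("UDID-0001", b"\x01" * 32, "MAGIC-A", b"unlock-A"),
    _token_update("UDID-0001", b"\x02" * 32, "MAGIC-A"),               # token rotated only
    _token_update("UDID-0001", b"\x03" * 32, "MAGIC-B", b"unlock-B"),  # profile re-installed
]

if __name__ == "__main__":
    for event in audit_checkins(SAMPLE):
        print(event)
```

A "re-enroll" event for a device that no administrator re-enrolled is the case worth alerting on.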