Tag Archives: Iphone

Accessing (Safely?) Nagios on iPhone

iPhone Nagios

I was looking for a Nagios application to install on my iPhone for testing purposes and I was surprised to find more hits than expected. It’s true that Nagios is one of the best (if not THE best) open-source monitoring solutions. There is a huge community of developers and contributors busy adding extra features or tools around the core application.

It sounds logical that a lot of projects started to expand Nagios monitoring capabilities to mobile devices. This post focuses on iPhone devices but the same logic applies to all mobile platforms.

Before deploying an application on my mobile, I had a look at the security aspects! Basically, Nagios is a web-based application and can be accessed directly from any mobile browser (no web 2.0 technology is used). The best way to access it is through an (SSL) VPN. But the standard web interface is not designed for small screens. Using a wrapper is much more convenient and makes full use of the native mobile interface, but it introduces some risks…

First, some applications are available for free and only provide “read-only” access to the Nagios data. On the other side, paid applications offer more features and allow the user to interact with the Nagios servers via “read-write” access. Possible actions are the Nagios classics: enable/disable checks, add comments, schedule downtime, acknowledge problems, etc.

Second, I reviewed some available applications on the AppStore. They use different methods to access the Nagios data:

  • Some access a MySQL database. In this case, Nagios must be configured to use NDOutils, an add-on which uses a MySQL backend to store the monitoring data.
    Example: the old versions of N-Mobility.
  • Some access the standard Nagios interface directly (based on CGI scripts) and “simulate” a browser.
    Example: TouchMon.
  • Some use a specific wrapper coded in PHP which grabs the Nagios data using the standard CGI scripts.
    Example: the new version of N-Mobility, or iNag.

Of course, you can restrict access to Nagios to the organization’s Wi-Fi network, but today users need mobility! The main consequence is that data could be accessed via public Wi-Fi, EDGE or 3G networks. If you plan to deploy a Nagios application on mobile devices, there are several security issues that you have to keep in mind:

  • Nagios servers contain critical data and must not be directly reachable from the Internet. From a pen-tester’s point of view, the data contained in the configuration files and check results has even more value than a port scan. It’s just like a gold mine!
  • Data sent between the Nagios server and the iPhone will pass through untrusted networks. It must be encrypted using SSL.
  • How do you authenticate the mobile devices? Only authorized devices may retrieve Nagios information.
  • What about the data stored locally in the mobile device’s memory? How does the application handle that data?

Here is an example of architecture to deploy a Nagios mobile application “in the wild”:

Safe Nagios Infrastructure


The traffic coming from the Internet must of course be filtered by a firewall. The mobile devices will talk to a server in a DMZ where the “wrapper” is installed. Connections from this wrapper to the Nagios server will be restricted and inspected by a second firewall. The traffic between the mobile devices and the proxy (at least) will be encrypted, and authentication is mandatory.

A good recommendation is to allow only a “read access” to the Nagios data. This will allow the mobile user to have a clear view of what happens on the monitoring infrastructure. If he needs to perform an intervention, he will use the regular remote access solutions (corporate laptop, SSL VPN, token, etc).
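The DMZ wrapper described above has one job on the application side: accept only authenticated, read-only requests and never forward anything that changes Nagios state. The following request-policy filter is an added example, not code from the original post or from any Nagios project. It assumes the wrapper can see each HTTP request’s method, target and authentication state before forwarding it; the CGI names are the standard Nagios ones (status.cgi, extinfo.cgi and tac.cgi are read-only views, cmd.cgi is the external-command interface), and the sample traffic at the bottom is constructed.

```python
"""Request-policy filter for the DMZ "wrapper" that fronts Nagios for mobile clients.

Added example, not code from the original post or from any Nagios project.
Assumptions not stated on the page: the wrapper sees each HTTP request's method,
target and authentication state before forwarding it to the internal Nagios
server, and the CGI names are the standard Nagios ones (status.cgi, extinfo.cgi
and tac.cgi are read-only views; cmd.cgi submits external commands such as
acknowledgements and scheduled downtime).
"""
import posixpath
from typing import Tuple
from urllib.parse import urlsplit

CGI_PREFIX = "/nagios/cgi-bin/"

# Read-only Nagios CGIs a mobile client may reach through the wrapper.
READ_ONLY_CGIS = frozenset({"status.cgi", "extinfo.cgi", "tac.cgi"})

# The CGI that changes Nagios state; never reachable from the mobile side.
COMMAND_CGI = "cmd.cgi"


def decide(method: str, target: str, authenticated: bool) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request arriving at the wrapper.

    TLS termination and the two firewalls live outside this function; here the
    wrapper enforces only "authenticated, GET-only, read-only CGIs".
    """
    if not authenticated:
        return False, "unauthenticated"
    if method.upper() != "GET":
        # cmd.cgi normally receives its command form via POST.
        return False, "method not allowed"

    path = urlsplit(target).path
    # Collapse "." and ".." first so "/nagios/cgi-bin/../cgi-bin/cmd.cgi"
    # cannot slip past a naive prefix check.
    path = posixpath.normpath(path)
    if not path.startswith(CGI_PREFIX):
        return False, "outside cgi-bin"
    script = path[len(CGI_PREFIX):]
    if "/" in script:
        return False, "nested path"
    if script == COMMAND_CGI:
        return False, "command interface blocked"
    if script not in READ_ONLY_CGIS:
        return False, "unknown cgi"
    return True, "ok"


def summarise(requests):
    """Apply the policy to (method, target, authenticated) tuples and count
    decisions per reason, the way an audit log of the wrapper would be read."""
    counts = {}
    for method, target, authenticated in requests:
        _, reason = decide(method, target, authenticated)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real deployment.
    sample = [
        ("GET", "/nagios/cgi-bin/status.cgi?host=all", True),
        ("GET", "/nagios/cgi-bin/extinfo.cgi?type=1&host=db01", True),
        ("POST", "/nagios/cgi-bin/cmd.cgi", True),
        ("GET", "/nagios/cgi-bin/cmd.cgi?cmd_typ=34", True),
        ("GET", "/nagios/cgi-bin/../cgi-bin/cmd.cgi", True),
        ("GET", "/nagios/cgi-bin/status.cgi", False),
    ]
    for method, target, authed in sample:
        print(method, target, decide(method, target, authed))
    print(summarise(sample))
```

The allow-list is deliberately closed: a CGI the policy does not know is refused rather than passed through, and the path is normalised before the comparison, so the read-only guarantee does not depend on the mobile application behaving well.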

To conclude, the remaining question is: do you really need to access Nagios when you are not at the office? Just from my own point of view…

iOS4 from a Security Point of View

iPhone Hacker

(source: iphoneusers.net)

The brand new firmware for the iPhone announced by Apple a few weeks ago has been publicly available since yesterday. Called “iOS4” (a special dedication to cisco.com), it includes more than 100 new features like multitasking, folders, etc. I won’t review them here; there are multiple complete reviews already available online. Google is your best friend!

But let’s focus on security. What changed with this new release? Remember the recent security hole found when connecting the iPhone to an Ubuntu host (the “auto-mounting” issue)?

Yesterday, in parallel with the iOS4 release, Apple also issued a security update dedicated to iOS4 (article HT4225). This document lists 64 (!) vulnerabilities fixed by the new firmware. If you check the iOS4 homepage, there is no information about the security fixes and new security features introduced with this release.

iOS4 comes with a “data protection” feature. From the Apple website: “Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages and attachments.”

Good point: developers have access to an API to use this data protection. Guys, it’s up to you to build secure applications from now on! But, on the other side, why does Apple only encrypt e-mails and contacts and not the whole set of user data? Smartphones contain so much sensitive information today!

Two important remarks:

  • The “data protection” feature is only available for devices that offer hardware encryption (iPhone 3GS and iPod Touch 3rd generation).
  • If you upgrade from a version 3 firmware to iOS4, you’ll need to restore your data to benefit from the encryption.

To conclude: upgrade to the iOS4 not only for the transparent background and folders but also for your security!

What About Confidentiality of Data in Repair Centers?

Warranty

Bad day today… My iPhone died! Yesterday it was 100% functional and today it refuses to boot or charge!? No reaction, even after a hard reset and a few hours of charging… This irritates me to the highest degree. Well!

No alternative, I went to my local dealer and explained the problem. Of course, they can’t do anything and my phone has to be sent to the repair center “for further analysis”.

After performing the required administrative tasks, I started the following conversation with the vendor:

Me: “And by the way, what about the confidentiality of my personal data?”
Vendor: “I hope you have a backup, your phone will be returned erased!”
Me: “Don’t care about my backup, but what about the data stored on the phone now?”
Vendor: “Of course, it’s always best to clean up the phone before returning it to the repair center.”
Me: “I agree… But it does not boot anymore! I can’t clean it up by myself!”
Vendor: “Ah! Indeed…”

Silence…

Vendor: “But normally, the engineers don’t read your data! Don’t be afraid! They cannot do this…”

New silence…

Vendor (smiling): “And if the phone is dead, your data won’t be accessible anymore!”

This conversation left me a strange feeling, almost as if my privacy could be violated!

Dear Mr Vendor, first, if the phone does not boot, it does not mean that the data won’t be readable anymore! Even storage media affected by a hardware failure can still reveal interesting information. Second, you have to know that the weakest link in a security policy or company policy will always be the human. In our minds, “prohibited” == “tempting”. That’s human behavior!

Today’s mobile devices are not used only to make and receive calls. They are part of your life and contain more and more sensitive data (SMS, e-mails, pictures, documents, videos, notes, …). And often, the security of these same devices is kept at a very low level!

Do you remember this story?

iPhone Tethering Howto

iPhone 3G

In the long list of new features brought by the new iPhone firmware 3.0, “tethering” is in my personal top ten! What’s this? Tethering is a way to connect to the Internet from a device (usually a laptop computer) using a mobile device as a modem/router. More information is available on Wikipedia.

Another Belgian blogger already posted a tutorial to enable tethering for Proximus users but it was related to Mac OS. I received more details from another friend and tested in my XP environment (running in a VirtualBox).

What are the requirements?

  • an iPhone 3G running a 3.0 firmware
  • a data subscription (in this case via Proximus)
  • iTunes

First, download the Proximus IPCC file (“iPhone Carrier Configuration File“) available here to your local disk.

Connect your iPhone to the host running your current iTunes instance. Open a command line and start iTunes with the following parameter:

C:\> cd Program Files\iTunes
C:\Program Files\iTunes> itunes /setPrefInt carrier-testing 1

Wait for all synchronization or backup operations to successfully finish and upload the IPCC carrier file by shift-clicking on the “Restore” button. A dialog box pops up and select the file:


Once done, open your iPhone settings (Setting -> General -> Network) and a new option must be available: “Internet Tethering”):


iPhone Connected

Leaving the USB cable connected, slide the switch to “On”; immediately, your Windows XP should detect a new USB Ethernet device and start the installation. A few seconds later, your new network connection should be ready, as seen on the right screenshot.

The new connection will be managed as a normal Ethernet connection and will receive an IP address via DHCP and a default gateway (Note: This could have a really bad impact on your bill if you leave your iPhone as default gateway for a long time. Traffic is charged by Proximus as data traffic. Take care, it is really expensive!)

To disconnect, just slide the option “Internet Tethering” to off on your iPhone.

Out of pure curiosity, I checked the IPCC file. In fact, like any Office 2007 document, it is a simple zip archive:

$ file proximus_be.ipcc
proximus_be.ipcc: Zip archive data, at least v1.0 to extract
$ unzip proximus_be.ipcc
Archive:  proximus_be.ipcc
   creating: Payload/
  inflating: Payload/.DS_Store       
   creating: Payload/PROXIMUS_BE.bundle/
  inflating: Payload/PROXIMUS_BE.bundle/carrier.plist  
  inflating: Payload/PROXIMUS_BE.bundle/Info.plist  
  inflating: Payload/PROXIMUS_BE.bundle/version.plist  
$ cd Payload
$ cd PROXIMUS_BE.bundle
$ file *
carrier.plist: XML  document text
Info.plist:    XML  document text
version.plist: XML  document text

The most interesting file is “carrier.plist” which contains all the settings to configure Web, MMS and Tethering with Proximus. I suppose it should be easily configurable for other carriers.
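Because the bundle is just a zip archive of XML plists, the same inspection can be done programmatically with the Python standard library. The script below is an added example, not part of the original post: it constructs a minimal .ipcc in memory with the Payload/<CARRIER>.bundle/ layout shown above, then walks the archive and parses every plist it finds. The plist keys and values in the sample (apns, tethering-apn, and so on) are constructed placeholders, not the real Proximus settings.

```python
"""Inspect an iPhone carrier configuration (.ipcc) file offline.

Added example, not part of the original post. The post only shows that an
.ipcc is a zip archive with a Payload/<CARRIER>.bundle/ directory holding
carrier.plist, Info.plist and version.plist; the plist keys used below are
constructed placeholders, not the real Proximus carrier settings.
"""
import io
import plistlib
import zipfile
from typing import Dict, Optional


def build_sample_ipcc() -> bytes:
    """Construct a minimal .ipcc in memory with the layout seen in the post."""
    bundle = "Payload/EXAMPLE_BE.bundle/"
    # Constructed values: not taken from any real carrier bundle.
    carrier = {"apns": [{"apn": "internet.example", "type-mask": 1}],
               "tethering-apn": "tether.example"}
    info = {"CFBundleIdentifier": "com.example.carrier"}
    version = {"CFBundleVersion": "1.0"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(bundle + ".DS_Store", b"\x00junk")  # noise, as in the post
        zf.writestr(bundle + "carrier.plist", plistlib.dumps(carrier))
        zf.writestr(bundle + "Info.plist", plistlib.dumps(info))
        zf.writestr(bundle + "version.plist", plistlib.dumps(version))
    return buf.getvalue()


def inspect_ipcc(data: bytes) -> Dict[str, Dict[str, dict]]:
    """Return {bundle_name: {plist_name: parsed_dict}} for every bundle found.

    Only files directly under Payload/*.bundle/ that end in .plist are parsed;
    anything else (e.g. .DS_Store) is ignored. Entries that try to escape the
    archive root are refused so an untrusted .ipcc cannot smuggle in paths.
    """
    result: Dict[str, Dict[str, dict]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if ".." in parts or name.startswith("/"):
                raise ValueError(f"unsafe archive entry: {name}")
            if len(parts) != 3 or parts[0] != "Payload":
                continue
            if not parts[1].endswith(".bundle") or not parts[2].endswith(".plist"):
                continue
            # plistlib accepts both the XML and binary plist formats.
            result.setdefault(parts[1], {})[parts[2]] = plistlib.loads(zf.read(name))
    return result


def tethering_apn(report: Dict[str, Dict[str, dict]]) -> Optional[str]:
    """Pull the (constructed) tethering APN out of the first bundle's carrier.plist."""
    for plists in report.values():
        carrier = plists.get("carrier.plist", {})
        if "tethering-apn" in carrier:
            return carrier["tethering-apn"]
    return None


if __name__ == "__main__":
    report = inspect_ipcc(build_sample_ipcc())
    for bundle, plists in report.items():
        print(bundle)
        for plist_name, content in plists.items():
            print("  ", plist_name, sorted(content))
    print("tethering APN:", tethering_apn(report))
```

To run it against a downloaded file, replace the call to build_sample_ipcc() with the bytes read from the .ipcc on disk; the parser does not care which carrier produced it, which is the point of the post’s remark about adapting the bundle to other carriers.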

And what about Linux? My XP runs in a VirtualBox on Ubuntu. It would be nice to access the 3G network from Linux when no other alternative is available. When I connect my iPhone to Ubuntu and enable tethering, nothing happens:

Jun 24 16:46:21 zeroday kernel: [60504.220520] usb 2-3: new high speed USB device using ehci_hcd and address 10
Jun 24 16:46:21 zeroday kernel: [60504.363052] usb 2-3: configuration #1 chosen from 4 choices

I found the following solution (via Bluetooth) via a script called uit.sh (“Ubuntu iPhone Tethering“). Looks nice!

One more time, take care of your carrier invoice! Data is really (far too) expensive, but it can help you to send/receive some urgent mails or tweets…

RSA Software Token for iPhone

RSA SecurID Logo

Since the 6th of June, a great application is available (for free) in the AppStore. RSA released an iPhone version of its software token!

I already spoke about strong authentication on this blog. To summarize, strong authentication is achieved by combining at least two different types of authentication methods from the following list:

  • Something you know (a password or a PIN code)
  • Something you have (a key, a token)
  • Something you are (your fingerprint, your retina, your hand, voice, …)

Strong authentication is also called multi-factor authentication. There are commercial products like the RSA SecurID, but there are also less expensive solutions, based on open-source code and very affordable hardware like the Yubikey (example: Strong authentication on Linux).


A token is a piece of hardware which generates an OTP (“One Time Password“). To log into a system, you need a login, the OTP generated by your token (and sometimes a PIN code). RSA provides a lot of hardware tokens.

The OTP is valid during a small period of time (like one minute). That’s why time synchronization is mandatory between the tokens and the authentication device.

Even if the tokens are small enough to be easily carried (in a pocket, on a keyring), they remain an extra piece of hardware to always bring with you! Why not use another device that we always carry, like a mobile phone? Modern mobile phones have enough resources (CPU, memory), have Internet connectivity and are synchronized via NTP.
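The two properties described above, a code that is only valid for a short period and a server that therefore needs a clock close to the token’s, can be shown with a few lines of code. The block below is an added example, not part of the original post: RSA SecurID uses RSA’s own proprietary algorithm, so this uses the openly specified TOTP (RFC 6238, HMAC-SHA1 over a 30-second counter) to demonstrate the same mechanism, and it adds a replay guard so a code is not accepted twice inside its window. The secret is the RFC 6238 test-vector secret, not a real token seed.

```python
"""Time-based one-time passwords with a validity window and a replay guard.

Added example, not part of the original post. RSA SecurID uses RSA's own
proprietary algorithm; this block uses the openly specified TOTP (RFC 6238,
HMAC-SHA1 over a 30-second counter) to show the property the post describes:
the code is valid only for a short time step, so the token's clock and the
authentication server's clock must agree. The secret below is the RFC 6238
test-vector secret, not a real token seed.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30  # seconds per time step
SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """Compute the TOTP for the time step containing unix_time (RFC 6238 / RFC 4226)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, candidate: str, server_time: int, last_counter: int = -1,
           window: int = 1, digits: int = 6, step: int = STEP) -> Optional[int]:
    """Return the accepted time-step counter, or None if the code is rejected.

    The server tolerates a clock drift of +/- `window` steps between token and
    server. A counter at or below `last_counter` (a code that was already
    used) is refused even if it matches, so an intercepted OTP cannot be
    replayed inside its validity window.
    """
    base = server_time // step
    for drift in range(-window, window + 1):
        counter = base + drift
        expected = totp(secret, counter * step, digits, step)
        if hmac.compare_digest(expected, candidate):
            return counter if counter > last_counter else None
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print("current code:", code, "accepted as counter", verify(SECRET, code, now))
    # A token whose clock is 90 seconds ahead falls outside a +/- 1 step window.
    ahead = totp(SECRET, now + 90)
    print("code from a fast token:", ahead, "->", verify(SECRET, ahead, now))
```

The window is the knob the post is really talking about: widen it and the server tolerates a worse clock, but every extra step also extends the time an intercepted code stays usable, which is why the replay counter is kept alongside it.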

For a long time, a Java RSA SecurID application has been available for mobile phones or any device running a Java VM. Since a few days ago, the same application is available for the iPhone!


The application is available for free and quite easy to integrate with your existing RSA infrastructure. My company provides RSA tokens to connect to SSL or IPsec VPNs. That was a good opportunity to perform some tests with my iPhone.

I asked my local admin (thanks Steven!) to create and assign a new software token to my account and I received an e-mail with a link like this:

com.rsa.securid.iphone://ctf?ctfData=xxxxxxx

Note: if your local admin uses Outlook to send you the token URL, it will be incorrectly formatted! (An extra “/” will be added: “ctf/?ctfData=”, which prevents the RSA iPhone application from installing the token.) For more details, read this blog post.

Read the received e-mail on your iPhone and open the link. The RSA application will start and automatically install the token. Once done, the next steps will depend on your local RSA installation. Check with your local admin for details. In my case, the token was configured in “new PIN” mode: during the first authentication, the system asked me to configure a PIN code.

More details are available on the RSA website.

iPhone + iTunes + VirtualBox

iTunes

As posted a few days ago, I configured my new corporate laptop. But iTunes was still missing (to sync my iPhone). I’m using iTunes to sync some Outlook content (contacts and calendar) and security podcasts (ok, and some MP3s too ;-).

Unfortunately, VirtualBox is known to be very sensitive regarding USB device management. Anyway, I successfully re-synced my iPhone on the new notebook. [Reminder: the native OS is Ubuntu and Windows XP is running as a VirtualBox guest.] Here is my procedure to re-sync the iPhone. Note that iPhone support has been fixed in release 2.0.6 of VirtualBox!

First, back up your old iTunes library. Follow the procedure described in the documentation. Keep the DVD or CD in a safe place for later use. It’s a straightforward operation.

Then, configure the USB support on Ubuntu/VirtualBox. In my case (Ubuntu 8.10 – Intrepid), the USB support in VirtualBox was not working out of the box. A nice error message was displayed each time I started the guest:

Could not load the Host USB Proxy Service (VERR_FILE_NOT_FOUND). 
The service might be not installed on the host computer. 

I had to manually perform some changes. Edit the file /etc/init.d/mountdevsubfs.sh and add the following lines at the end of the do_start() function:

# Create a private usbfs mount point and mount it with restrictive
# permissions (bus dirs 0700, device nodes 0600, listings 0644).
mkdir -p /dev/bus/usb/.usbfs
domount usbfs "" /dev/bus/usb/.usbfs usbfs \
   -obusmode=0700,devmode=0600,listmode=0644
# Expose the device list and make the whole tree visible under /proc/bus/usb,
# where VirtualBox's USB proxy service expects it.
ln -s .usbfs/devices /dev/bus/usb/devices
mount --rbind /dev/bus/usb /proc/bus/usb

The user running the VirtualBox guest must have read/write access to these files (check the permissions):

# /bin/ls -l /proc/bus/usb/*/*

Now, start VirtualBox and add the detected devices to your guest. Connect your iPhone (it should be detected at Linux level). You’re ready to boot your Windows XP guest. Once done, the detected USB devices should be available. Windows should detect your iPhone like a digital camera now.

Re-install iTunes and restore your data (with the DVDs/CDs created during the first step). Once the restore process is done, iTunes will detect your iPhone and start a sync. iTunes will detect that the iPhone was previously synced with another computer and ask you for confirmation: you can choose to merge or replace the data. Choose the first option.

The backup + sync operations took longer than on a native Windows XP but it worked perfectly. Once the synchronization successfully completed, disconnect the iPhone in a safe way: first, disable the iPhone via the VirtualBox sub-menu (the tool bar below the guest window) then disconnect the USB cable. Yes, my iPhone calendar is up-to-date now!

iPhone – Linux VPN

The iPhone 3G firmware is really open to the world via 3G or Wi-Fi. Compared to Wi-Fi, mobile networks are quite secure. Warning: I never said that they are bullet-proof, but tapping a mobile network requires far more resources than tapping Wi-Fi! Wireless networks are widely available, which makes them a good target for hackers!

On the iPhone, common applications can be secured (HTTPS in Safari and the mail client support SSL encryption) but the remote server must offer SSL services! Fortunately, the iPhone supports VPN! Three types of VPN are available: IPSEC, L2TP and PPTP. In this case, to protect our personal information, why not encrypt all the traffic through a VPN session established with a remote server? Let’s go!

iPod Auto-Erase Feature

The new firmware 2.1 is available for the iPod and introduced a new feature: You can configure your device to automatically erase all its data after ten unsuccessful password attempts!

iPhone Auto-Erase Feature


No idea if the same feature will be present in the iPhone version (which should be available today). Nice feature but be sure to have a strong backup policy in case you’ll try to unlock your device after a very long party night! ;-)