Intrepidus Group Security Advisory

http://www.intrepidusgroup.com


Title:              Apple TV Touch Setup Wi-Fi and iTunes Password Disclosure
Release Date:       10 March 2014
Discoverer:         David Schuetz <david.schuetz@intrepidusgroup.com>
Vendor:             Apple
Vendor Reference:   http://support.apple.com/kb/HT1222
CVE Reference:      CVE-2014-1279
Systems Affected:   Apple TV (3rd generation) running ATV 6.0 - 6.0.2 
Risk:               Medium
Status:             Published

Timeline

  • Discovered: 10 October 2013
  • Reported: 8 November 2013
  • Fixed: 10 March 2014
  • Published: 10 March 2014

Summary

The release of Apple TV version 6.0, based on iOS 7.0, introduced a new convenience feature for the setup of new Apple TV units, colloquially referred to as “Touch Setup.”

This features permits a user with a mobile iOS device such as an iPhone, to use BlueTooth Low Energy (BTLE) to transfer certain configuration information to a newly-activated Apple TV system, including iTunes Store ID and password, and Wi-Fi SSID and password.

An issue exists where detailed logging is enabled in the Apple TV.app binary, resulting in detailed packet data being dumped to the Apple TV log. This data includes hexadecimal representations of the configuration information transferred from the mobile device to the Apple TV, including AppleID and Wi-Fi passwords passed in cleartext.

An attacker with access to an Apple TV may be able to recover this data from the system log, if it has been stored on the Apple TV.

Details

Apple TV applications may save certain logging and debugging information to the system using NSLog() and similar mechanisms. The logs may be viewed by attaching the Apple TV unit to an OS X system via a micro-USB cable, and using an application such as the Xcode Organizer or iPhone Configuration Utility.

In general, these log entries are ephemeral, however, certain log data on the Apple TV (and other iOS devices in general) are retained to some degree on the device filesystem and may thus be available for viewing at a later date. At this time, it is not clear whether the Touch Setup logs are retained on the Apple TV or mobile iOS device after completion of the setup process.

The Apple TV app (as well as the touchsetupd daemon on the mobile iOS device) sends detailed descriptions of data sent and received during the Touch Setup process.

In the case of the mobile iOS device, this data is encrypted using a key exchanged between the two devices. However, it may be possible that enough information is leaked in these debug messages (or other related log entries) that an attacker may recover the session key and thus decrypt the entire conversation.

In the case of the Apple TV unit, the data are generally written to the log two or even three times: First, the raw encrypted data as received from the mobile device, then the decrypted, yet compressed, plaintext of that data, and then finally the uncompressed data itself.

The decompressed data containing configuration information required to complete the Touch Setup process is provided as a binary property list (plist). The plist contains, among other data, the following information:

AppleID (iTunes account) information:

  • First Name
  • Last Name
  • AppleID (email address)
  • Password

Local Wi-Fi information:

  • SSID
  • Password

Steps to Reproduce

To demonstrate this vulnerability, the following hardware will be required:

  1. Apple TV (3rd generation) running Apple TV system version 6.0 through 6.0.2
  2. A “recent” mobile iOS device such as iPhone 4S or later (see Systems Affected for full list), running iOS version 7.0 or later
  3. A system running OS X, with Xcode installed
  4. A display connected to the Apple TV via HDMI
  5. A micro-USB cable connected to the Apple TV and ready to connect to a system running OS X

The procedure is as follows:

  1. Ensure the Apple TV is “factory fresh” either by acquiring a new, shrink-wrapped unit, or using a full “factory reset” on an existing unit.

  2. Connect the Apple TV to the display using HDMI

  3. Connect the micro-USB cable to the Apple TV (it may be necessary to obtain a very low-profile connector, or to use a utility knife to shave the micro-USB connector, in order to connect both the HDMI and USB connectors simultaneously). DO NOT connect the cable to the OS X machine at this point.

  4. Ensure the mobile iOS device has BlueTooth enabled and is logged in to the local Wi-Fi network (following Apple’s instructions: http://support.apple.com/kb/HT5900)

  5. Launch Xcode on the OS X system, and open the Xcode organizer.

  6. Reboot the Apple TV by removing and re-inserting the power cable. Once the Apple logo has appeared (or shortly thereafter) connect the micro-USB cable to the OS X system.

  7. In Xcode organizer, select the Apple TV device and view its Console log. It may be desirable to connect the mobile iOS device via another cable to capture its log as well.

  8. When the Apple TV has reached the language selection screen, follow the instructions to complete the Touch Setup process.

  9. Save the Apple TV log data to a text file.

  10. Search the log file for data similar to the following:

    Oct 10 15:48:07 Apple-TV Apple TV[24] : [TRDeviceSetupServer] Decompressed data: <62706c69 73743030 d2010203 04516151 70557365 747570d9 05060708 090a0b0c ….

  11. Select the hexadecimal data (between the <> marks on that log entry) and convert to a binary file.

  12. View that file using a plist editor. For example,

    plutil -convert json -r -o -

  13. The data recovered should look something like this: [keys and other data which may be unique or private have been redacted here]

{
  "a" : "setup",
  "p" : {
    "au" : {
      "h" : {
        "x-apple-orig-url" : "https:\/\/p44-buy.itunes.apple.com\/WebObjects\/MZFinance.woa\/wa\/authenticate",
        "edge-control" : "no-store, cache-maxage=0",
        "x-set-apple-store-front" : "143441-1,19",
        "Expires" : "Thu, 10 Oct 2013 22:47:49 GMT",
        "apple-timing-app" : "402 ms",
        "pod" : "44",
        "Cache-Control" : "private, no-cache, no-store, no-transform, must-revalidate, max-age=0",
        "x-apple-lokamai-no-cache" : "true",
        "Content-Type" : "text\/xml; charset=UTF-8",
        "x-apple-translated-wo-url" : "\/WebObjects\/MZFinance.woa\/wa\/authenticate",
        "x-apple-jingle-correlation-key" : "--redacted--",
        "Content-Encoding" : "gzip",
        "x-apple-date-generated" : "Thu, 10 Oct 2013 22:47:48 GMT",
        "x-apple-application-site" : "ST13",
        "x-apple-application-instance" : "440051",
        "x-apple-asset-version" : "0",
        "Date" : "Thu, 10 Oct 2013 22:47:49 GMT",
        "Set-Cookie" : "X-Dsid=--redacted--; version=\"1\"; expires=Fri, 10-Oct-2014 22:47:49 GMT; path=\/; domain=.apple.com, TrPod=3; version=\"1\"; expires=Fri, 10-Oct-2014 22:47:49 GMT; path=\/; domain=.apple.com, isPpuOptOut=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.apple.com, hsaccnt=1; version=\"1\"; path=\/WebObjects; domain=.apple.com, mz_at0---redacted--=--redacted--; version=\"1\"; expires=Wed, 30-Sep-2015 22:47:49 GMT; path=\/; domain=.apple.com, mz_at_ssl---redacted--=--redacted--; version=\"1\"; expires=Sat, 10-Oct-2015 22:47:49 GMT; path=\/; domain=.apple.com; secure, Pod=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.itunes.apple.com, X-Dsid=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.volume.itunes.apple.com, X-Dsid=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.vpp.itunes.apple.com, X-Token=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.volume.itunes.apple.com; secure, X-Token=; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/; domain=.vpp.itunes.apple.com; secure, Pod=44; version=\"1\"; expires=Sun, 10-Nov-2013 23:47:49 GMT; path=\/; domain=.apple.com, itspod=44; version=\"1\"; expires=Sun, 10-Nov-2013 23:47:49 GMT; path=\/; domain=.apple.com, mzf_in=440051; version=\"1\"; path=\/WebObjects; domain=.apple.com; secure, mzf_odc=ST1; version=\"1\"; expires=Thu, 10-Oct-2013 23:17:49 GMT; path=\/WebObjects; domain=.apple.com, mzf_dr=0; version=\"1\"; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=\/WebObjects; domain=.apple.com, ns-mzf-inst=179-11-80-157-121-8031-440051-44-st13; version=1; Max-Age=1800; path=\/; domain=.apple.com; httponly",
        "x-webobjects-loadaverage" : "23",
        "x-apple-request-store-front" : "143441-1,19 t:6",
        "Content-Length" : "522",
        "itspod" : "44"
      },
      "b" : {
        "status" : 0,
        "password" : "--redacted--",
        "m-allowed" : true,
        "creditBalance" : "1311811",
        "freeSongBalance" : "1311811",
        "clearToken" : "--redacted--",
        "is-cloud-enabled" : "true",
        "passwordToken" : "--redacted--",
        "dsPersonId" : "--redacted--",
        "creditDisplay" : "",
        "accountInfo" : {
          "address" : {
            "firstName" : "David",
            "lastName" : "Schuetz"
          },
          "accountKind" : "0",
          "appleId" : "--redacted--"
        }
      }
    },
    "np" : "--redacted--",
    "c" : "US",
    "l" : "en",
    "ns" : "--redacted--",
    "ha" : "--redacted--",
    "rp" : true,
    "hg" : "00000000-0353-d139-58e8-619c235c480b",
    "di" : true
  }
}

Fix Information

A review of the affected binaries using IDA Pro indicates that these debug statements are hard-coded into the system. It may be possible for Apple to remotely change the “DEBUG LEVEL” at which the system is run, to prevent this data from being logged, however, it is not clear whether that will be possible.

Even if the logs are remotely disabled, the capability remains, and may be inadvertently or maliciously reactivated at a later date. It is expected that a fix will only be available by completely removing the logging commands from the binary and shipping a new release of the Apple TV software.


After reviewing the vulnerability, the vendor responded that the issue would be fixed in a future release of the Apple TV operating system.

The vendor has indicated that the issue was fixed in Apple TV system 6.1 (based on iOS 7.1), released on 10 March 2014. A review of the affected binaries in a pre-release version of 6.1 has indicated that the data is no longer written to the log.