iOS IPSec client is vulnerable to DNS hijacking

Originator:davepeck
Number:rdar://21622967 Date Originated:30-Jun-2015 05:01 PM
Status:Open Resolved:
Product:iOS Product Version:8.4
Classification:Security Reproducible:Always
 
Summary:

A recent paper titled "A Glance through the VPN Looking Glass" discusses several VPN client vulnerabilities, including novel new DNS hijacking attacks. After investigation, we believe that iOS <= 8.4 is vulnerable to the DNS hijacking attack described in section 5.3.2 of the paper. (We suspect iOS 9 is similarly vulnerable, but we have not yet tested.) This attack requires an adversary to control the DHCP host that the victim is connected to, which is to say, the attack does not require particularly complex network vantage. The attack assigns the victim an IP address within a small bogus subnet that includes the VPN provider's DNS server, thereby binding all traffic on the subnet toward the non-virtual network interface with sufficiently high priority in the routing table that DNS requests will be routed outside of the tunnel. This in turn can be leveraged to proxy all non-HTTPS traffic -- aka, to turn the VPN into an effective no-op from a security perspective. It should be noted that this attack is described as related to PPTP and L2TP in the paper, but after investigation we believe does indeed apply to the iOS IPSec implementation too. (A simple look at the device's network interfaces and routing tables should confirm this is the case; see notes below for a link to the paper and our suggested mitigation.)


Steps to Reproduce:

1. Set up a IPSec VPN endpoint
2. Have that VPN endpoint push DNS servers with a well-known IP address (for example, 8.8.8.8)
3. Run a 'malicious' DHCP server as described in the "Looking Glass" paper, section 5.3.2
4. Connect an iOS device to the VPN endpoint
5. Examine the routing table to verify that a malicious DHCP server can successfully convince the iOS device to route DNS requests outside the IPSec VPN tunnel


Expected Results:

iOS device running built-in IPSec client is not vulnerable to DNS hijacking attack


Actual Results:

iOS device running built-in IPSec client *is* vulnerable to DNS hijacking attack


Version:

iOS 8.4


Notes:

To fix this problem, iOS should insert static routes into the routing table that explicitly route traffic to the DNS servers pushed through the tunnel.

You can download a copy of "A Glance through the VPN Looking Glass" at http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf

It appears that anyone who takes advantage of iOS 9's packet tunnel provider extension point will be able to provide their own routes, and therefore mitigate this attack. But the default IPSec client should certainly do so too!

To be perfectly clear, while the paper suggests mitigations against the DNS hijacking attack in section 5.3.2, *none* of these (including the VPN-gateway-IP-is-DNS-IP) work successfully given the default IPSec stack's routing table configuration.

Comments


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!