Eric Smith Report - Amanda Ladas vs. Apple Case
Attached hereto and marked as Exhibit "4" to this my affidavit is a true copy of
October, 2012.
Section 1: Introduction
This report was prepared by Eric Smith of Danville, Pennsylvania. My areas of expertise include: information network design, information security, and analysis of electronic data transmissions. A curriculum vitae outlining my education, certification, and experience is included as an appendix to this report.
Action.
Opinion
My opinion and findings are detailed in Section 3: Conclusions.
Reasons for Opinion
The reasons for my opinion are based on the findings outlined in this report.
Assumptions
This report assumes an unmodified Apple smart device (e.g., iPhone) running the iOS4x operating system is used in a routine fashion by its owner.
Methodology
Complete details as to the methodology of investigations performed in this report are included in
Section 2: Methodology.
the court and not be an advocate for any party, that I have made this report in conformity with that duty, and that I will, if called on to give oral or
am responsible
Exhibit "A"
Respectfully submitted,
Eric Smith
Eric Smith
www.pskl.us
Karn C. Drumheller, Notary Public, Cooper Twp, Montour County; commission expires January lL, 2016
iOS4x Operating System Privacy Issues: An Analysis of Data Transmitted from an Apple Device to the Apple Corporation
Contents
List of Figures
Section 1: Instructions Provided and Nature of Opinion Sought
    Introduction
    Opinion
    Reasons for Opinion
    Assumptions
    Methodology
    Advice and Certification
Section 2: Methodology
    Phase One: Analysis of an Idle Device
    Phase One Analysis, Part One: Initial Phone-Home Analysis
    Phase One Analysis, Part Two: Periodic Phone-Home Analysis
    Phase Two: Analysis of IOS4 Communications during Device Usage
    Phase Two, Part I: Installing Applications
    Phase Two, Part II: Downloading Media
    Phase Two, Part III: Using Applications
Section 3: Conclusions
Appendix
    Appendix A: Extraction of Geolocation Data from the WIGLE Database
List of Figures
Figure 1: The iOS4x Device Studied
Figure 2: The Laboratory Data Network
Figure 3: iOS4x Network Configuration Page
Figure 4: Proxy Server Configuration
Figure 5: PIX 515 Firewall Configuration
Figure 6: Generation of a RSA Keypair
Figure 7: Creation of a Certificate Signing Request
Figure 8: Creating the Signed Certificate
Figure 9: Combining the Keys and Certificate
Figure 10: The Initial "Install Profile" Screen
Figure 11: Certificate Installation Warning Screen
Figure 12: Trusted Root CA Installation Complete
Figure 13: Connection to gs-loc.apple.com
Figure 14: Security Certificate for gs-loc.apple.com
Figure 15: Data Transmitted to gs-loc.apple.com
Figure 16: Response from gs-loc.apple.com, Page 1 of 2
Figure 17: Response from gs-loc.apple.com, Page 2 of 2
Figure 18: Ethernet MAC Address of the Cisco 1231 AP
Figure 19: WIGLE Cross-Reference Data
Figure 20: WIGLE.net Locations of Access Points Found in the Apple Data
Figure 21: Data Uploaded to iphone-services.apple.com
Figure 22: Wireless MAC Address of the Cisco 1130 Access Point
Figure 23: Periodic Data Upload to iphone-services.apple.com
Figure 24: The iOS4 App Store
Figure 25: Information Required to Obtain an Apple ID
Figure 26: Logging into Apple's App Store on the iOS4x device
Figure 27: App Store Login and Subsequent Transmission of the AppleID and Password to Apple
Figure 28: Purchasing music via the iTunes application
Figure 29: Logging into iTunes to Purchase Music
Figure 30: iTunes Login and Subsequent Transmission of the AppleID and Password to Apple
Figure 31: An IOS Application using the iAd System
Figure 32: Relationships between Collected Data
Section 2: Methodology
For the investigations outlined in this report, an Apple iPhone 3GS running iOS version 4.3.3 (Figure 1) was used. For the purposes of this study, a device with an inactive cellular connection was employed so we could ensure that all data transiting the device would pass through the built-in 802.11 WiFi connection and not a cellular telephone network.
Figure 1: The iOS4x Device Studied
Note the "No Service" icon which indicates the absence of a cellular data connection. To determine the extent to which location data was being automatically shared with Apple, a wireless network was created in a laboratory setting so that any data transmitted via the device's built-in WiFi radio could be collected and analyzed (Figure 2). The networking hardware used for this investigation consisted of a Cisco wireless access point model 1130 and a Cisco wireless access point model 1231, both connected through a Cisco 3550 24-port Ethernet switch to a Cisco PIX 515 firewall. The PIX 515 was configured so it provided network address translated (NAT) internet access to any devices which connected to the Cisco wireless access point. Several Intel-PC based workstations were also connected to the Cisco 3550 Ethernet switch so traffic transmitted through the wireless network could be analyzed.
Figure 2: The Laboratory Data Network (diagram labels: Internet, Intel-PC Workstation, WiFi AP #1 (1231), WiFi AP #2 (1130), iOS4x Device, Wired Connection)
By design, switched Ethernet networks do not permit the inspection of traffic by a monitoring station. In order to bypass this limitation, proxy software was installed on the Intel-PC computer systems. The proxy software used in this investigation includes the Charles Debugging Proxy [3], MITM Proxy [4], and Ettercap [5]. The Intel-PC computer systems ran the Microsoft Windows 7 and Backtrack Linux [6] operating systems.
In order to direct network traffic from the iOS4x device through the appropriate proxy server, the iOS4x device was connected to the lab's wireless network. A static IP address and subnet mask were configured as shown in Figure 3.
[3] http://www.charlesproxy.com/
[4] http://mitmproxy.org/
[5] http://ettercap.sourceforge.net/
[6] http://www.backtrack-linux.org/
Figure 3: iOS4x Network Configuration Page (IP address 192.168.254.111, subnet mask 255.255.255.0, DNS 8.8.8.8)
In order to route traffic through the proxy server(s) for analysis, the iOS4x device was configured to use a proxy server as shown in Figure 4.
Figure 4: Proxy Server Configuration (HTTP Proxy set to Manual, server 192.168.254.1, port 8888, authentication off)
The Cisco PIX model 515 firewall was configured to drop any network traffic from the iOS4x device, other than Domain Name Server lookups. This prevented any traffic from leaving the laboratory network in any fashion other than through the configured proxy server. The relevant configuration of the PIX 515 firewall is shown in Figure 5.
Figure 5: PIX 515 Firewall Configuration
This configuration allows for the interception and analysis of unencrypted traffic. Much of the communications between an iOS4x device and Apple's servers is encrypted in order to protect it from eavesdropping and modification while in transit across the global internet. In order to analyze those communications which are encrypted using the industry-standard Transport Layer
Security [7] suite of protocols, it is necessary to obtain a root certificate [8] (root CA) which is trusted by the device to be studied. With such a certificate in hand, it is possible to bypass this encryption and examine the plain-text content of such messages. The process for creation and importation of a root CA is as follows. The OpenSSL suite of tools [9] was used to create a 1,024-bit RSA public/private key pair [10] as seen in Figure 6. A certificate signing request (CSR) [11] was then created from this newly-generated RSA keypair. A self-signed security certificate was then generated in PEM [12] format based on the generated keys and the data provided during the creation of the CSR. The certificate and RSA keypair are subsequently merged into a single file in PKCS12 format for use by the proxy tools.
Figure 6: Generation of a RSA Keypair (terminal session: openssl genrsa -out ios4.key 1024, followed by a listing of ios4.key)
[7] http://en.wikipedia.org/wiki/Transport_Layer_Security
[8] http://en.wikipedia.org/wiki/Root_certificate
[9] http://www.openssl.org/
[10] http://en.wikipedia.org/wiki/Public-key_cryptography
[11] http://en.wikipedia.org/wiki/Certificate_signing_request
[12] http://en.wikipedia.org/wiki/X.509
Figure 7: Creation of a Certificate Signing Request (terminal session: openssl req -new -key ios4.key -out ios4.csr, with the interactive Distinguished Name prompts and a listing of the resulting request)
Figure 8: Creating the Signed Certificate (terminal session: openssl x509 -req -days 3650 -signkey ios4.key -in ios4.csr -out ios4.crt, followed by a listing of ios4.crt)
Figure 9: Combining the Keys and Certificate (terminal session: openssl pkcs12 -export -out ios4.pfx -inkey ios4.key -in ios4.crt, with an export password prompt)
In order for the device to accept and use those certificates signed by this newly-created root CA, the certificate must be manually imported into the device to be studied and configured as a valid
root CA. On an iOS4x device, this is accomplished by viewing the "ios4.crt" file (Figure 8) in the Safari web browser on the device. When the Safari web browser encounters a security certificate in PEM format, the "Install Profile" screen appears as shown in Figure 10.
Figure 10: The Initial "Install Profile" Screen
When the user clicks "Install", the warning screen as shown in Figure 11 is presented to the user.
Figure 11: Certificate Installation Warning Screen. The screen reads: The authenticity of "pskl.us" cannot be verified. Installing this profile will change settings on your iPhone. Root Certificate: Installing the certificate "pskl.us" will add it to the list of trusted certificates on your iPhone.
When the user clicks "Install" on the warning screen, the new root CA is installed and trusted as
Figure 12: Trusted Root CA Installation Complete
With this configuration in place on the iOS4x device, it is now possible to decrypt and analyze any intercepted communications between the device and those remote servers owned or managed by Apple or its affiliates or contractors.
Within seconds of the device's initial connection to the wireless network, it established a secure, encrypted connection to a remote server named "gs-loc.apple.com". Using the tools outlined in the Methodology section, it was possible to decrypt this communication and study the contents. As can be seen in Figure 13, the device used HTTPS method POST [14] to transmit data to the server at https://gs-loc.apple.com/clls/wloc.
ra
-7o28VIPVo29
Figure 14: Security Certificate for gs-loc.apple.com (certificate viewer; issued by Entrust Certification Authority - L1C, Entrust Inc.)
The data transmitted from the iOS4x device to Apple can be seen in Figure 15.
Figure 15: Data Transmitted to gs-loc.apple.com
Analysis of this data reveals that the iPhone being studied is transmitting the device's configured language ("en_US", United States English), current iOS4 version ("4.3.3.8J2"), and what appears to be a MAC [15] address ("0:13:c3:2e:db:40") to the "gs-loc.apple.com" server. A MAC address is a unique identifier assigned to an Ethernet device in order to distinguish it from any other device on the network. As defined by the Ethernet specifications [16], a MAC address must be globally unique and may not be re-used on multiple devices.
Further investigation reveals that the MAC address being transmitted is the MAC address of the laboratory's Cisco model 1231 wireless access point to which the device is associated (Figure 18: Ethernet MAC Address of the Cisco 1231 AP).
The response from Apple's servers, based on the uploaded data, can be seen in Figure 16. It is interesting to note that this response, which is in Google's Protocol Buffers [17] format, contains additional MAC addresses. This is a partial download of Apple's crowd-sourced geolocation database which is used to assist iOS4x location-aware applications in determining the device's physical location [18]. Apple's geolocation database maintains the mapping between the BSSID (wireless MAC address) of a wireless access point and that access point's geographic location. By submitting to Apple the BSSID of a nearby access point, an iOS4x device can determine its
[15] http://en.wikipedia.org/wiki/MAC_address
o2lBo2.3.htm:.
col-buffers/ 11/04l27{pple-Q-A-on-Location-Data.hrf
approximate physical location by querying Apple's database. As is the case with most internet communications, the public-facing IP used by the iOS4x device is known by the remote server and can be associated with the submitted or queried location data.
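When reviewing a decrypted capture like the one described above, the BSSID strings can be pulled out of a Protocol Buffers payload without knowing its schema. The following is an added example, not code from the original report: it walks the documented protobuf wire format and collects any length-delimited field that looks like a MAC address, zero-padding each one so it can be cross-referenced against other databases. The sample payload and its field numbers are constructed for illustration and are not Apple's actual message layout; only the MAC "0:13:c3:2e:db:40" is taken from the report.

```python
"""Scan a Protocol Buffers payload for BSSID (MAC address) strings."""
import re

# Matches both padded ("00:13:...") and unpadded ("0:13:...") octets.
MAC_RE = re.compile(rb"[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5}")


def read_varint(buf, pos):
    """Decode one base-128 varint at pos; return (value, new_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def iter_fields(buf):
    """Yield (field_number, wire_type, value) for one message level."""
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wire_type = key >> 3, key & 0x07
        if field == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == 0:                      # varint
            value, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):               # fixed 64-bit / 32-bit
            size = 8 if wire_type == 1 else 4
            value, pos = buf[pos:pos + size], pos + size
            if len(value) != size:
                raise ValueError("truncated fixed-width field")
        elif wire_type == 2:                    # length-delimited
            size, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + size], pos + size
            if len(value) != size:
                raise ValueError("truncated length-delimited field")
        else:                                   # groups are not handled
            raise ValueError("unsupported wire type %d" % wire_type)
        yield field, wire_type, value


def normalize_mac(text):
    """Zero-pad each octet: '0:13:c3:2e:db:40' -> '00:13:c3:2e:db:40'."""
    return ":".join("%02x" % int(part, 16) for part in text.split(":"))


def extract_bssids(buf, depth=0, max_depth=4):
    """Return MAC-like strings in document order, recursing into
    nested messages. Parsing stops at the first malformed or truncated
    field; everything found before that point is kept."""
    found = []
    try:
        for _field, wire_type, value in iter_fields(buf):
            if wire_type != 2:
                continue
            if MAC_RE.fullmatch(value):
                found.append(normalize_mac(value.decode("ascii")))
            elif depth < max_depth:
                found.extend(extract_bssids(value, depth + 1, max_depth))
    except ValueError:
        pass
    return found


# --- Constructed sample payload (layout is an assumption) --------------
def _varint(n):
    out = bytearray()
    while True:
        n, low = n >> 7, n & 0x7F
        out.append(low | (0x80 if n else 0))
        if not n:
            return bytes(out)


def _ld(field, payload):
    return _varint(field << 3 | 2) + _varint(len(payload)) + payload


def _record(mac, a, b):
    # One record: a MAC string plus a nested message of opaque integers.
    ints = _varint(1 << 3) + _varint(a) + _varint(2 << 3) + _varint(b)
    return _ld(2, _ld(1, mac.encode("ascii")) + _ld(2, ints))


SAMPLE = b"".join([
    _record("0:13:c3:2e:db:40", 1000, 2000),   # MAC quoted in the report
    _record("2:0:0:0:0:1", 1001, 2001),        # constructed
    _record("02:00:00:00:00:02", 1002, 2002),  # constructed
])

if __name__ == "__main__":
    for bssid in extract_bssids(SAMPLE):
        print(bssid)
```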
Figure 16: Response from gs-loc.apple.com, Page 1 of 2
Figure 17: Response from gs-loc.apple.com, Page 2 of 2
Figure 18: Ethernet MAC Address of the Cisco 1231 AP
In order to verify that the data received from Apple contains information about nearby access points, the publicly-accessible wireless access point location database known as WIGLE [19] was queried against the MAC address data present in Apple's response. Seven matches were found (
[19] http://wigle.net/
Figure 19) which corresponded to access points within the immediate vicinity of the location of the iOS4x device being studied.
Since the WIGLE data is sourced from individuals who record locations of wireless access points from a moving vehicle, a technique known as "wardriving" [20], it is not surprising that the locations reported for these access points are along a major roadway. Apple's geolocation database is comprised of data collected by mobile iOS devices and would be of significantly greater precision. It is clear from this result that Apple, by way of this query mechanism, is aware of the physical location of virtually every iOS4 device.
Figure 19: WIGLE Cross-Reference Data (table of latitude and longitude values for the matched access points)
[20] http://en.wikipedia.org/wiki/Wardriving
Figure 20: WIGLE.net Locations of Access Points Found in the Apple Data
The physical location of the test device is marked with a red and white star in Figure 20.
Figure 21: Data Uploaded to iphone-services.apple.com
This communication illustrates how Apple's crowd-sourced Wi-Fi database is created and maintained. The data transmitted appears to be a superset of the Wi-Fi location data downloaded from Apple during the initial check-in as described earlier, combined with unique wireless location data collected by the particular iOS4x device. For example, the MAC address of the Cisco 1130 wireless access point used in the laboratory network (Figure 22) is present among the data submitted to Apple, as can be seen in the highlighted section in Figure 21. The physical location of this new access point is now known to Apple and can be used by subsequent iOS4x devices via MAC address lookup to determine location. As in the earlier case, the public-facing IP used by the iOS4 device is known and can be associated with the submitted location data.
Figure 22: Wireless MAC Address of the Cisco 1130 Access Point
Figure 23: Periodic Data Upload to iphone-services.apple.com
Phase Two, Part I: Installing Applications
On an iOS4x device, software applications, commonly known as "Apps", are purchased and installed by launching Apple's built-in "App Store" utility.
Figure 24: The iOS4 App Store
In order to install any applications on an iOS4x device using the "App Store" utility, the user must log in with his or her "Apple ID". In order to obtain an Apple ID, the user must provide his or her e-mail address, name, mailing address, and date of birth to Apple (Figure 25). In order to make purchases in the App store, a user may elect to enter payment information, such as a credit card or a pre-paid Apple iTunes gift card number.
Figure 25: Information Required to Obtain an Apple ID
Figure 26: Logging into Apple's App Store on the iOS4x device.
The user-supplied Apple ID and password are transmitted via HTTPS to the server "p12-buy.itunes.apple.com" where they are verified before the requested application is transferred to the iOS4x device. As in the earlier cases, the public-facing IP used by the iOS4x device is known and can be associated with the submitted AppleID and password.
Figure 27: App Store Login and Subsequent Transmission of the AppleID and Password to Apple
Figure 28: Purchasing music via the iTunes application
Figure 29: Logging into iTunes to Purchase Music
Figure 30: iTunes Login and Subsequent Transmission of the AppleID and Password to Apple
Phase Two, Part III: Using Applications
Many of the applications available for the iOS4 device are advertisement-driven and provided free of charge to the end user. In-app advertisements are typically in the form of a small graphical banner displayed to the user while the application is being used (Figure 31). These advertisements are typically served to the iOS4x device from one of a small number of advertising networks, including but not limited to Flurry [21], TapJoy [22], and Doubleclick [23]. Apple entered this market in January of 2010 with its acquisition of the mobile advertisement provider Quattro Wireless [24], rebranding the advertisement network as "iAd." [25] Note the "iAd" watermark in the lower right of Figure 31.
[21] http://www.flurry.com/flurry-analytics.html
[22] http://www.tapjoy.com/
[23] http://www.google.com/doubleclick/
[24] http://news.cnet.com/8301-13579_3-10425465-37.html
[25] http://advertising.apple.com/
Previous studies have shown [27] that many of these advertisement networks, including Apple's iAd network [28], remotely collect the iOS4x device's unique device identifier, or UDID, whenever an advertisement is viewed. The UDID is akin to a serial number and uniquely identifies a particular iOS4x device.
26 27 28
http://www.pskl.us/wp/?p=48J
Section 3: Conclusions
Considered individually, the numerous communication paths between an iOS4 device and Apple Corp. do not provide a direct correlation between a user's real-world identity and his or her present physical location. The geolocation queries discussed did not include any data regarding the device or user identity; those subsequent queries which included user or device identity did not include any geolocation data.
to all of the communications considered in this report, it is a trivial matter to tie geolocation with an iOS4x user's real world identity. Ignoring the use of sophisticated behavior profiling technologies now in widespread use, it is possible to perform this correlation by simply considering the public IP address of each of the communication paths considered in this report.
By referencing the public IP address used by the iOS4 device when it performs its initial connection to the server "gs-loc.apple.com", subsequent communications with Apple Corp. from this IP address can be tied to a physical location. This data is kept current by the iOS device's regular check-in with Apple geolocation servers (Figure 23).
The use of the App Store or iTunes from this same IP address provides Apple with real-time physical location information about the user, whose real-world identity is already established by data provided when the Apple ID is initially created.
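The correlation argued above can be made concrete with a small privacy-analysis sketch. This is an added example, not part of the original report: it takes two server-side event streams that share no identifier other than the source IP address and links each login to the most recent location query from the same IP within the six-hour check-in interval the report cites. All records, IP addresses (documentation ranges) and account names are constructed.

```python
"""Link identity-bearing logins to location queries by shared source IP."""
from datetime import datetime, timedelta

# Location data is refreshed at least this often according to the report.
FRESHNESS = timedelta(hours=6)

# Constructed events: (timestamp, source IP, BSSID submitted).
LOCATION_QUERIES = [
    (datetime(2012, 9, 16, 10, 0), "203.0.113.7", "00:13:c3:2e:db:40"),
    (datetime(2012, 9, 16, 11, 0), "198.51.100.20", "02:00:00:00:00:01"),
]

# Constructed events: (timestamp, source IP, account that logged in).
LOGINS = [
    (datetime(2012, 9, 16, 12, 30), "203.0.113.7", "alice@example.com"),
    (datetime(2012, 9, 16, 12, 45), "192.0.2.99", "bob@example.com"),
    (datetime(2012, 9, 17, 9, 0), "198.51.100.20", "carol@example.com"),
]


def correlate(location_queries, logins, freshness=FRESHNESS):
    """Return {account: (bssid, age)} for every login whose source IP
    issued a location query no more than `freshness` before the login.
    Neither stream carries the other's data; the IP is the only join key."""
    by_ip = {}
    for ts, ip, bssid in location_queries:
        by_ip.setdefault(ip, []).append((ts, bssid))

    linked = {}
    for ts, ip, account in logins:
        recent = [
            (q_ts, bssid)
            for q_ts, bssid in by_ip.get(ip, [])
            if timedelta(0) <= ts - q_ts <= freshness
        ]
        if recent:
            q_ts, bssid = max(recent)      # most recent query wins
            linked[account] = (bssid, ts - q_ts)
    return linked


if __name__ == "__main__":
    for account, (bssid, age) in correlate(LOCATION_QUERIES, LOGINS).items():
        print(account, "was near", bssid, age, "before login")
```

Only the first login is linked: the second comes from an IP that never issued a location query, and the third arrives 22 hours after its IP's last query, outside the freshness window.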
It is clear from the data examined in this report that Apple routinely and automatically collects sufficient information such that they can identify the real-world identity of the registered user of an iOS4x device, as well as the device's physical location, at an update frequency of no less than once every six hours. (Figure 32)
Appendix
[Figures: browser screenshots of WiGLE query pages and their search results]
Eric J. Smith
48 Mutchler Road Danville, PA 17821
(s7o) 4s2-see2
eric@pskl.us
Industry Certifications:
- RedHat Linux Certified Engineer (RHCE)
- Microsoft Certified Systems Engineer (MCSE)
- Certified Novell Engineer (CNE)
Employment History:
Assistant Director Information Security and Networking Bucknell University Lewisburg, PA
December 2003 to Present
www.bucknell.edu
Identified, developed, designed, and implemented creative solutions to the computer, communications technology, and information security needs of the University community. Managed our team of network engineers and student employees.
Oversaw Bucknell University's network infrastructure:
Responsible for the design, installation, maintenance, and growth of the University's global data network, which consists of over 1,500 managed network devices connected by 500 strand miles of optical fiber. Managed technicians, work groups, and project teams. Designed and installed a fully-redundant network architecture, including active-active router pairs, firewall clusters, and multiple independent upstream provider links. Managed the implementation of a $416,000 Department of Education grant for the expansion of mobile services at the University. As a result of this grant, and continued support by the University, 99% of the University campus -- indoors and out -- is covered by a robust, fault-tolerant 802.11abgn wireless network. Developed, tested, deployed and assessed technologies to provide secure, seamless remote access to campus resources, including voice, video, and data. Because of the seamless connectivity, the University has been able to support and actively recruit for telecommuter positions in several key departments. Developed software and hardware to automatically detect and disable rogue wireless access points connected to the campus network. Served as project manager to design, develop, and deploy an IP Multicast solution for a 60+ channel subscription-based cable television system for the campus. http://www.bucknell.edu/x9611.xml
Designed, configured, and installed intrusion detection and prevention systems. Served as Bucknell University's senior information technology security specialist. Provided leadership for the University's IT Security Group. Prioritized security-related projects. Developed policies, standards, and best practices for the University regarding all aspects of information security. Made recommendations to senior University administrators on matters related to information security. Served as technical lead for all information security issues on campus. Performed vulnerability and penetration testing, security analysis, and remediation.
Oversaw regulatory compliance (PCI) for credit card systems and transactions. Served as project lead and worked with external auditors. Authored software to automate management of virus-infected client machines (Quarantine) and Internet bandwidth abusers (RBZ). http://www.bucknell.edu/x9973.xml Also featured in a SecurityFocus article: http://www.theregister.co.uk/2004/09/16/academia_battles/ Worked with the FBI, incidents.org, and representatives from other universities in the constant battle against botnets. Performed security analysis -- physical and logical -- for the proposed infrastructure components of the University's One-Card implementation. Managed handling of copyright issues stemming from illegal downloading of music and movies. Coordinated with University Counsel's office in response to cease and desist letters from RIAA/MPAA.
Member of the Penn-REN Technical Advisory Committee (PTAC), which serves the KINBER board. PTAC is focused on configuration, deployment, and usability issues of the statewide high-speed research network. Served on several university committees including the Information Services & Resources Steering Group. Supervised the work of other staff members as it related to supporting the network infrastructure and information security projects. Led several organization-wide discussions and presentations on issues related to security. Provided training and mentoring for network technicians, system administrators, and security group members. Aggressively negotiated with information technology vendors including Cisco, Nortel, AT&T, NEC, Liebert, and APC to maximize the effectiveness of University budgets. Worked with the local community. Member of the SEDA Council of Governments Broadband Advisory Group, tasked with the goal of researching and providing world-class broadband solutions to the members of our rural community. http://www.seda-cog.org
Network and Systems Engineer Carole Hochman Designs, Inc. New York, NY
Responsible for the operation and maintenance of all information systems for a Madison Avenue fashion designer. Supported domestic offices and overseas factories in Turkey, Egypt, Hong Kong and China. Managed technicians and project teams.
Responsible for network security policies, anti-virus systems and firewall configurations. Designed and installed a Windows Active Directory system in multiple states to facilitate communications between offices and between users of different desktop platforms. Responsible for telecommunications and wireless systems throughout global offices. Maintained and expanded the enterprise-wide telephone and voicemail systems. Installed, configured and maintained leased-line, VPN, dial-up and extranet connectivity between all offices throughout the global enterprise. Developed and deployed a mobile infrastructure with 100% access to corporate network resources. Designed and installed an 802.11b system which enabled warehouse staff to employ wearable Ethernet terminals. This system permits real-time, wireless barcode scanning of data directly to the ERP system. Provided network support and interoperability between AS/400, W2K, and Unix. Developed mechanisms for the publishing of AS/400 data to Unix and W2K file and web servers. Managed departmental budgeting and purchasing. Coded HTML, CGI and ASP for Internet and Intranet websites. Provided user support and training; developed training materials and programs. Created procedures manual and methods for systems and operations documentation.
Provided on-site network support at Fortune 500 companies throughout Research Triangle Park.
Responsible for installation and maintenance of local and wide area networks. Provided desktop support and installation of hardware and software.
Evaluated customer networks and provided solutions for network optimization, security, fault tolerance, and disaster recovery.
Supported the university's academic computing network, consisting of faculty offices, classrooms, and student computer labs. Supervised the installation of network applications to LAN Manager and Windows NT Servers. Evaluated and documented software for classroom use and assisted faculty with the incorporation of Internet technologies into their curriculum.
Education:
- Bloomsburg University. Bloomsburg, PA. B.S. in Chemistry; minor in Computer Science. Graduated GPA 3.91 overall; 4.0 in Chemistry and Computer Science.
- North Carolina State University. Raleigh, NC. Completed 15 hours of graduate work in Chemistry. GPA 4.0.
Information Security and Networking-Related Presentations and Research:
- "Customized Threat Analysis and Reporting". Webinar, scheduled for October 17, 2012.
- "Integration of Disparate User Identification Sources into your IDS/IPS." Palo Alto Users' Group Meeting, Malvern, PA. Scheduled for December 11, 2012.
- "iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)". October 2010. This paper describes the use and abuse of the iOS Unique Device ID (UDID), which was shown to be actively used by advertisers and application developers to track the application use of individual users. As a response to this and other similar research projects, Apple announced the deprecation of the UDID with their release of iOS5. I was interviewed by a number of news organizations, including Ars Technica, MacWorld, Engadget, Slashdot, The Register, and others. http://arstechnica.com/apple/2010/10/iphone-user-privacy-
- "Rogue Season: Successful Hunting Strategies for the Network Administrator". Nercomp, 2008, Providence, RI. Rogue access points (APs), those installed by unauthorized users, are a security, usability, and liability concern for all university network administrators. In this talk, we will present several time-saving methods of rogue AP detection that do not require expensive commercial applications or unwieldy directional antennae. Slides at http://net.educause.edu/ir/library/pdf/NCP08095.pdf
- "Introduction to Streaming Video." Mid-Atlantic Digital Library Conference, 2008.
- "Hardware and Honeybees." Presented at the Central Pennsylvania Open Source Conference (CPOSC), 2009. Discussed how internet-connected technologies, including cameras and sensors, can be used by Pennsylvania's small farmers to increase the health and yields of their operations.
- "Streaming Multimedia for Digital Libraries and IRs such as DSpace: An Introduction". NITLE, 2008. This presentation addressed the benefits of using streaming servers, examined case studies, and provided an overview of the technologies and processes involved in handling large multimedia files via streaming servers.
- "Medical Identity Theft." Presentation at the DefCon security conference. This research focused on common security issues at medical facilities and the feasibility of large-scale attacks aimed at gathering patient data for the purposes of committing identity theft and insurance fraud. August 2008. http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-smith-dardan.pdf
- "Botnets at Bucknell." Presentation for Information Services & Resources Staff, Bucknell University, Lewisburg, PA. Presentation provided an overview of botnets, how the Bucknell community has been affected by them in the recent past, and the security measures taken to protect Bucknell and the internet at large. The audience included technical staff members, non-technical staff, and library/technology administrators. May 3, 2007.
- "The $60 VPN Tunnel." Presentation to the Bucknell University community regarding the methods currently in production for creation of IPSec-based LAN-to-LAN tunnels for remote offices and telecommuters. April 2007.
- "VoIP, Vonage, and Why I Hate Asterisk." Shmoocon 2007, Washington, DC. This presentation examined the potential business and home uses of Asterisk, an open source telephony platform. Also addressed were security issues inherent to most VoIP deployments. http://www.shmoocon.org/speakers.html.
- "Wireless LAN Security." Presentation for 2007 Information Security Week, Bucknell University, Lewisburg, PA. March 2007.
- "Countering Attacks at Layer Two." Shmoocon 2006, Washington, DC. Focused on often-ignored security issues that affect large campus networks. Video and slides from the presentation are available at http://www.shmoocon.org/2006/presentations.html.
- Cisco Security Research: Discovered a security flaw in the Cisco Aironet IOS software. A vulnerability exists in Cisco Aironet Wireless Access Points (AP) running IOS which may allow a malicious user to send a crafted attack via IP address Resolution Protocol (ARP) to the Access point which will cause the device to stop passing traffic and/or drop user connections. Repeated exploitation of this vulnerability will create a sustained DoS (denial of service). See Document ID: 68715 / Advisory ID: cisco-sa-20060112-wireless for more details. http://www.cisco.com/warp/public/707/cisco-sa-20060112-wireless.shtml. 2006.
- "Bucknell's Resnet Quarantine." Presentation to the University community to discuss the automated systems which are in place to deal with worm, virus, and botnet-infected machines on the University network. January 2005.
Awards:
DefCon 12 (2004), DefCon 13 (2005), and DefCon 14 (2006):
Winner of the Wardriving Contest at the nation's largest computer security conference. The Wardriving Contest pits teams from around the world against each other to determine who can best solve a given network security problem. The winner of this contest is awarded the prestigious "Black Badge", which allows the holder free admittance for life to all future DefCon conferences. http://www.defcon.org.
Other Skills:
- Chemist. Experience in organic and inorganic synthesis, safe laboratory practices, computational methods (Gaussian, GAMESS, HyperChem, MOPAC, and Spartan), powder X-ray diffraction, fluorometry, AA, FTIR, GC, GC-MS, UV/VIS HPLC, and NMR.
- Eastern Apiculture Society Certified Master Beekeeper (University of Vermont, 2012).
- Electrician. Experience in commercial and residential service (1990-1994).
Professional References:
Available on request.