iOS Integrity Validator

When businesses began to adopt iOS 3 devices en masse, they had no way of detecting malware on devices that had been taken off site. Using jailbreaks like RedSnow, attackers could exploit the device's boot loader and decrypt the data inside.

But exploits like RedSnow could also be used for good. Legitimate users could put exploits to work assessing the integrity of their devices.

That was the premise behind iiv, our integrity validator for iOS devices. It was an excellent demonstration that offensive tools could serve defensive purposes. At the time when we created iiv, nothing like it existed.

Without relying on signatures, iiv validates the integrity of the device and detects modifications such as malware and jailbreaks. It collects the relevant artifacts of these changes for offline analysis. Any modification it detects, however small (a changed permission, a file with one byte out of place), indicates that something is wrong on the device.

Because iiv runs at boot time, while the disk is still inactive and no other code is running on the phone, it denies malware the chance to feed it false results.
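The signatureless comparison described above, as an added Python example that is not iiv's code: snapshot a known-good tree (permission bits plus a content hash), then report every deviation from that baseline, whether a single changed byte, a relaxed permission or a dropped-in file. The paths and contents are constructed sample data, and this runs on a live filesystem rather than at boot, so it shows the comparison logic only.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record (mode bits, size, sha256) for every regular file under root, keyed by relative path."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.lstat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[str(path.relative_to(root))] = (stat.S_IMODE(st.st_mode), st.st_size, digest)
    return manifest


def diff_manifests(baseline, current):
    """Return sorted (relpath, reason) findings; any deviation from the baseline is a finding."""
    findings = []
    for rel, (mode, size, digest) in baseline.items():
        if rel not in current:
            findings.append((rel, "missing"))
            continue
        cmode, csize, cdigest = current[rel]
        if cmode != mode:
            findings.append((rel, f"mode {mode:o} -> {cmode:o}"))
        if cdigest != digest:  # catches a one-byte change even when size is unchanged
            findings.append((rel, "content changed"))
    for rel in current.keys() - baseline.keys():
        findings.append((rel, "unexpected file"))
    return sorted(findings)


def demo():
    """Constructed scenario: a known-good tree, then a one-byte edit, a chmod and a new file."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "sbin").mkdir()
        (r / "sbin" / "launchd").write_bytes(b"\x00good\x00")
        (r / "etc").mkdir()
        (r / "etc" / "master.passwd").write_bytes(b"root:*:0:0\n")
        os.chmod(r / "etc" / "master.passwd", 0o600)
        baseline = snapshot(root)
        (r / "sbin" / "launchd").write_bytes(b"\x00good\x01")  # one byte out of place
        os.chmod(r / "etc" / "master.passwd", 0o644)           # permission relaxed
        (r / "sbin" / "sshd").write_bytes(b"dropbear")          # file that was never there
        return diff_manifests(baseline, snapshot(root))
```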

iiv still works on iOS 3 devices and older. There's no way to patch the Boot ROM: it's hardware that runs code baked into it at the factory.

Though it’s no longer relevant to today’s iOS devices, iiv stands as a reminder that exploit code is neither good nor bad. That depends on how it’s used.
