Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

What's in a license - A review of the implementation of electronic driver's licenses in Iceland - 600

syndis - Posted 4 Years Ago
  • The Icelandic government wanted to create e-licenses but was unsure how to do so. The government decided to use the Apple Wallet API. Once they were done, the wallets (licenses) were distributed as PKPass files, which are just a wrapper around a signed ZIP file.
  • This file contained a few photos and some other interesting files. The pass.json contained a complete description of the license, such as the serial number and personal details. The manifest.json included a hash of all of the files and a signature used for the manifest file. This is done by obtaining a key from Apple to be used on the wallet.
  • The idea behind the signature is that the pass should not be modifiable and its content should be safe. But, in practice, this is just not the case. Anybody can request a developer certificate from Apple and sign a pass with it. Additionally, the author found that NONE of the Android apps actually validated the signature. Crypto is good: just know how to use it!
  • Originally, a scanner for the wallets was discussed. But this validation scanner never came to be. As a result, a forgery that tricks the naked eye of a human is trivial. The simple look & feel is the only thing being validated for authenticity.
  • An easy attack would be simply taking a screenshot and modifying it with Photoshop or something like it. The author shows an image that was modified in Snapchat that looks quite real with Donald Trump's picture. But, this is NOT in the wallet app, making it look suspicious.
  • Going a bit further though, there are multiple services on the Internet, and even mobile apps, that allow you to design your own pass for Apple wallets. Using these, it would be trivial to make a replica of the license, either statically or programmatically via the APIs the services provide.
  • Because of the many shortcomings of the license handling, teenagers and many others were found abusing this. As a result, a scanner was officially announced to be in the works.
  • Overall, the writeup is an interesting story of how a government attempted an e-license system and failed. It is really hard to write secure software!
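
An added example (not from the original writeup or from Apple's tooling) of the manifest check a verifier would run on a PKPass file. The sample archive, file contents and placeholder signature bytes are constructed here; SHA-1 is the hash Apple's pass format uses in manifest.json. The last case shows why a consistent manifest proves nothing about who issued the pass, so the signature still has to be verified against the issuer's own certificate.

```python
import hashlib
import io
import json
import zipfile

def check_manifest(pkpass_bytes):
    """Return a list of integrity problems in a .pkpass archive (empty list = consistent)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(pkpass_bytes)) as z:
        names = set(z.namelist())
        if "signature" not in names:
            problems.append("no signature file: pass is unsigned")
        if "manifest.json" not in names:
            return problems + ["no manifest.json"]
        manifest = json.loads(z.read("manifest.json"))
        # Every file except the manifest and its signature must be listed and match.
        for name in sorted(names - {"manifest.json", "signature"}):
            if name not in manifest:
                problems.append(f"{name}: not covered by manifest")
            elif hashlib.sha1(z.read(name)).hexdigest() != manifest[name]:
                problems.append(f"{name}: hash mismatch")
        for name in sorted(set(manifest) - names):
            problems.append(f"{name}: listed in manifest but missing")
    return problems

def build_sample(files, manifest_from=None):
    """Constructed test input: a ZIP shaped like a .pkpass (signature is a placeholder)."""
    src = manifest_from or files
    manifest = {n: hashlib.sha1(d).hexdigest() for n, d in src.items()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, d in files.items():
            z.writestr(n, d)
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("signature", b"PLACEHOLDER-NOT-A-REAL-PKCS7")
    return buf.getvalue()

# Constructed sample contents, not a real license.
ORIGINAL = {"pass.json": b'{"serialNumber": "CONSTRUCTED-0001"}',
            "thumbnail.png": b"\x89PNG constructed photo"}
EDITED = dict(ORIGINAL, **{"thumbnail.png": b"\x89PNG different photo"})

if __name__ == "__main__":
    print(check_manifest(build_sample(ORIGINAL)))          # untouched pass
    print(check_manifest(build_sample(EDITED, ORIGINAL)))  # file changed, old manifest
    # Manifest rebuilt to match the edit: the hashes agree, so only a signature
    # check against the issuer's pinned certificate can tell this pass apart.
    print(check_manifest(build_sample(EDITED)))
```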