Do you think you know everything about creating and using backups of Apple iOS devices? Probably not. Our colleague and friend Vladimir Bezmaly (MVP Consumer security, Microsoft Security Trusted Advisor) shares some thoughts, tips and tricks on iTunes and iCloud backups.
Mobile phones are everywhere. They are getting increasingly more complex and increasingly more powerful, producing, consuming and storing more information than ever. Today’s smart mobile devices are much more than just phones intended to make and receive calls. Let’s take Apple iPhone. The iPhone handles our mail, plans our appointments, connects us to other people via social networks, takes and shares pictures, and serves as a gaming console, eBook reader, barcode scanner, Web browser, flashlight, pedometer and whatnot. As a result, your typical iPhone handles tons of essential information, keeping the data somewhere in the device. But what if something happens to the iPhone? Or what if nothing happens, but you simply want a newer-and-better model? Restoring the data from a backup would be the simplest way of initializing a new device. But wait… what backup?
Users in general are reluctant to make any sort of backup. They could make a backup copy once after reading an article urging them to back up their data… but that would be it. Apple knows its users, and decided to explore the path yet unbeaten, making backups completely automatic and requiring no user intervention. Two options are available: local backups via iTunes and cloud backups via Apple iCloud.
Extracting the content of an iPhone is only half the job. Recovering meaningful information from raw data is yet another matter. The good news is there are plenty of powerful tools providing iOS analytics. The bad news? You’re about to spend a lot of time analyzing the files and documenting the findings. Depending on the purpose of your investigation, your budget and your level of expertise using forensic tools, you may want using one tool or the other. Let’s see what’s available.
It’s been a while since we updated Elcomsoft Phone Password Breaker, dedicating our efforts to physical acquisition of iOS devices instead. Well, now when the new iOS Forensic Toolkit is out, it is time to update our classic phone recovery tool.
Soon after releasing the updated version of iOS Forensic Toolkit we started receiving questions about the new product. Did we really break iPhone 5? Does it truly work? Are there limitations, and what can you do about them? We decided to assemble all these questions into a small FAQ. If you’d rather read the full, more technical version of this FAQ, visit the following page instead: Elcomsoft iOS Forensic Toolkit FAQ. Those with non-technical background please read along.
It’s been a while since we released the new version of Elcomsoft Phone Password Breaker that allows downloading backups from iCloud (read the press release). Many customers all over the world are already using this new feature intensively, but we still get many questions about its benefits, examples of cases when it can be used and how to use it properly. We also noticed many ironic comments in different forums (mostly from users without any experience in using iOS devices and so have no idea what iCloud backups actually are, I guess), saying that there is nothing really new or interesting there, because anyone with Apple ID and password can access the data stored in iCloud backup anyway.
Well, it seems some further explanation is needed. If you are already using EPPB (and this feature in particular) you will find some useful tips for future interaction with iCloud, or even if you don’t have an iOS device (you loser! just kidding :)) please go ahead and learn how iCloud can be helpful and dangerous at the same time. (more…)
Apple iCloud is a popular service providing Apple users the much needed backup storage space. Using the iCloud is so simple and unobtrusive that more than 190 million customers (as of November, 2012) are using the service on regular basis.
Little do they know. The service opens governments a back door for spying on iOS users without them even knowing. ElcomSoft researchers discovered that information stored in the iCloud can be retrieved by anyone without having access to a physical device, provided that the original Apple ID and password are known. The company even built the technology for accessing this information in one of its mobile forensic products, Elcomsoft Phone Password Breaker, allowing investigators accessing backup copies of the phone’s content via iCloud services.
Elcomsoft has announced that certain versions of fingerprint software named Protector Suite made by UPEK (now part of Authentec) stores your Windows password in a ‘scrambled’ format in registry. This allows an attacker through different entry points to get easy access to a users Windows password. I have no reason not to believe Elcomsoft in their claims, but UPEK/Autentec seriously disagrees. In the middle of this I happen to have some questions, and an opinion regarding biometric software today.
I have lost count of all the times colleagues have approached me with a big smile, challenging me to break into their work laptops now that they have enabled fingerprint authentication. Pressing Esc to get the normal logon prompt and then entering my AD username & password logged me in. Having local admin rights made things even easier to conduct pass-the-hash of their locally cached credentials, and smile turned to sadness. Hey, I have even been accused of cheating when I did that.
I purchased my first fingerprint reader back somewhere in 1999. It was complete crap. Many years later I purchased a Microsoft keyboard with integrated fingerprint reader:
I still remember a very clear warning in their documentation: the fingerprint reader should not be trusted for security. It should be considered as a toy. Oh well.
Today the integrated fingerprint readers in many laptops is the most common place we interact with biometric solutions. IF we choose to use it of course – there is no requirement to do so from the vendor. Enter Elcomsoft.
Security vs Convenience
Lots of people – including infosec professionals, doesn’t see the difference between using biometric authentication as a security feature, and as a convenience feature. Simply explained for the home user:
If you use biometric authentication to logon to your laptop, but can bypass it by pressing Esc and enter your username & password, you are using biometrics as a convenience feature.
If you have removed any and all possibilities to logon except by using/including biometrics, you are using biometrics as a security feature.
The differences here are … well… BIG, at least in theory. But wait; that was for the home user. I don’t care much about your private pictures, christmas wish list and facebook account anyway, so lets look at it from a corporate perspective:
There is no integrated support for replacing passwords with biometric authentication within Microsoft Windows.
This means that any kind of authentication addition or replacement you set up on laptops, tablets or desktop computers in a corporate enviroment with Active Directory, a password still has to be configured for a user in a domain, and that password is what authenticates the user throughout the domain. Using highly advanced visualization tools, hours and hours of hard work and a colorful palette, I made this infographic to explain what happens:
Using biometric logon, we add another step in the authentication process in a corporate environment. Please note; we added one more step, we didn’t necessarily add one more layer of security.
I blogged about upcoming password security features in Windows 8 Password Security. Please observe that using picture password and/or a PIN is an addition to having a password. They are quite simply convenience features. Having said that, I would like to give kudos to Microsoft for doing quite a bit of research into picture passwords and presenting it in such a detailed form that we can make up an opinion about the security it provides.
What did Elcomsoft discover?
Well, they claim that certain versions of the software in question stores your Windows password using weak protection locally (see step 2 in the biometric chain above). Using a simple PoC, they have successfully extracted the stored Windows password from registry by the biometric software and “decrypted” it.
Since the biometric software is local only, it needs to know your Windows password to properly give you both local and domain access. To repeat; your username and password gives you access, not your fingerprint or any other biometric ID. If your password is changed, either locally or in the domain, you will have to provide your new password to the biometric software.
Is this such a big deal? Yes.
Good practice is to store passwords using hash irreversible algorithms, preferably strong types such as PBKDF2, Bcrypt or Scrypt. The draft cheat sheet from OWASP on password storage gives more information about such algorithms, and more. Even though Microsoft doesn’t use salting or key stretching in their LM/NTLM algorithms, they are still hash algorithms. You cannot “reverse” the process to get the plaintext password, you have to
My Authentec (Thinkpad) fingerprint software, which is NOT affected by Elcomsofts findings, knows my password (or passphrase in my case), and there is an option in the software to display it on screen, as the video on top shows you.
But I can do pass-the-hash/ticket and more, why is this a big deal?
Sure you can. But you cannot do those attacks against a Outlook Web Access configuration from the Internet using SSL. You don’t know the users actual password when you do pass-the-hash attacks, so you cannot check if the user uses the same password on other services, at work or on a personal basis.
If my fingerprint – my biometric template – was the secret key to unlock the password using reversible encryption like AES, things could perhaps be considered a bit better, but it would still not be good practice to store any users password using reversible encryption. Which is exactly what is evidenced by my video above.
Now if claims by Elcomsoft are true, malware could easily exploit the weakness found to extract users Windows plaintext passwords in yet another way, adding to the already existing ways of doing so.
I haven’t twisted my mind long enough on this to figure out ways of improving this, but I am open for suggestions.
Switching iPhones into a DFU (Device Firmware Update) mode is a hassle. Power off, press that and hold those that many seconds, release this but continue holding that until hopefully something happens on the phone. Many iPhone users have major troubles switching their iPhones into DFU mode. Luckily for them, they don’t have to do the Apple Dance too often.
Criminal investigators, police officers and workers of the intelligence are not as lucky. They have dozens of iPhones to process every day, hundreds every week. “When I get an iPhone, I only have two hours”, says a police officer who’s name we cannot disclose. “In 120 minutes, I have to acquire and process information from that phone. Honestly, I can rarely complete it in a proper way.”
Here at ElcomSoft, we’re trying to do everything to make the life of investigators easier. Performing a physical acquisition with EIFT, which is the only proper way to capture everything in the phone, only takes 20 to 40 minutes depending on the model. But here comes another pitfall. Unlike pickpockets and fraudsters with long, thin fingers, police officers have big hands and firm, strong fingers. Performing the Apple Dance is extremely frustrating and almost physically painful. “I have to try and try before I can twist my fingers to hold those damn buttons”, confesses another police officer. “These damn things are too small and slick”.
Visiting the EuroForensics conference a few days ago, I was demonstrating how easy it was to switch an iPhone into DFU mode. I did it right the first time, but on a second try I failed miserably. “I’m too old for this shtuff”, commented yet another visitor whose badge simply read “Special Agent”.
I passed my concerns to ElcomSoft R&D department, and they built a mockup of an ingenious device automating this sort of things. They called it “iOS DFU Mode Starter”. As a first mockup, it’s not yet perfect. It requires careful placement of the device, and you have to plug a USB cable by hand. Other than that, iOS DFU Mode Starter can switch the device into Debug Firmware Update mode with 100% reliability. “It’s almost infallible”, says Andrey Belenko, ElcomSoft leading researcher. “And it was incredible fun to build”.
Here’s a video demonstrating how the new device works:
I was shocked at first when I saw the robot. A LEGO? Are you guys kidding me? It turned out our R&D guys were serious as ever. Here’s what Andrey Belenko has to say about this robot.
“Constructing mockups and early prototypes with LEGO bricks is commonplace for building robots. Honestly, LEGO blocks are a godsend to all robot builders. Don’t be fooled with the look of the thing; these bricks are a serious prototyping tool.”
“LEGO bricks hold together amazingly well under low and medium load. LEGO blocks come in a wide assortment of shapes and sizes. They give a tight fit, they are reusable, and they save us a lot of time when prototyping. We’re not building an industrial piece; this robot simply handles a modern electronic device. No force is required.”
Whether or not this device goes into production, and what the price is going to be like if it does is yet to be determined.
SANS Information Security Reading Room has recently publicized a whitepaper about iOS security where they mentioned our software – Elcomsoft iOS Forensic Toolkit – in a section about encryption. Kiel Thomas, the author of the whitepaper, explained one more time the main principles of iOS 4 encryption, which became stronger in comparison with iOS 3.x and how our toolkit can bypass new strong algorithms.
In its next part about iTunes Backups Kiel touches upon Elcomsoft Phone Password Breaker which virtually crunches backup passwords at speed of 35000 passwords per second (with AMD Radeon HD 5970) using both brute force and dictionary attacks, here are some benchmarks.
It seems the paper does not miss out on any nuance about iOS 4 and provides practical advice to either avoid or prevent from the depressing outcomes, such as loss of data. Closer to the end of the paper you will also find several sagacious tips for using the devices within organizations, including passcode management, a so called “first line of defense” which according Kiel’s view “can be matched to existing password policies”, however he inclines to use passwords instead of 4 digit passcodes.