In our previous blog post we have described how we broke the encryption in iOS devices. One important thing was left out of that article for the sake of readability, and that is how we actually acquire the image of the file system of the device. Indeed, in order to decrypt the file system, we need to extract it from the device first.
Posts Tagged ‘iPhone’
ElcomSoft researchers were able to decrypt iPhone’s encrypted file system images made under iOS 4. While at first this may sound as a minor achievement, ElcomSoft is in fact the world’s first company to do this. It’s also worth noting that we will be releasing the product implementing this functionality for the exclusive use of law enforcement, forensic and intelligence agencies. We have a number of good reasons for doing it this way. But first, let’s have a look at perspective.
BlackBerry dominates the North American smartphone market, enjoying almost 40 per cent market share. A 20 per cent worldwide market share isn’t exactly a bad thing, too. The total subscriber base for the BlackBerry platform is more than 50 million users.
Today, we are proud to present world’s first tool to facilitate forensic analysis of BlackBerry devices by enabling access to protected data stored on users’ BlackBerries.
One of the reasons of BlackBerry high popularity is its ultimate security. It was the only commercial mobile communication device that was ever allowed to a US president: Barack Obama has won the privilege to keep his prized BlackBerry despite resistance from NSA. (On a similar note, Russian president Dmitry Medvedev was handed an iPhone 4 a day before its official release by no one but Steve Jobs himself. No worries, we crack those, too).
Finally, we’ve got our first iPhone 4 in office. And what was the first thing we did with it? Yes, test its performance to complete table in my previous post.
This brand-new iPhone 4 is capable of doing 1.4 millions MD5 iterations per second, about 35% more than iPhone 3GS.
I haven’t found any information on iPhone 4CPU clock frequency, but if we assume that it uses same chip as iPad (which seems to be the case), then exhibited performance corresponds to roughly 775 MHz.
I’ve had plans to create some kind of performance measurement app for iPhone/iPod/iPad for quite a bit time of already, and after reading recent reports that iOS 4 is very slow on iPhone 3G I thought that time had finally come.
So I’ve quickly coded an app which computed performance in MD5 hash computations per second, and here are the results:
|Device||CPU Frequency||Thousands MD5 per second|
|iPhone 3G||412 MHz||350|
|iPhone 3GS||600 MHz||
The performance scales almost linearly (with respect to CPU frequency) for iPhone 3GS and iPad.
For iPhone 3G this is, however, not the case. Although CPU clock is only 1.5 times slower when compared to iPhone 3GS, overall performance is three times slower.
Puzzled, I did some research and found out that iPhone 3G and iPhone 3GS are using very different CPU cores indeed (link). The key difference is that iPhone 3GS uses dual-issue superscalar CPU which allows executing two instruction per clock. iPhone 3G utilized single-issue scalar core, and is thus limited to executing single instruction per clock. This perfectly explains missing factor of two in performance vs. clock rate difference between iPhone 3G and 3GS.
Today we have released Elcomsoft iPhone Password Breaker 1.20 which introduces two new features and fixes few minor issues.
This feature allows to view contents of keychain included with encrypted device backup.
Mac users are probably familiar with concept of keychain — it is a centralized, system-wide storage where application can store information they consider sensitive. Typically, such information includes passwords, encryption keys and certificates, but in principle it can be anything. Data in keychain is cryptographically protected by OS and user password is required to access it. The closest Windows equivalent for keychain is probably Data Protection API.
iOS-based devices also have a keychain, but instead of user password, embedded cryptographic key is used to protect its contents. This key is unique to each device and so far there are no way to reliably extract it from the device.
Apple recommends iOS application developers to use keychain for storing passwords and other sensitive information, and one reason for this is that it never leaves device unencrypted. Here’s an excerpt from Keychain Service Programming Guide:
In iOS, an application always has access to its own keychain items and does not have access to any other application’s items. The system generates its own password for the keychain, and stores the key on the device in such a way that it is not accessible to any application. When a user backs up iPhone data, the keychain data is backed up but the secrets in the keychain remain encrypted in the backup. The keychain password is not included in the backup. Therefore, passwords and other secrets stored in the keychain on the iPhone cannot be used by someone who gains access to an iPhone backup. For this reason, it is important to use the keychain on iPhone to store passwords and other data (such as cookies) that can be used to log into secure web sites.
Prior to iOS 4 keychain was also included in the backup ‘”as is”, i.e. all data inside was encrypted using unique device key. This meant that it was not possible to restore keychain onto another device — it will try to decrypt data with key which is different from one used to encrypt data. Naturally, this will fail and all data in keychain will be lost.
To address this issue, Apple changed the way keychain backup works in iOS 4. Now, if you’re creating encrypted backup (i.e. you’ve set up a password to protect backup) then keychain data will be re-encrypted using encryption key derived from backup password and thus ca be restored on another device (provided backup password, of course). If you haven’t set backup password, then everything works like before iOS 4 — keychain encrypted on device key is included in the backup.
Elcomsoft iPhone Password Breaker now allows you to view contents of keychain from encrypted backup of devices running iOS 4. You will need to provide password, of course. Here’s screenshot of Keychain Explorer showing (some) contents of my iPhone’s keychain:
There are passwords for all Wi-Fi hotspots I have ever joined (and haven’t pushed “Forget this Network” button), for my email, Twitter, and WordPress accounts, as well as Safari saved passwords and even my Lufthansa frequent flyer number and password! 🙂 And I don’t use Facebook/LinkedIn/anything else on my phone — otherwise I guess credentials for those will be also included in the keychain.
Keychain Explorer will work only against backup which is encrypted. If you happen to have an iOS 4 device and want to get password from it — set a backup password in iTunes, backup device, use Keychain Explorer to view and/or export keychain passwords, and, finally, remove backup password in iTunes.
This feature is far less exciting than Keychain Explorer, but we believe it should improve user experience with Elcomsoft iPhone Password Breaker.
The idea is simple: all passwords which are found by EPPB or which are used to open backup in Keychain Explorer are stored in password cache. When you later try to open backup in Keychain Explorer or recover a backup password, program first checks password cache for correct password.
Passwords in cache are stored using secure encryption.
Also, there is a new EPPB FAQ online. Worth reading if you’re thinking of purchasing EPPB or want to learn more about it.
There is at least one really big update for EPPB coming in September or October, so stay tuned!
Today we are pleased to unveil the first public beta of our new product, Elcomsoft iPhone Password Breaker, a tool designed to address password recovery of password-protected iPhone and iPod Touch backups made with iTunes.
In case you do not know, iTunes routinely makes backups of iPhones and iPods being synced to it. Such backups contain a plethora of information, essentially all user-generated data from the device in question. Contacts, calendar entries, call history, SMS, photos, emails, application data, notes and probably much more. Not surprisingly, such information manifests significant value for investigators. To make their job easier there are tools to read information out of iTunes backups, one example of such tool being Oxygen Forensic Suite (http://www.oxygen-forensic.com/). Such tools can not deal with encrypted backups, though.