Dealing with a Locked iPhone

April 15th, 2016 by Oleg Afonin
Category: «General», «Mobile», «Security», «Software», «Tips & Tricks»

So you’ve got an iPhone, and it’s locked, and you don’t know the passcode. This situation is so common, and the market has so many solutions and “solutions” that we felt a short walkthrough is necessary.

What exactly can be done to the device depends on the following factors:

Hardware Generation

From the point of view of mobile forensics, there are three distinct generations:

  1. iPhone 4 and older (acquisition is trivial)
  2. iPhone 4S, 5 and 5C (32-bit devices, no Secure Enclave, jailbreak required, must be able to unlock the device)
  3. iPhone 5S, 6/6S, 6/6S Plus and newer (64-bit devices, Secure Enclave, jailbreak required, passcode must be known and removed in Settings)

Jailbreak Status

If the iPhone is already jailbroken, a 32-bit device can be acquired even if locked. If you have a 64-bit device, it must be unlocked, and screen lock passcode must be removed in Settings.

Passcode Protection

If the device is locked with an unknown passcode and it’s newer than iPhone 4, you may need to unlock it in order to perform acquisition. Depending on the iOS version installed on the device, you may be able to use a commercial passcode recovery tool (e.g. IP-BOX). If you see a solution advertising compatibility with all versions of iOS, this in fact may not be the case. So far we have found no solutions that work with iOS 9 and later.

Cloud Acquisition

If you know the user’s Apple ID and password, or if you have a binary authentication token acquired from the user’s computer, you may be able to download backups from iCloud (iOS 5.x through 8.x) or iCloud Drive (iOS 9.x).

Now let’s talk about these cases in more detail.

Acquiring iPhone 4 and Older

For these legacy devices, acquisition is trivial regardless of lock status. All you need is Elcomsoft iOS Forensic Toolkit. Launch EIFT, connect the phone to the computer, boot into DFU mode, and follow the prompts to recover the passcode, image the device, extract decryption keys and decrypt the keychain. No obstacles here.

Note, however, that you will still need to recover the passcode in order to recover all encrypted data on the iPhone 4 (but not on older models). In particular, without a passcode the following data remains encrypted: mail, keychain, and some protected app data. Breaking a 4-digit passcode on these devices is very straightforward and reasonably fast (4-5 passcodes per second on iPhone 4). No guarantee for longer and alphanumeric passcodes.

Acquiring iPhone 4S, 5 and 5C

These phones can only be acquired if jailbroken. For iPhone 4S, 5 and 5C, the acquisition process is different and does not require DFU mode. The acquisition process looks like this:

Is jailbreak installed?

Yes: proceed to the next step.

No: you’ll have to jailbreak the device subject to jailbreak availability. If the device is locked and you don’t know the passcode, you will not be able to jailbreak it. Jailbreaking the device may require removing lock screen passcode and disabling Find My Phone, which in turn requires you to enter the correct Apple ID password. If jailbreak cannot be installed, stop right here and consider other acquisition options.

Install OpenSSH

OpenSSH is required. Install it on the iPhone from the Cydia repository.

Use Elcomsoft iOS Forensic Toolkit

Once you launch Elcomsoft iOS Forensic Toolkit, you’ll see a list of available options. Use the following commands in this sequence: Get keys, Decrypt keychain, then Image disk, Decrypt disk. This will extract and decrypt the keychain, then extract user data and decrypt it.

Similar to older devices, without a passcode you can decrypt most but not all information extracted from the device. Mail, keychain, and some app data remain encrypted until you have the correct passcode. Brute-forcing a 4-digit passcode on jailbroken 32-bit devices is possible within reasonable time at 20 to 25 passcodes per second. No guarantee for longer and alphanumeric passcodes.

Acquiring iPhone 5S, 6/6S/Plus

These 64-bit devices are equipped with Secure Enclave, and require a different process for physical acquisition. There is no way to acquire a 64-bit iOS device if it is locked with a passcode and the passcode is not known, even if the device is already jailbroken. You will need to unlock the device and disable the passcode in Settings (which requires entering the original passcode) before you can perform physical acquisition.

For 64-bit devices, the acquisition process looks like this:

Is the device locked with an unknown passcode?

Yes: if it’s locked and you don’t know the passcode, stop right here. Consider other acquisition options.

No: unlock the device. Go to Settings -> Security and disable passcode protection (you’ll have to enter the passcode to do that).

Is jailbreak installed?

Yes: proceed to the next step.

No: you’ll have to jailbreak the device subject to jailbreak availability. Jailbreaking the device may require disabling Find My Phone, which in turn requires you to enter the correct Apple ID password. If jailbreak cannot be installed, stop right here and consider other acquisition options.

Install OpenSSH

OpenSSH is required. Install it on the iPhone from the Cydia repository.

Use Elcomsoft iOS Forensic Toolkit

Once you launch Elcomsoft iOS Forensic Toolkit, you’ll see a list of available options. For 64-bit devices, the only acquisition option available is the “TAR FILES” command. Use it to image the device. The image will be automatically decrypted. Note that the keychain database will be extracted but will NOT be decrypted. This is the property of Secure Enclave that makes it impossible to extract the required decryption key even from jailbroken devices.

A Word on Physical Acquisition

Physical acquisition is the most comprehensive acquisition method available. We have two articles explaining the benefits of physical compared to other acquisition methods:

Unknown Passcode: Can It Be Recovered?

You only need to recover the passcode if acquiring a recent (iPhone 4S and newer) iPhone. Older devices can be broken with Elcomsoft iOS Forensic Toolkit via DFU mode.

In certain cases, unknown passcodes can be recovered. However, this ability is subject to hardware generation, version of iOS and whether or not the iPhone is configured to erase after 10 unsuccessful unlock attempts (an optional setting).

Generally speaking, passcode recovery with a dedicated box (e.g. IP-BOX or similar) is available if all of the following is true:

  • The phone is protected with a 4-character numeric passcode
  • You’re trying to unlock a 32-bit device without Secure Enclave *
  • The device is running iOS 8 or older **
  • You’re certain that an option to erase the device after 10 unsuccessful attempts is not enabled

* Secure Enclave (iPhone 5S and newer) enforces a progressively increasing delay when attempting to brute-force passcodes. Some products claim to bypass that protection by adding several seconds of an artificial delay between passcode attempts. Needless to say, this makes the recovery process extremely slow, but depending on your circumstances it may be still worth the wait.

** Compatibility with different versions of iOS varies between vendors. At this time, we know of no single solution to recover passcodes on iPhones running iOS 9 and newer.

Note, however, that some manufacturers (e.g. MFC Dongle, http://www.cellcorner.com/xshp/unlock-phone-codes/mfc-dongle-full-set-with-cable-set-and-ipower-adapter.html) may be able to recover passcodes on jailbroken iOS devices running iOS 8 through 8.4 (support for non-jailbroken devices ends on iOS 8.1).

We know of the following popular solutions employing a combination of custom hardware and software to crack iPhone passcodes:

  • IP-BOX (up to iOS 8.1.1)
  • MFC Dongle (up to iOS 8.1; up to iOS 8.4 for jailbroken devices)
  • HDB Box (up to iOS 8.1)
  • ViTool (up to iOS 7.x)
  • svStrike
  • XPIN CLIP (up to iOS 8.1)

A quick comparison table for these devices is available at http://www.cellcorner.com/xshp/unlock-phone-codes/xpin-clip-bruteforce-pincode-patter-lock-unlocker.html

While these combined software/hardware solutions are advertised to allow breaking device passcodes, they have too many limitations to be practical. Most solutions are limited to certain iPhone device models and iOS versions, and even for compatible models they are far less than 100% effective. For example, passcode recovery is not available for iPhones that are already disabled because of multiple entries of wrong passcodes. They cannot bypass the option to “Erase iPhone contents after 10 failed passcode attempts”. Many boxes don’t have the ability to deal with the increasing delay when trying passcodes (this delay is hardware enforced since iPhone 5s), and even those that do are extremely slow (think of one passcode in several seconds). So try them at your own risk.

Other Acquisition Options

If jailbreak cannot be installed, you are limited to logical and over-the-air acquisition. In this context, logical acquisition simply means creating an iTunes backup of the device. Please note that no commercial mobile forensic tool does anything special for “logical acquisition”; it’s always just a backup created with iTunes. Subsequent analysis options may vary.

If physical acquisition is not available for a given device, you may have other options. You can try locating a lockdown record and making a local backup; look for existing offline backups; look for iCloud authentication tokens on the user’s computer to attempt cloud acquisition; or use the Apple ID and password (if known) to do the same.

Lockdown Records

The first option is attempting to locate a lockdown record on the user’s computer (PC or Mac) that was synced to the iPhone. If the iPhone was unlocked at least once after the last cold boot, the lockdown record can be used to unlock the iPhone when connecting to the computer. Once this is done, you can use iTunes to make the phone create a local (offline) backup.

There are several things to note when going this route.

  1. Unlocking with a lockdown record only works if the iPhone was unlocked with a passcode at least once after the last reboot.
  2. When making a local backup with iTunes, you may see it’s password-protected. There is no way to remove, reset or replace that password without first entering the original password. Password-protected backups are encrypted. You can use Elcomsoft Phone Breaker to run an attack on the backup password and decrypt the backup once the password is found. Depending on how long and complex the password is, the recovery may or may not work out. The recovery speed is fast, and the recovery process is performed offline on your computer with full hardware acceleration.
  3. On the other hand, if device backups are NOT protected with a password, the keychain will remain encrypted with a hardware key that is impossible to break. In order to access information stored in the keychain, you will need to specify your own known password before making a backup, then use Elcomsoft Phone Breaker to decrypt the backup (no need to break the password in this case, just enter the one you’ve specified).

To sum it up, if you’re able to unlock the device and produce a local backup, set your own known backup password instead of producing an unencrypted backup (you’ll get more data this way).

Why is an unknown backup password a problem? The thing is, the backup password is a property of the device itself and not just a setting in iTunes. If the password is set, all backups of the given device created on all computers will be encrypted with the same password, and that password cannot be changed until you enter the original one. Elcomsoft Phone Breaker can be used to break the backup password, although long and complex passwords may take forever to break. Sometimes, however, you may be able to extract the backup password from the computer the device was connected to.
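As an added example (not from the original post and not Elcomsoft’s code), here is a small audit that reads a backup’s Manifest.plist and reports whether the backup was made with a password, which is what decides whether the keychain can be decrypted later. The key names IsEncrypted, WasPasscodeSet and Lockdown/ProductVersion are assumed from the Manifest.plist layout; the sample manifest is constructed inline for an offline run.

```python
import os
import plistlib

# Key names (IsEncrypted, WasPasscodeSet, Lockdown/ProductVersion) are assumed
# from the iOS backup Manifest.plist layout; confirm them against a real backup
# before relying on this audit.


def audit_manifest(manifest_bytes: bytes) -> dict:
    """Apply the article's rule: an unencrypted backup leaves the keychain
    locked to the device's hardware key, a password-protected backup lets
    you decrypt the keychain once the backup password is known."""
    m = plistlib.loads(manifest_bytes)
    encrypted = bool(m.get("IsEncrypted", False))
    lockdown = m.get("Lockdown") or {}
    verdict = {
        "ios_version": lockdown.get("ProductVersion", "unknown"),
        "backup_encrypted": encrypted,
        "passcode_was_set": bool(m.get("WasPasscodeSet", False)),
        "keychain_recoverable": encrypted,
    }
    if encrypted:
        verdict["advice"] = "Keychain decryptable with the backup password."
    else:
        verdict["advice"] = ("Keychain stays encrypted with the hardware key; "
                             "set a known backup password and back up again.")
    return verdict


def audit_backup_dir(backup_dir: str) -> dict:
    """Audit an on-disk backup folder (the one that holds Manifest.plist)."""
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as fh:
        return audit_manifest(fh.read())


def sample_manifest(encrypted: bool, passcode_set: bool, ios: str) -> bytes:
    """Constructed sample manifest for offline testing, not a real device's."""
    return plistlib.dumps({
        "Version": "10.0",
        "IsEncrypted": encrypted,
        "WasPasscodeSet": passcode_set,
        "Lockdown": {"ProductVersion": ios},
    })


if __name__ == "__main__":
    for enc in (False, True):
        print(audit_manifest(sample_manifest(enc, True, "9.3")))
```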

We’ll briefly mention advanced logical as yet another acquisition method that existed before iOS 8 (so it’s applicable to older devices running iOS 7 and earlier). Advanced logical acquisition allows extracting more information than available in backups; however, Apple shut the door for this method in iOS 8. If you have a lockdown record and if the device is running iOS 7 or earlier, you can try this method.

Cloud Acquisition

Since iOS 5, Apple provides a convenient way to back up information into the cloud. iOS devices can be configured to automatically back up to iCloud (up to iOS 8) or iCloud Drive (since iOS 9). These cloud backups contain as much information as unencrypted local backups. Cloud backups are encrypted; however, Apple has the decryption keys, and those keys are stored alongside the data.

These backups can be downloaded and decrypted with Elcomsoft Phone Breaker if either of the following is true:

  • You know the user’s Apple ID and password. If two-step verification or two-factor authentication is enabled, you have access to the secondary authentication factor. If you don’t know the user’s Apple ID password, you may be able to extract it (http://blog.elcomsoft.com/2015/03/acquiring-and-utilizing-apple-id-passwords-mitigating-the-risks-and-protecting-personal-information/).
  • You possess a non-expired authentication token extracted from the user’s PC or Mac. iCloud authentication tokens (iOS 5 through 8) expire within an hour, while iCloud Drive tokens (iOS 9) have a much longer lifespan. Two-step verification and two-factor authentication are automatically bypassed if you are using the token.

Note that existing cloud backups may be very old (which, by the way, can be used to your advantage as you may obtain information that was deleted from the device a long time ago). You may be able to force a locked iOS device to produce a fresh cloud backup if all of the following conditions are met:

  • The iPhone has been unlocked at least once after last cold boot (otherwise, Wi-Fi password remains encrypted)
  • The iPhone is connected to a known Wi-Fi network (you can set up your own Wi-Fi network with the same SSID and password as the user’s)
  • The iPhone is connected to a charger
  • The iPhone is locked

Any of the following can prevent cloud acquisition:

  • The Apple ID password was changed. If this is the case, the iPhone will not be able to connect to the cloud.
  • “Find My Phone” was used to remotely lock or erase the device. If remote erase was activated, the iPhone will wipe evidence immediately after getting online.
  • If two-factor authentication is enabled, and if the device you’re trying to acquire is the only trusted device, you may not be able to receive the secondary authentication code. You can try to request the code to be delivered as a text message/SMS to the SIM card, which you may try using in another phone. (The SIM card may have its own PIN protection enabled, which is not very likely these days).


REFERENCES:

Elcomsoft iOS Forensic Toolkit

Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.

Elcomsoft iOS Forensic Toolkit official web page & downloads »