ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Archive for July, 2018

iOS 12 Beta 5: One Step Forward, Two Steps Back

Tuesday, July 31st, 2018

The release of iOS 11.4.1 marked the introduction of USB restricted mode, a then-new protection scheme disabling USB data pins after one hour. The USB restricted mode was not invincible; in fact, one could circumvent protection by connecting the device to a $39 accessory. While a great improvement on itself, the new mode did not provide sufficient protection. We wished Apple maintained a list of “trusted” or previously connected accessories on the device, allowing only such devices to reset the timer. In this new iOS 12 beta, Apple makes attempts to further “improve” USB restricted mode, yet the quotes about “improving” the system are there on purpose.

We recently covered the whole story starting from iOS 11.3 and up to the then-current iOS 12 beta, but it looks the story is far from the end. I think Apple monitors media coverage including our blog, and takes a note on some of the readers’ comments in an attempt to find the right balance between security and convenience. We even suggested how they could possibly improve the new mode’s implementation, and… iOS 12 Beta 5 (just released) brings another surprise.

(more…)

USB Restricted Mode Inside Out

Thursday, July 12th, 2018

It’s been a lot of hype around the new Apple security measure (USB restricted mode) introduced in iOS 11.4.1. Today we’ll talk about how we tested the new mode, what are the implications, and what we like and dislike about it. If you are new to the topic, consider reading our blog articles first (in chronological order):

To make a long story short: apparently, Apple was unable to identify and patch vulnerabilities allowing to break passcodes. Instead, they got this idea to block USB data connection after a period of time, so no data transfer can even occur after a certain “inactivity” period (keep reading about the definition of “inactivity”). It is somehow similar to how Touch ID/Face ID expire from time to time, so you can only use the passcode if you did not unlock the device for a period of time. Same for USB now.

(more…)

Accessing Lockdown Files on macOS

Thursday, July 12th, 2018

Lockdown records, or pairing records, are frequently used for accessing locked iOS devices. By using an existing lockdown record extracted from the suspect’s computer, forensic specialists can perform logical acquisition of the iOS device with iOS Forensic Toolkit and other forensic tools. Logical acquisition helps obtain information stored in system backups, access shared and media files, and even extract device crash logs. However, lockdown records may be tricky to access and difficult to extract. macOS protects lockdown files with access permissions. Let’s find out how to access the lockdown files on a live macOS system.

What Are Lockdown Records, Technically?

A down to the Earth explanation of a lockdown records is it’s simply a file stored on the user’s computer. More technically, lockdown files keep cryptographic keys that are used to allow iOS devices communicate with computers they are paired to. Such pairing records are created the first time the user connects their iOS device to a Mac or PC that has iTunes installed. Lockdown records help the iPhone talk to the computer even if the iPhone in question is locked, so that the user does not have to unlock the device every time it’s connected to the PC. This means that experts may be able to perform logical acquisition of locked iOS devices if they can obtain a valid, non-expired lockdown record. There are some “ifs and buts” though. Namely, lockdown records expire after a while. And you can only use lockdown records if the iPhone in question was unlocked (with its passcode) at least once after it was powered on or rebooted. Otherwise, the data partition remains encrypted, and you can access very little information (yet you can still get some info about the device).

macOS Protects Access to Lockdown Files

In macOS, lockdown records are stored at /private/var/db/lockdown. Starting with macOS High Sierra, Apple restricts access to this folder. If you are analyzing a live system, you’ll need to manually grant access rights to this folder. This is how.

(more…)

Training in Vienna

Tuesday, July 10th, 2018

Did you know we have forensic trainings? We’ve partnered with T3K Forensics to feature a 3-day training on iOS forensics. This fall in beautiful Vienna, 17.-19.10.2018, we’ll train a group of law enforcement and forensic specialists on every aspect of iOS acquisition and analysis. We’ll talk about the acquisition workflow and have participants perform logical, physical and cloud extraction of iOS devices. Expect live demonstrations and fully guided hands-on experience jailbreaking and extracting iOS devices, pulling data from locked iPhones and accessing the cloud for even more evidence.

In this training:

  • Mobile acquisition workflow
  • Seizing, storing and transporting wireless capable mobile devices
  • Acquisition methods that don’t work
  • Full-disk encryption, passcode and biometrics
  • Acquisition methods: logical, physical and cloud
  • Logical acquisition: extracting encrypted and unencrypted backups; shared files; photos and videos; crash logs
  • Logical acquisition of locked devices: locating, extracting and using lockdown records
  • Physical acquisition: jailbreaking, imaging the file system, extracting passwords and decrypting the keychain
  • Cloud acquisition: synced data; backups; messages; iCloud Keychain (Safari passwords)

(more…)

Using iOS 11.2-11.3.1 Electra Jailbreak for iPhone Physical Acquisition

Tuesday, July 10th, 2018

It’s been fast. iOS 11.3.1 and all earlier versions of the system down to iOS 11.2 have been successfully jailbroken. In addition, the jailbreak is compatible with iOS 11.4 beta 1 through 3. We normally wouldn’t post about each new jailbreak release; however, this time things are slightly different. The new Electra jailbreak uses two different exploits and presents two very different installation routines depending on whether or not you have a developer account with Apple. Considering how much more stable the developer-account exploit is compared to the routine available to the general public, this time it pays to be an Apple developer.

We tested the Electra jailbreak and can confirm that iOS Forensic Toolkit 4.0 is fully compatible. File system imaging and keychain extraction work; no OpenSSH installation required as Electra includes an SSH client listening on port 22.

Why Jailbreak?

For the general consumer, jailbreak is one open security vulnerability calling for trouble. Apple warns users against jailbreaking their devices, and there is much truth in their words.

Forensic experts use jailbreaks for much different reasons compared to enthusiast users. A wide-open security vulnerability is exactly what they want to expose the device’s file system, circumvent iOS sandbox protection and access protected data. Jailbreaking extract the largest set of data from the device. During jailbreaking, many software restrictions imposed by iOS are removed through the use of software exploits.

In addition to sandboxed app data (which includes conversation histories and downloaded mail), experts can also extract and decrypt the keychain, a system-wide storage for online passwords, authentication tokens and encryption keys. Unlike keychain items obtained from a password-protected local backup, physical extraction of a jailbroken device gains access to keychain items secured with the highest protection class ThisDeviceOnly (this is how).

The New Electra Jailbreak

Jailbreaking iOS versions past 11.1.2 (for which a Google-discovered vulnerability was published along with a proof-of-concept tool) was particularly challenging but not impossible. At this time, a team of jailbreakers discovered not one but two different vulnerabilities, releasing two versions of Electra jailbreak. Why the two versions?

(more…)

This $39 Device Can Defeat iOS USB Restricted Mode

Monday, July 9th, 2018

The most spoken thing about iOS 11.4.1 is undoubtedly USB Restricted Mode. This highly controversial feature is apparently built in response to threats created by passcode cracking solutions such as those made by Cellerbrite and Grayshift. On unmanaged devices, the new default behavior is to disable data connectivity of the Lightning connector after one hour since the device was last unlocked, or one hour since the device has been disconnected from a trusted USB accessory. In addition, users can quickly disable the USB port manually by following the S.O.S. mode routine.

Once USB Restricted Mode is engaged on a device, no data communications occur over the Lightning port. A connected computer or accessory will not detect a “smart” device. If anything, an iPhone in USB Restricted Mode acts as a dumb battery pack: in can be charged, but cannot be identified as a smart device. This effectively blocks forensic tools from being able to crack passcodes if the iPhone spent more than one hour locked. Since law enforcement needs time (more than one hour) to transport the seized device to a lab, and then more time to obtain an extraction warrant, USB Restricted Mode seems well designed to block this scenario. Or is it?

We performed several tests, and can now confirm that USB Restricted Mode is maintained through reboots, and persists software restores via Recovery mode. In other words, we have found no obvious way to break USB Restricted Mode once it is already engaged. However, we discovered a workaround, which happens to work exactly as we suggested back in May (this article; scroll down to the “Mitigation” chapter).

(more…)

Apple Warns Users against Jailbreaking iOS Devices: True or False?

Monday, July 2nd, 2018

Apple has an article on their official Web site, warning users against jailbreaking iOS devices. The article “Unauthorized modification of iOS can cause security vulnerabilities, instability, shortened battery life, and other issues” is available at https://support.apple.com/en-us/HT201954. How much truth is in that article, and is jailbreaking as dangerous as Apple claims? We’ll comment the article based on our extensive experience in jailbreaking more than a hundred devices running every version of iOS imaginable.

Security Vulnerabilities

Apple introduces the concept of jailbreaking by stating the following: “iOS is designed to be reliable and secure from the moment you turn on your device. Built-in security features protect against malware and viruses and help to secure access to personal information and corporate data. Unauthorized modifications to iOS (also known as “jailbreaking”) bypass security features and can cause numerous issues to the hacked iPhone, iPad, or iPod touch” (HT201954). According to Apple, jailbreaking introduces security vulnerabilities by “…eliminating security layers designed to protect your personal information and your iOS device.

True. Jailbreaking is a process that is specifically designed to circumvent security layers designed to protect information on iOS devices. In fact, this is exactly why we need a jailbreak for tools such as Elcomsoft iOS Forensic Toolkit to operate. Without a jailbreak, we would not be able to access the file system, extract sandboxed app data or decrypt the keychain (including items secured with the highest protection class). Installing a jailbreak, on the other hand, allows us doing all of that – and more. (more…)