Passcode vs. Biometrics: Forensic Implications of Touch ID and Face ID in iOS 12

August 27th, 2019 by Oleg Afonin
Category: «General», «Security»
  • 3
  • 26
  •  
  •  
  • 1
  •  
  •  
  •  
    30
    Shares

What can and what cannot be done with an iOS device using Touch ID/Face ID authentication as opposed to knowing the passcode? The differences are huge. For the sake of simplicity, we’ll only cover iOS 12 and 13. If you just want a quick summary, scroll down to the end of the article for a table.

BFU and AFU

Let’s get it out of the way: everything that’s listed below applies exclusively to AFU (After First Unlock) devices. You cannot use biometrics to unlock an iOS device that’s been restarted or powered on; such devices are in the state known as BFU (Before First Unlock).

BFU, Before First Unlock: The iOS device was restarted or powered off; you powered it on but cannot unlock it because it’s protected with an unknown passcode.

AFU, After First Unlock: The iOS device was unlocked (with a passcode) at least once after it’s been last rebooted or powered on.

Screen Lock: Unlocking the Device

Touch ID or Face ID can be only used to unlock AFU devices. In order to unlock a BFU device, you’ll have to use the passcode. Even if you manage to bypass the lock screen (via an exploit), you won’t be able to access most device data as it will be encrypted. The decryption key is generated when the user first unlocks the device; the key is based on the passcode.

According to Apple, “for better security, set a passcode that must be entered to unlock iPhone when you turn it on or wake it”.  You cannot unlock BFU devices with Touch ID/Face ID, period.

Touch ID and Face ID are considered less secure compared to the passcode. iOS has multiple policies in place that make Touch ID/Face ID expire, requiring the user to re-enter their passcode. Apple’s iOS 12 Guide mentions following expiration policies:

  1. You turn on or restart your iPhone.
  2. You haven’t unlocked your iPhone for more than 48 hours.
  3. You haven’t unlocked your iPhone with the passcode in the last 6.5 days, and you haven’t unlocked it with Face ID or Touch ID in the last 4 hours. (Used to be 6 days / 8 hours).
  4. Your iPhone receives a remote lock command.
  5. There are five unsuccessful attempts to unlock your iPhone with Face ID or Touch ID.
  6. An attempt to use Emergency SOS is initiated. *
  7. An attempt to view your Medical ID is initiated.

* Emergency SOS mode can be activated by holding one of the Volume keys + Sleep/Wake key, or by clicking the Sleep/Wake key several times in rapid succession. You’ll have to use the passcode to unlock the iPhone. The Emergency SOS mode also disables the Lightning port, effectively blocking USB access to the device.

Pairing with New Computer: Passcode Only

You must enter a passcode on your iOS device when connecting to a new computer. Without the passcode, you will not be able to create a trusted relationship with a new Mac or PC. As a result, you’ll be unable to make backups or extract information from the device (other than accessing a limited set of data such as the device’s serial number and IMEI).

Pairing with a new computer requires the passcode. Touch ID/Face ID cannot be used to establish new trusted relationships.

Connecting to a Trusted Computer

If the computer you are connecting to is trusted (or you are using a valid lockdown/pairing record), AFU devices can be successfully connected. Neither the passcode nor Touch ID/Face ID are required to connect to a previously trusted computer.

Tip: you can copy lockdown files from the trusted computer and use them with Elcomsoft iOS Forensic Toolkit to perform advanced logical extraction.

Logical Acquisition (Trusted Computer)

Logical acquisition can be only performed on trusted computers after establishing a pairing relationship OR using a valid lockdown record extracted from a trusted computer. Once you make the connection, you can capture a local backup, extract crash logs, list installed apps, access media and shared files.

Logical acquisition can be performed on AFU devices on trusted computers or if a valid lockdown file is available. Touch ID/Face ID/passcode are not required.

Viewing Saved Passwords

You will not need the passcode to access passwords stored in the iOS Keychain. In order to view passwords, open the Settings app and navigate to Passwords & Accounts. Tap Website & App Passwords. The iOS device will scan your face or prompt for a fingerprint to enable access.

Touch ID/Face ID can be used to view passwords stored in the iOS Keychain. Note that some passwords (e.g. the Apple ID password, iTunes backup password, Screen Time password etc.) are hidden and can only be extracted via physical acquisition (requires a jailbreak). Some (but not all) of those passwords can be extracted by analyzing a password-protected iTunes backup.

Passcode can be used if the iOS device has trouble recognizing your face or fingerprint.

Resetting iTunes Backup Password

Since iOS 11, you can use the “Reset All Settings” command to remove an unknown password protecting the phone’s iTunes backups. Notably, the command also removes device passcode. Changing or removing the passcode always requires confirming the original screen lock password. As a result, in order to use the “Reset All Settings” command, you will need to provide the passcode.

Touch ID/Face ID cannot be used to reset an unknown iTunes backup password.

Note: in iOS 13, you will also need to provide the passcode when setting the backup password via iTunes or forensic acquisition software.

Jailbreaking

Surprisingly, there are ways to jailbreak certain versions of iOS without the passcode. However, there are limitations and implications to jailbreaking that we will only briefly mention in this article.

WARNING: A jailbreak may reboot your device. This could be accidental or required by the jailbreak itself. If a reboot occurs, the device state will change to BFU, and you will be required to enter the passcode to unlock. In our experience, RootlessJB rarely (if ever) reboots the device; however, its compatibility with the latest versions of iOS and its device support are limited. Most jailbreaks that do file system remount do require a reboot.

Web-based jailbreaks. Certain combinations of iOS/hardware can be jailbroken by opening http://ignition.fun/ in Safari and using a Web-based jailbreak. Web-based jailbreaks are pre-signed with Developer or Enterprise certificates. Note, however, that using a Web-based exploit exposes the iOS device to the Internet, making it possible for the suspect to remote lock and remote erase the device. To give you an idea, at the time of the writing the latest version of iOS is iOS 12.4, while the latest generation of Apple SoC is A12. A Web-based unc0ver jailbreak is available for iOS 12.4 (A7 through A11 devices). Jailbreaking guide.

Jailbreaking using a trusted computer. Offline jailbreaks such as Chimera and Unc0ver are available for certain combinations of iOS/hardware. These are typically installed via Cydia Impactor. Installing a jailbreak requires a paired (trusted) computer. We recommend using a registered Developer account to sign the jailbreak IPA.

Jailbreaking on untrusted computers. Offline installation of a jailbreak is not possible if you cannot connect the iOS device to a computer (as a reminder, establishing a new pairing relationship requires the passcode). The only available jailbreaking method is by using a Web-based jailbreak.

Jailbreaking Summary

  • Web-based installation: yes, you can use Touch ID/Face ID without the passcode to jailbreak compatible devices. Internet connection required with associated risks.
  • Offline installation, trusted computer: yes, you can use Touch ID/Face ID without the passcode to jailbreak compatible devices.
  • Offline installation, new/untrusted computer: no, you require the passcode to pair the iOS device to the computer. You can still use Web-based jailbreaks (Internet connection required with associated risks).

Disabling iCloud Lock/Find My iPhone

In order to disable iCloud lock, you’ll have to switch off the Find My iPhone feature. Switching off Find My iPhone requires one of the following:

  1. The user’s original Apple ID password
  2. The device screen lock password

Disabling iCloud lock with Touch ID/Face ID alone is not possible.

Apple Pay

You can use Apple Pay with Face ID/Touch ID alone. You can also view the last 10 transactions (no authentication required). The passcode is not required.

Physical Acquisition with iOS Forensic Toolkit

Elcomsoft iOS Forensic Toolkit allows you to obtain the file system image (.tar) if you are able to unlock the device with Face ID/Touch ID or the passcode (requires jailbreak).

The passcode is required (on the device) to extract the keychain. The device must be jailbroken.

iCloud Keychain, Messages and Health

The passcode is required in order to download these protected categories: iCloud Keychain, iCloud Messages and Apple Health. You cannot substitute it with Touch ID or Face ID.

USB Restricted Mode

USB restricted mode is a powerful security measure that disables the iPhone’s data communications over the Lightning connector to prevent data theft and to make passcode attacks more difficult. In iOS 12, USB connections are disabled immediately after the device locks if more than three days have passed since the last USB connection, or if the device is in a state when it requires a passcode. You are welcome to read our comprehensive write-up on the subject in USB Restricted Mode Inside Out.

For the purpose of this article it’s important that USB restricted mode only shuts down the USB connection once the device screen is locked. As a result, if you can unlock the iPhone using the Touch ID or Face ID, you will effectively re-enable the USB port and bypass the restriction.

Touch ID/Face ID Summary

Disable iCloud lockNoYesDisable iCloud lockNoYesDisable iCloud lockNoYesDisable iCloud lockNoYes

Touch ID/Face ID Passcode
Unlock BFU device No Yes
Unlock AFU device Sometimes Yes
AFU DEVICES ONLY
Pair with new computer No Yes
Connect to trusted computer Yes Yes
Make a local backup Trusted/Lockdown only Yes
Access media files Yes (on device) Yes
View saved passwords Yes (on device) Yes (on device)
Jailbreak: Web-based Yes (if supported) Yes (if supported)
Jailbreak: offline, trusted PC/lockdown Yes (if supported) Yes (if supported)
Jailbreak: offline, new/untrusted PC No Yes (if supported)
Reset iTunes backup password No Yes (if no Screen Time password)
Disable iCloud lock No Yes
Use Apple Pay Yes Yes
File system image (physical acquisition) Yes Yes
Keychain (physical acquisition) No Yes
iCloud Keychain, Health, Messages No Yes
Bypass USB restricted mode Sometimes Yes

 


  • 3
  • 26
  •  
  •  
  • 1
  •  
  •  
  •  
    30
    Shares