In light of recent security incidents, Apple introduced a number of changes to its security policies. As one of the leading security companies and a major supplier of forensic software for iOS devices, ElcomSoft is constantly approached by IT security specialists, journalists and forensic experts. The most common question is: how will the new security measures affect iOS forensics?
Apple’s New Security Measures: Two-Step Authentication
Apple’s response to the recent security incidents was to further expand two-step verification and to deliver notifications to users when information stored in their cloud account is accessed from a new device. Two-step authentication is now extended to cover cloud backups, using either a verification code sent to a trusted device or the recovery key.
While ElcomSoft was expecting these new security measures to be implemented with the launch of iOS 8, Apple decided to roll out the new iCloud security measures ahead of the iOS 8 release. This effectively banned third-party tools such as older versions of Elcomsoft Phone Breaker, and any tools based on the same principle, from accessing the cloud if the user has two-factor authentication enabled on their account.
Two-factor authentication now covers iCloud backups as well as any other information stored in the cloud (such as Pages, Keynote or Numbers documents).
ElcomSoft has investigated the new security measures and concluded that it is still possible to access cloud data with a third-party forensic tool, provided that one of the following is available to the investigator.
Effectively, the new security measures require the investigator to either possess the physical device (which must be unlocked) in order to receive a security code; know the recovery key (which should be the norm in corporate environments, but is hardly viable for forensic investigations); have access to an app-specific password (which, again, must be known); or have access to a binary authentication token collected from one of the user’s mobile devices or from a PC or Mac that was used to log in to iCloud.
The updated Elcomsoft Phone Breaker adds support for all relevant two-factor authentication methods, saving a reusable authentication token that bypasses secondary authentication in subsequent sessions. Existing binary authentication tokens can be extracted from the user’s computers, hard drives or disk images. All in all, the use of authentication tokens looks promising for digital forensics. Indeed, the binary authentication token can be used to download information from the cloud even if the user’s Apple ID and password are unknown. The token can be obtained from the suspect’s computer, hard drive or disk image, and does not require possession of an unlocked mobile device. Finally, downloading with a binary authentication token does not trigger an email notification.
Of course, binary authentication tokens are neither snake oil nor a silver bullet. For one thing, they may expire after some time (this is not under our control) or be invalidated (revoked) by the account owner. And in any case, the tokens are not always accessible: that is a question of physical security (obtaining the system itself), system security (gaining access to the user’s files, which may require at least the logon password and/or breaking the full-disk encryption), as well as of how iCloud Control Panel is set up.
User Notification on iCloud Access
In addition to two-step authentication, Apple now sends email notifications to the user’s Apple ID address when cloud backups are downloaded. While an email notification is delivered when iCloud backups are accessed from a new IP address, no notifications are sent when application data such as Pages, Keynote or Numbers documents is accessed. Although these notifications will effectively stop forensic companies from tracking suspects’ actions silently, they will also put an end to stealthy malicious spying.
ElcomSoft’s Take on Two-Step Authentication and User Notification
There are other important considerations regarding Apple’s two-factor authentication.
As of today, Apple implements two-factor authentication but does not enforce it on its users. Enforcing the extra authentication step would cost many users enough convenience that some of them would undoubtedly abandon iCloud altogether. Given Apple’s strong interest in cloud storage (backed by its recent introduction of iCloud Drive), we are pretty sure the company will not start enforcing the two-step policy in the foreseeable future.
The exact number of users who have two-factor authentication enabled is not known; Apple does not release the numbers. Even with the recent developments, two-factor authentication is still not the easiest thing to use. Here at ElcomSoft, we have a good feeling that most Apple users do not and will not enable it, no matter what. As a result, for many (or most) cases involving Apple mobile devices it is business as usual, today and in the foreseeable future.
Another consideration is that using two-factor authentication for iCloud may sometimes create additional risks for Apple users. Many Apple users have only a single iOS device. Even if they have more than one, usually only a single device is verified/trusted (meaning the security code can be sent to it).
With a single trusted device, losing access to that device (lost, stolen or broken) means that the recovery key becomes the only way to access iCloud for any purpose, whether syncing, working with documents or restoring from an iCloud backup. This key is generated automatically. It is fairly long and impossible to memorize for 99% of us (as opposed to user-selected passwords, which can be both long and easy to memorize at the same time). So if that recovery key is also lost (which, by the way, is a very probable scenario, as it is not used for anything under normal circumstances), the user loses everything in their iCloud account.
On the other hand, users who protect their recovery key by writing it down or storing it in a file on their computer (or by emailing or messaging the key to themselves) face the risk of that key being compromised. The consequences of a stolen recovery key are much more severe than those of a compromised Apple ID password alone. A compromised recovery key enables the third party to buy expensive physical goods in the Apple Store: no credit card is required if one is already on record, and the shipping address can be changed.
ElcomSoft’s take on two-factor authentication is mixed. While two-factor authentication, if enabled, does present obstacles to the forensic process, the same two-factor authentication may not give Apple users adequate protection against malicious access.
Here at ElcomSoft we believe that two-factor authentication is not exactly a perfect solution. As always, there is a balance between security, privacy and convenience; normally, one can choose any two of the three. However, the recent changes deliver very little additional security in exchange for a major headache for Apple users. There ought to be better ways of improving iCloud security and privacy without losing a single bit of convenience. We at ElcomSoft have ideas, but we don’t want to share them with Apple, who place themselves on the other side of the barricade.
On the other hand, ElcomSoft believes that the email notifications sent every time a new device (or IP address) accesses cloud data serve their purpose by warning the user about potentially unauthorized access. Although these notifications are meant to prevent forensic companies from tracking suspects’ actions silently, they will also prevent malicious spying from remaining stealthy.
A note for our forensic customers: two-step verification does not engage and is effectively bypassed if Elcomsoft Phone Breaker (latest version) is using a binary authentication token collected from the user’s computer, hard drive or disk image. In addition, if any of the other authentication methods is completed (e.g. recovery key, trusted device, app password), Elcomsoft Phone Breaker also generates an authentication token that can be used across multiple download sessions without the need to re-authenticate and without generating notification emails. In that case, the system considers such requests to be pre-authenticated.