iOS 11 is finally here. We already covered some of the issues related to iOS 11 forensics, but that was only part of the story.
Should we expect a jailbreak? Is there still hope for physical acquisition? If not, is logical acquisition affected? Are there any notable changes in iCloud? What would be easier to do: logical or iCloud acquisition, and what are the prerequisites for either method? What do you begin with? How to make sure the suspect does not alter their iCloud storage or wipe their device in the process? Can we actually get more information from the cloud than from the device itself, even with physical, and why?
Spoiler: the short answer to the last question is “yes”. The long answer is a bit complicated. Keep reading.
The keychain is the most secure component of the entire iOS . The keychain is system-wide storage (also in macOS) to keep the most sensitive data such as passwords, encryption keys, authentication tokens, and credit card numbers. This also includes credentials to social networks, password managers, online banking and a lot more.
There is no UI in the iOS itself to view the content of the keychain, meaning you cannot simply browse through your passwords. Creating a third-party viewer is also impossible. The reason is simple. Every application in iOS can only work with its keychain data and not with the system records or other apps’ data – for obvious security reasons. Otherwise, a malicious program might steal your credentials.
There are two distinct ways to acquire and decrypt the keychain: obtain from an iTunes backup, or extract with physical acquisition. Let’s go through both of them.
There is a very important note about local (iTunes) backups in Apple Knowledge Base that is easy to miss:
The Encrypt backup feature in iTunes locks and encodes your information. Encrypted iTunes backups can include information that unencrypted iTunes backups don’t:
- Your saved passwords
- Wi-Fi settings
- Website history
- Health data
If you restore your backup to the same device, there is no difference between password-protected and unencrypted backups. Either way, you get everything back. But if you restore an unencrypted backup onto another iPhone, the data listed above will not be restored.
In reality, all the data listed above is always there, whether you encrypt the backup or not. The only difference is how it is encrypted. In password-protected backups, encryption is based on the user-provided backup password. In backups without password, a hardware key is being used, which is unique for every device. That key is very difficult to obtain. You can only extract that key using physical acquisition, and even that only works for 32-bit devices, up to and including iPhone 5 and 5c.
Surprisingly, iCloud backups are about the same as local backups without a password, at least from the point of keychain encryption.
All this means that in order to acquire the keychain you’ll have to create a password-protected iTunes backup, and then use the Explore keychain feature in Elcomsoft Phone Breaker.
The problem here is that the backup password is a property of the device and not of the particular backup. This means that if a backup password is set for a particular backup (and you do not know the password), there is no way to create a new backup (whatever computer you connect the device to) encrypted with your own password, or with no password at all. iTunes does not actually create the backup; the device itself does. The backup password is stored deep inside the device and cannot be extracted no matter which acquisition method you use. This means that if a backup password is not known, then your only choice is to crack it with brute-force or run a dictionary attack (also available in Elcomsoft Phone Breaker). However, password recovery speed is extremely slow with iOS 11, being just a few passwords per minute on modern computer. You can bump that speed to a hundred p/s using a powerful video card, but this still only allows you to break passwords containing 4-5 characters max (unless the password is a common dictionary word), even if you have a supercomputer in your garage and a couple hundred years of free time.
With all iPhones beginning with iPhone 4S, physical acquisition (which means creating an exact copy of the device, including quite a lot of files that are not included in the backup) requires jailbreaking. At this time, the latest iOS version for which a jailbreak is available is iOS 10.2. Even then it’s not working all devices; for example, iPhone 7 can be jailbroken only with iOS up to 10.1.1. iOS 10.3 has a new file system (APFS) as well as quite a lot of security improvements, and the chances that it will be be jailbroken are very low. iOS 11? Don’t even think about it yet. Unless there is something we are not aware of, forget about jailbreaking for new devices. Also, read this: Jailbreak Pioneers Say Jailbreaking Is Officially Dead.
If you have an older iPhone running an older version of iOS, you might be able to install a jailbreak. All devices up to and including iOS 8.4 are jailbreakable; in fact, the latest iOS 8.4.1 is not, but it seems that a jailbreak for it is on the way. For iOS 9, the situation is much worse. For older 32-bit devices (such as iPhone 5/5C), the jailbreak is available for all versions up to 9.3.5. For 64-bit devices (up to iPhone SE/6S) only versions up to 9.3.3 are supported. Finally, to iOS 10: only 64-bit devices can be jailbroken, and only up to iOS 10.1.1 (iPhone 7) and 10.2 (all others). Just to remind you: the latest 10th gen iOS is 10.3.3, and iOS 11 is already available.
What is the thing with jailbreaking devices, speaking of forensics? Compared to logical acquisition (aka creating an iTunes backup), you get a lot more data including (but not limited to) geolocation information, third-party app data, downloaded mail and a lot more. And you may get the keychain as well. We had several write-ups on physical acquisition in our blog:
Physical Acquisition Is…
iOS 10 Physical Acquisition with Yalu Jailbreak
Physical Acquisition for 64-bit Devices, iOS 9 Support
Why Do We Need Physical Acquisition?
There is a big difference between 32-bit and 64-bit devices. For 32-bit devices (up to iPhone 5/5C), we can extract everything including ALL records in the keychain, and even including records that are not available (i.e. cannot be decrypted) in iTuned backups.
For 64-bit devices (starting from iPhone 5S and up to iPhone 7 and iPhone 7 Plus), however, physical acquisition is limited to copying the file system only. The keychain (or some system components that are required to access it) are well protected with Secure Enclave.
As a result, if strong password is set on the iTunes backup and the given device cannot be jailbroken (or even if it can, but it is an iPhone 5S or later), you have no chance to access the keychain.
Believe or not, but iCloud keychain was introduced almost four years ago in iOS 7.0.3 .
This is the feature we all love – especially if you live in the Apple ecosystem (like me) and use more that one device. Then all your passwords are synced across all your devices.
Every new feature creates a new security risk and opens a new door for digital forensics.
The thing that was earlier considered impossible (acquiring the keychain for a 64-bit device with a strong iTunes backup password) is in your hands now. Yes, iOS 11 is now supported. Here is the step by step manual to get into the iCloud keychain:
How to Extract iCloud Keychain with Elcomsoft Phone Breaker
The only thing you have to do first is to sync the device being acquired with a new iCloud account (never use any existing account as it may contain some data already). To do that, you only have to connect the device to that new account at [Settings]; if it is already connected to another one, simply tap Sign out first.
If Find My Phone is enabled, however, you might be prompted for an old iCloud password (the one of the device owner). That’s fine if you know it. In case you don’t, you can still change it easily, at least if the account uses two-factor authentication. That sounds weird as accounts with 2FA are supposed to be more secure, but that’s the case. Here is how:
iOS 11 Does Not Fix iCloud and 2FA Security Problems You’ve Probably Never Heard About
The keychain is the key to everything. You get passwords to Wi-Fi access points:
Passwords saved in Safari browser:
Authentication tokens to social network accounts (for those that do not save passwords):
And passwords to other Apple iCloud accounts that were ever accessed from the user’s devices:
With iCloud credentials you decrypted, you can access access all the device backups (yep, now with iOS 11 support!):
As well as real-time synced iCloud data:
P.S. The version number of the latest iOS reminded me of that video. What about you, are you able to pronounce ELEVEN the right way? 😉