ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Author Archive

Peeking Inside Keychain Secrets

Thursday, August 5th, 2010

Today we have released Elcomsoft iPhone Password Breaker 1.20, which introduces two new features and fixes a few minor issues.

Keychain Explorer

This feature lets you view the contents of the keychain included in an encrypted device backup.

Mac users are probably familiar with the concept of a keychain: it is a centralized, system-wide storage where applications can store information they consider sensitive. Typically, such information includes passwords, encryption keys and certificates, but in principle it can be anything. Data in the keychain is cryptographically protected by the OS, and the user password is required to access it. The closest Windows equivalent to the keychain is probably the Data Protection API.

iOS-based devices also have a keychain, but instead of the user password, an embedded cryptographic key is used to protect its contents. This key is unique to each device, and so far there is no way to reliably extract it from the device.

Apple recommends that iOS application developers use the keychain for storing passwords and other sensitive information, and one reason for this is that keychain data never leaves the device unencrypted. Here’s an excerpt from Keychain Service Programming Guide:

In iOS, an application always has access to its own keychain items and does not have access to any other application’s items. The system generates its own password for the keychain, and stores the key on the device in such a way that it is not accessible to any application. When a user backs up iPhone data, the keychain data is backed up but the secrets in the keychain remain encrypted in the backup. The keychain password is not included in the backup. Therefore, passwords and other secrets stored in the keychain on the iPhone cannot be used by someone who gains access to an iPhone backup. For this reason, it is important to use the keychain on iPhone to store passwords and other data (such as cookies) that can be used to log into secure web sites.

Prior to iOS 4 the keychain was also included in the backup “as is”, i.e. all data inside was encrypted using the unique device key. This meant that it was not possible to restore the keychain onto another device: that device would try to decrypt the data with a key different from the one used to encrypt it. Naturally, this fails and all data in the keychain is lost.

To address this issue, Apple changed the way keychain backup works in iOS 4. Now, if you’re creating an encrypted backup (i.e. you’ve set up a password to protect the backup), the keychain data is re-encrypted using an encryption key derived from the backup password and thus can be restored on another device (provided you supply the backup password, of course). If you haven’t set a backup password, everything works as it did before iOS 4: the keychain, encrypted with the device key, is included in the backup.
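The difference between the two backup modes described above, as an added example (not ElcomSoft's or Apple's code). It is a simplified model: the HMAC-based stand-in cipher, the PBKDF2 parameters and all names are assumptions chosen so it runs with the Python standard library alone, and the sample keychain is constructed.

```python
import hashlib, hmac, os

ITERATIONS = 10_000  # illustrative value, an assumption of this model

def _stream(key, nonce, n):
    # Stand-in keystream (HMAC-SHA256 in counter mode), not the cipher iOS uses.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, secret):
    enc, mac = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(enc, nonce, len(secret))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key: keychain item cannot be decrypted")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

def make_backup(device_key, keychain, backup_password=None):
    if backup_password is None:
        # No backup password: items stay encrypted under the device key.
        return {"salt": None, "items": {k: seal(device_key, v) for k, v in keychain.items()}}
    # Backup password set: items are re-encrypted under a password-derived key.
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", backup_password.encode(), salt, ITERATIONS)
    return {"salt": salt, "items": {k: seal(key, v) for k, v in keychain.items()}}

def restore(backup, device_key, backup_password=""):
    if backup["salt"] is None:
        key = device_key  # only the original device holds the right key
    else:
        key = hashlib.pbkdf2_hmac("sha256", backup_password.encode(), backup["salt"], ITERATIONS)
    return {k: unseal(key, blob) for k, blob in backup["items"].items()}

def can_restore(backup, device_key, backup_password=""):
    try:
        restore(backup, device_key, backup_password)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    old, new = os.urandom(32), os.urandom(32)      # two devices, two device keys
    items = {"wifi:home": b"constructed-secret"}   # constructed sample data
    print(can_restore(make_backup(old, items), new))              # device-key backup
    print(can_restore(make_backup(old, items, "pw"), new, "pw"))  # password backup
```

In the password-protected mode the device key plays no part in the restore, so the keychain contents are exactly as well protected as the backup password.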

Elcomsoft iPhone Password Breaker now allows you to view the contents of the keychain from an encrypted backup of a device running iOS 4. You will need to provide the password, of course. Here’s a screenshot of Keychain Explorer showing (some) contents of my iPhone’s keychain:

Keychain Explorer 

There are passwords for all Wi-Fi hotspots I have ever joined (and haven’t pushed “Forget this Network” button), for my email, Twitter, and WordPress accounts, as well as Safari saved passwords and even my Lufthansa frequent flyer number and password! 🙂 And I don’t use Facebook/LinkedIn/anything else on my phone — otherwise I guess credentials for those will be also included in the keychain.

Keychain Explorer works only with backups that are encrypted. If you happen to have an iOS 4 device and want to get passwords from it: set a backup password in iTunes, back up the device, use Keychain Explorer to view and/or export the keychain passwords, and, finally, remove the backup password in iTunes.

Password Cache

This feature is far less exciting than Keychain Explorer, but we believe it should improve user experience with Elcomsoft iPhone Password Breaker.

The idea is simple: all passwords which are found by EPPB or which are used to open a backup in Keychain Explorer are stored in the password cache. When you later try to open a backup in Keychain Explorer or recover a backup password, the program first checks the password cache for the correct password.

Passwords in cache are stored using secure encryption.

Also, there is a new EPPB FAQ online. Worth reading if you’re thinking of purchasing EPPB or want to learn more about it.

There is at least one really big update for EPPB coming in September or October, so stay tuned!

CCFC 2010

Thursday, July 1st, 2010

For the third time we've been invited to Beijing, China to participate in CCFC (China Computer Forensic Conference), to talk about password recovery and to conduct workshop on password recovery tools. Like two previous times, this time CCFC also was great. Lots of visitors, very nice audience and lots of smart questions. On the first day of conference I gave a talk on password recovery (mostly very generic and not very in-depth) and I'd like to share slides of that talk.

0-day

Monday, June 21st, 2010

It’s been two weeks since Steve Jobs announced the release of the new iPhone 4 and the iOS 4 operating system during his keynote at WWDC’2010. The new iPhone will begin shipping on Thursday, 24th of June, and the new iOS will become available for download today; just a few hours are left.

iOS 4 comes packed with a lot of nice features (long-awaited multitasking, background location services, iBooks and a much improved Mail app, just to name a few) and we are very pleased to announce today the release of the new version of Elcomsoft iPhone Password Breaker with support for iTunes 9.2 and iOS 4.

Elcomsoft iPhone Password Breaker (or EPPB for short) is a utility to recover passwords for encrypted and password-protected iPhone/iPod/iPad backups created with iTunes (please note that it’s not meant to recover or remove passcode lock on the device).

With iOS 4 Apple has completely changed the way backups are encrypted and stored. Backup and restore processes are much faster now. Apple have also improved protection against password recovery attacks, thus making our job harder (password recovery is about 5x slower for new backups than for older ones).

We at Elcomsoft try our best to keep up with the times, so most of our tools & programs are adjusted to the latest technologically advanced features. EPPB is no exception: the new version of EPPB fully supports both old and new backup formats. It also supports hardware acceleration using NVIDIA and ATI GPUs and Tableau TACC1441.

ATI is at it. Again.

Wednesday, May 12th, 2010

Two months ago I wrote a blog post "ATI and NVIDIA: Making Friends out of Enemies" where (among other things) I wrote:

Developing software for ATI cards is (okay — was) a nightmare. In 2009 ATI quietly introduced two changes in their drivers which made previously perfectly functional and compatible applications to crash (if you are curious: with Catalyst 9.2 or 9.3 they’ve changed names of supporting DLLs bundled with drivers; with Catalyst 9.9 or 9.10 they’ve probably changed format of underlying binary so that anything compiled and linked in with earlier versions caused a driver to crash).

Well, with the release of Catalyst 10.4 drivers ATI is again at it. This time the problem only affects users who have display adapters from different vendors in their computer. Applications utilizing ATI Stream will work on such configurations just fine with Catalyst 10.3, but once you upgrade to 10.4, applications will crash with the faulting module being aticaldd.dll, a part of the ATI Display driver. Kinda embarrassing, I would say. Regression testing is really something a vendor with millions of users should consider.

Users of our software relying on ATI hardware acceleration (as well as any other ATI Stream enabled applications) should not update to 10.4 if an ATI Radeon is not the only card in their computer.

Elcomsoft iPhone Password Breaker

Friday, May 7th, 2010

Last week we released our new product, EPPB, out of beta. We have fixed some bugs, polished GPU acceleration support, and added support for the Tableau TACC1441 hardware accelerator, making this the world's first program capable of utilizing the computing power of GPUs from both ATI and NVIDIA as well as dedicated hardware accelerators aimed primarily at computer forensics specialists. We have also included the ability to run brute-force attacks and not only wordlist-based attacks. The latter were improved with the ability to enable/disable individual types of password mutations and set a customized level for any of them.

Last but not least, we have found that EPPB can handle encrypted backups from Apple's newest tablet, the iPad (thanks to Apple for using the same underlying technologies for iPhone, iPod Touch and iPad).

Apple iPad

P.S. If anyone's interested, we think that iPad is really cool gadget. It's not a substitute for a laptop, but it's great for catching on emails, surfing web, watching photos or videos or movies and for reading books. And multitouch on 10'' screen is awesome :).

P.P.S. Yes, this blog post was originally created on iPad.

ATI and NVIDIA: Making Friends out of Enemies

Friday, March 12th, 2010

There has been a long-standing competition between NVIDIA and ATI which has lasted for years now. And there is no winner so far: just like with the Windows vs. Linux or PC vs. Mac debates, there are those who prefer the former and others who prefer the latter. Kind of a «religious» issue.

New Contributor

Friday, February 19th, 2010

We are glad to announce that we have a new contributor to our blog and we would like to introduce him to you.

Per Thorsheim is a security professional living and working in Bergen, Norway. He is currently certified CISA and CISM from isaca.org, and CISSP-ISSAP from isc2.org. You can follow him on http://twitter.com/thorsheim and read his personal blog at http://securitynirvana.blogspot.com.

iPhone/iPod Backup Password Recovery

Thursday, February 4th, 2010

Today we are pleased to unveil the first public beta of our new product, Elcomsoft iPhone Password Breaker, a tool designed to address password recovery of password-protected iPhone and iPod Touch backups made with iTunes.

In case you do not know, iTunes routinely makes backups of iPhones and iPods being synced to it. Such backups contain a plethora of information, essentially all user-generated data from the device in question: contacts, calendar entries, call history, SMS, photos, emails, application data, notes and probably much more. Not surprisingly, such information is of significant value to investigators. To make their job easier there are tools to read information out of iTunes backups, one example being Oxygen Forensic Suite (http://www.oxygen-forensic.com/). Such tools cannot deal with encrypted backups, though.

Preliminary Larrabee performance revealed

Friday, June 5th, 2009

When it comes to Larrabee, one of the most intriguing things is its performance. Official information provided by Intel was not enough to get a good estimate. In my previous post I’ve estimated it as "roughly equivalent to GTX 295". Well, it seems I was too optimistic. The latest rumors are that current Larrabee samples deliver the same performance as GTX 285.

We’ve written earlier that Larrabee is probably delayed till early 2010. This almost certainly means that it will have to compete with next-generation ATI and NVIDIA cards, both of which are currently scheduled for Q3-Q4 2009 (ATI have even presented their new chip at COMPUTEX 2009).

Nonetheless, Larrabee still seems promising to us and we will definitely try our best to make our GPU-enabled products such as Distributed Password Recovery and Wireless Security Auditor compatible with Larrabee once it becomes available.

Update (06/08): Intel’s ‘Larrabee’ to Be "Huge".

Eurocrypt 2009 Highlights

Tuesday, June 2nd, 2009

About a month ago the annual Eurocrypt conference took place in Cologne, Germany. This is a rather academic event (as are most if not all events held by IACR), so it is not always easy to read its proceedings, filled with formulas and theorems. Nonetheless there are usually a couple of very interesting works presented at each such event. Let me tell you a little bit about this year’s highlights.