ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Archive for the ‘Did you know that…?’ Category

iOS 12 Beta 5: One Step Forward, Two Steps Back

Tuesday, July 31st, 2018

The release of iOS 11.4.1 marked the introduction of USB restricted mode, a then-new protection scheme disabling USB data pins after one hour. The USB restricted mode was not invincible; in fact, one could circumvent protection by connecting the device to a $39 accessory. While a great improvement in itself, the new mode did not provide sufficient protection. We wished Apple maintained a list of “trusted” or previously connected accessories on the device, allowing only such devices to reset the timer. In this new iOS 12 beta, Apple makes attempts to further “improve” USB restricted mode, yet the quotes about “improving” the system are there on purpose.

We recently covered the whole story starting from iOS 11.3 and up to the then-current iOS 12 beta, but it looks like the story is far from over. I think Apple monitors media coverage including our blog, and takes note of some of the readers’ comments in an attempt to find the right balance between security and convenience. We even suggested how they could possibly improve the new mode’s implementation, and… iOS 12 Beta 5 (just released) brings another surprise.

USB Restricted Mode Inside Out

Thursday, July 12th, 2018

There’s been a lot of hype around the new Apple security measure (USB restricted mode) introduced in iOS 11.4.1. Today we’ll talk about how we tested the new mode, what the implications are, and what we like and dislike about it. If you are new to the topic, consider reading our blog articles first (in chronological order):

To make a long story short: apparently, Apple was unable to identify and patch the vulnerabilities that allow passcodes to be broken. Instead, they came up with the idea of blocking the USB data connection after a period of time, so no data transfer can even occur after a certain “inactivity” period (keep reading about the definition of “inactivity”). It is somewhat similar to how Touch ID/Face ID expire from time to time, so you can only use the passcode if you did not unlock the device for a period of time. Same for USB now.

This $39 Device Can Defeat iOS USB Restricted Mode

Monday, July 9th, 2018

The most talked-about thing in iOS 11.4.1 is undoubtedly USB Restricted Mode. This highly controversial feature was apparently built in response to threats created by passcode cracking solutions such as those made by Cellebrite and Grayshift. On unmanaged devices, the new default behavior is to disable data connectivity of the Lightning connector one hour after the device was last unlocked, or one hour after the device was disconnected from a trusted USB accessory. In addition, users can quickly disable the USB port manually by following the S.O.S. mode routine.

Once USB Restricted Mode is engaged on a device, no data communications occur over the Lightning port. A connected computer or accessory will not detect a “smart” device. If anything, an iPhone in USB Restricted Mode acts as a dumb battery pack: it can be charged, but cannot be identified as a smart device. This effectively blocks forensic tools from being able to crack passcodes if the iPhone spent more than one hour locked. Since law enforcement needs time (more than one hour) to transport the seized device to a lab, and then more time to obtain an extraction warrant, USB Restricted Mode seems well designed to block this scenario. Or is it?

We performed several tests, and can now confirm that USB Restricted Mode is maintained through reboots, and persists through software restores via Recovery mode. In other words, we have found no obvious way to break USB Restricted Mode once it is already engaged. However, we discovered a workaround, which happens to work exactly as we suggested back in May (this article; scroll down to the “Mitigation” chapter).

Breaking Deeper Into iPhone Secrets

Wednesday, June 20th, 2018

iPhone protection becomes tougher with each iteration. The passcode is extremely hard to break, and it’s just the first layer of defense. Even if the device is unlocked or if you know the passcode, it is not that easy and sometimes impossible to access all the data stored on the device. This includes, for example, conversations in Signal, one of the most secure messengers. Apple did a very good job as a privacy and security advocate.

This is why we turned our attention to cloud acquisition. We pioneered iCloud backup extraction several years ago, and we are working hard to acquire more data from the cloud: from the standard categories available at www.icloud.com (such as contacts, notes, calendars, photos and more) to hidden records such as call logs, Apple Maps places and routes, third-party application data stored on iCloud Drive (not accessible by any other means), iCloud keychain (the real gem!), and recently Messages (with iOS 11.4, they can be synced too).

Cloud acquisition is not as easy as it sounds. First, you need the user’s credentials – Apple ID and password at the very least, and often the second authentication factor. Additionally, for some categories (such as the keychain and messages), you’ll also need the passcode of one of the ‘trusted’ devices. But even having all of those, you will still face the undocumented iCloud protocols, encryption (usually based on well-known standard algorithms, but sometimes with custom modifications), different data storage formats, code obfuscation and hundreds of other issues. We learned how to fool Two-Factor Authentication and extract the authentication tokens from desktops. We are playing “cat and mouse” with Apple while they are trying to lock iCloud accounts when detecting that our software is being used to access the data. We have to monitor Apple’s changes and updates almost 24/7, installing every single beta version of iOS.

iCloud acquisition gives fantastic results. In most cases, you do not need the device itself (it may be lost or forgotten, or thousands of miles away). You can obtain deleted data that is not stored on any physical device anymore. You can obtain tons of valuable evidence from all the devices connected to the account.

But as always, there are some “buts”. Sorry for the long intro, and let’s proceed to what we have done about iPhone physical acquisition.

iOS 11.4.1 Second Beta Extends USB Restricted Mode with Manual Activation

Thursday, June 14th, 2018

Thinking Apple is done with USB Restricted Mode? Not yet. They have at least one more deus ex machina to shake up the forensic community.

More than a month ago, we published the report “iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics”. The feature was not included in the final release of iOS 11.4, but returned in a much different shape in iOS 11.4.1 beta (“iOS 11.4.1 Beta: USB Restricted Mode Has Arrived”). The feature is also part of the first iOS 12 beta introduced a few days later.

Finally, Apple has officially confirmed the existence of USB Restricted Mode, and the law enforcement community is not happy about it (“Cops Are Predictably Pissed About Apple’s Plan to Turn Off USB Data Access on iPhones”). Some sources speculated about LE being able to break into the phones without a warrant.

If that was not enough, Apple added insult to injury. Do you remember the S.O.S. mode we described in New Security Measures in iOS 11 and Their Forensic Implications?

I’ve got good news for you. Or bad news, depending on who you are. In the second beta of 11.4.1 released just days ago, activating the SOS mode enables USB restrictions, too. This feature was not present in the first 11.4.1 beta (and it is not part of any other version of iOS including iOS 12 beta). In all other versions of iOS, the SOS mode just disables Touch/Face ID. The SOS feature in iOS 11.4.1 beta 2 makes your iPhone behave exactly as if you had not unlocked it for more than an hour, effectively blocking all USB communications until you unlock the device (with a passcode, as Touch ID/Face ID would also be disabled).

iCloud and iMessage Security Concerns

Thursday, June 14th, 2018

We also trust these companies in ways that we do not understand yet. How many of you trust Apple? No voting… Just me 🙂 Damn! OK. May I ask you a very good question. Trusting to do what? Trusting when they say: “iMessages are end-to-end encrypted”? I mean, with all of that massive security engineering, to make sure it’s as good as it can be, so they genuinely believe they’ve done that. I do, generally, they’re great people. But… people believe themselves they can defend themselves against the Russians. If the Russians specifically targeted Apple, it’s only they can defend themselves. (Ian Levy, director at the GCHQ on anniversary of the foundation of the FIPR event that was held on 29/04/2018).

This is probably just a coincidence, but “the Russians” are concerned about iCloud security, too.

Protecting Your Data and Apple Account If They Know Your iPhone Passcode

Tuesday, June 12th, 2018

This publication is somewhat unusual. ElcomSoft does not need an introduction as a forensic vendor. We routinely publish information on how to break into the phone, gain access to information and extract as much evidence as theoretically possible using hacks (jailbreaks) or little known but legitimate workarounds. We teach and train forensic experts on how to extract and decrypt information, how to download information from iCloud with or without the password, how to bypass two-factor authentication and how an iPhone becomes your complete victim if you know its passcode.

This time around we’ll be playing devil’s advocate. We’ll tell you how to defend your data and your Apple account if they have your iPhone and know your passcode.

iOS Devices Are Secure

We praised the iOS security model on multiple occasions. Speaking of the current pack of iOS versions (including iOS 11.4 release, 11.4.1 public beta and 12.0 first developer beta), we have full-disk encryption with decryption keys derived from the user’s passcode and protected by Secure Enclave. Thanks to the iOS keychain, we enjoy the additional layer of protection for our passwords and other sensitive information. If you protected your iPhone with a 6-digit passcode (which you really should, and which is the default since at least iOS 10), most of your information is securely encrypted until you first unlock your iPhone after it completes the boot sequence. Even if they take the memory chip off, they won’t get anything meaningful due to the encryption.

Apple Probably Knows What You Did Last Summer

Tuesday, June 5th, 2018

“Significant Locations” are an important part of the evidence logged on iPhones. Forensic experts doing the acquisition will try accessing Significant Locations. At the same time, many iPhone users are completely unaware of the existence of this feature. What are Significant Locations, where are they stored, how can they be extracted, and what value do they have in investigations?

Privacy Issues

iOS 11 and iOS 12 after it supposedly come with a slew of privacy enhancements. When it comes to Significant Locations, what we see is quite the opposite. There is an unresolved privacy issue instead.

Speaking strictly of “significant locations”, iOS 10 and older versions used to retain this data no longer than 45 days. Older records would be purged from the device. In iOS 11.4, the current release, location data is kept for at least 120 days (or 4 months). Apple does not provide ANY information about how or when it collects your location data; moreover, there is no official statement about how this data is being used. The only article that we were able to discover is “Location Services & Privacy”. Have a look at the following quote:

Significant Locations – Your iPhone will keep track of places you have recently been, as well as how often and when you visited them, in order to learn places that are significant to you. This data is transmitted end-to-end encrypted between your iCloud connected devices and will not be shared without your consent. It will be used to provide you with personalized services, such as predictive traffic routing, and to build better Photos Memories.

Apple Strikes Back: the iPhone Cracking Challenge

Friday, May 11th, 2018

We live in the era of mobile devices with full-disk encryption, dedicated security co-processors and multiple layers of security designed to prevent device exploitation. The recent generations of Apple mobile devices running iOS 10 and 11 are especially secure, effectively resisting experts’ efforts to extract evidence. Yet, several solutions are known to counter Apple’s security measures even in iOS 11 and even for the last-generation devices. It is not surprising that Apple comes up with countermeasures to restrict the effectiveness and usability of such methods, particularly by disabling USB data connection in iOS 11.4 after prolonged inactivity periods (well, in fact it is still in question whether this feature will be available in the new iOS version or not; it seems it is not ready yet, and may be delayed till iOS 12).

Today, we’ll discuss the main challenges of iOS forensics, look at some of the most interesting solutions available to law enforcement, and share our experience gaining access to some of the most securely protected evidence stored in Apple iOS devices.

iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics

Tuesday, May 8th, 2018

UPDATE June 2, 2018: USB Restricted Mode did not make it into iOS 11.4. However, in iOS 11.4.1 Beta, USB Restricted Mode has arrived.

A new iOS update is about to roll out in the next few weeks or even days. Reading Apple documentation and researching developer betas, we discovered a major new security feature that is about to be released with iOS 11.4. The update will disable the Lightning port 7 days after the device was last unlocked. What is the meaning of this security measure, what reasons are behind it, and what can be done about it? Let’s have a closer look.

USB Restricted Mode in iOS 11.4

In the iOS 11.4 Beta, Apple introduced a new feature called USB Restricted Mode. In fact, the feature made its first appearance in the iOS 11.3 Beta, but was later removed from the final release. This is how it works:

“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.”

The functionality of USB Restricted Mode is actually very simple. Once the iPhone or iPad is updated to the latest version of iOS supporting the feature, the device will disable the USB data connection over the Lightning port one week after the device was last unlocked.