ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Archive for the ‘Did you know that…?’ Category

Six Ways to Decrypt iPhone Passwords from the Keychain

Tuesday, December 18th, 2018

In Apple’s world, the keychain is one of the core and most secure components of macOS, iOS and its derivatives such as watchOS and tvOS. The keychain is intended to keep the user’s most valuable secrets securely protected. This includes protection for authentication tokens, encryption keys, credit card data and a lot more. End users are mostly familiar with one particular feature of the keychain: the ability to store all kinds of passwords. This includes passwords to Web sites (Safari and third-party Web browsers), mail accounts, social networks, instant messengers, bank accounts and just about everything else. Some records (such as Wi-Fi passwords) are “system-wide”, while other records can be only accessed by their respective apps. iOS 12 further develops password auto-fill, allowing users to utilize passwords they stored in Safari in many third-party apps.

If one can access information saved in the keychain, one can then gain the keys to everything managed by the device owner from their online accounts to banking data, online shopping, social life and much more.

Apple offers comprehensive documentation for developers on keychain services, and provides additional information in iOS Security Guide.

In this article we assembled information about all existing methods for accessing and decrypting the keychain secrets.

(more…)

Can Forensic Experts Keep Up with the Digital Age?

Wednesday, December 5th, 2018

The boom in personal electronic devices recording literally every persons’ step introduced a new type of forensic evidence: the digital evidence. In this day and age, significantly more forensic evidence is available in digital form compared to physical evidence of yesteryear. Are law enforcement and intelligence agencies ready to handle the abundance of digital evidence? And more importantly, do frontline officers have the skills and technical expertise required to handle and preserve this wealth of information?

Digital forensic evidence is a major challenge today, and will become even more of a challenge tomorrow. Crypto currencies and the dark net created an effective shield for criminals committing online fraud and extorting ransom, trafficking drugs and human beings, supporting and financing international terrorism.

Digital evidence that lands on end user devices is also well shielded from investigation efforts. The unilateral push for hardware-backed secure encryption by major vendors of mobile operating systems (Google and Apple) covers criminals with almost unbreakable protection, building a wall around digital evidence that could be vital for investigations. (more…)

Apple Health Is the Next Big Thing: Health, Cloud and Security

Thursday, November 29th, 2018

Health data is among the most important bits of information about a person. Health information is just as sensitive as the person’s passwords – and might be even more sensitive. It is only natural that health information is treated accordingly. Medical facilities are strictly regulated and take every possible security measure to restrict access to your medical records.

Since several versions of iOS, your health information is also stored in Apple smartphones, Apple cloud and various other devices. In theory, this information is accessible to you only. It’s supposedly stored securely and uses strong encryption. But is that really so? What if Apple uploads this data to the cloud? Is it still secure? If not, can we extract it? Let’s try to find out.

(more…)

iMessage Security, Encryption and Attachments

Thursday, November 15th, 2018

iMessage is undoubtedly one of the most popular instant messaging platforms for an obvious reason: it’s built in to iOS and ships with every iPhone by default. iMessage does not require complex setup, so the number of iMessage users is closely matching the number of iPhone users. Apple sells about 200 million iPhones every year, and the total number of iPhones sold is more than a billion. Unless you absolutely must chat with someone outside of Apple’s ecosystem (like those poor Android folks), you won’t need Skype, WhatsApp or Telegram. It’s also comforting to know that iMessage works everywhere around the world while most other messengers are oppressed in one or more countries.

But what about iMessage security? Is it safe to use if you’re concerned about your privacy? Is there a reason why countries such as China, Iran or Russia block other messengers but keep iMessage going? Is it safe from hackers? What about Law Enforcement? And what about Apple itself? It must have access to your messages to target the ads, right? Is it OK to send those private snapshots or share your location via iMessage?

There is no simple answer, but we’ll do our best to shed some light on that.

(more…)

iPhone Xs PWM Demystified: How to Reduce Eyestrain by Disabling iPhone Xs and Xs Max Display Flicker

Tuesday, October 30th, 2018

The iPhone Xs employs a revised version of the OLED panel we’ve seen in last year’s iPhone X. The iPhone Xs Max uses a larger, higher-resolution version of the panel. Both panels feature higher peak brightness compared to the OLED panel Apple used in the iPhone X. While OLED displays are thinner and more power-efficient compared to their IPS counterparts, most OLED displays (including those installed in the iPhone Xs and Xs max) will flicker at lower brightness levels. The screen flickering is particularly visible in low ambient brightness conditions, and may cause eyestrain with sensitive users. The OLED flickering issue is still mostly unheard of by most consumers. In this article we will demystify OLED display flickering and provide a step by step instruction on how to conveniently disable (and re-enable) PWM flickering on iPhone Xs and Xs Max displays to reduce eyestrain. (more…)

Analysing Apple Pay Transactions

Thursday, August 30th, 2018

With more than 127 million users in multiple countries, Apple Pay is one of the more popular contactless payment systems. Unlike some competing payment technologies, Apple Pay is not only tightly integrated into Apple’s ecosystem but is exclusive to Apple devices.

Apple Pay serves as a digital wallet, digitizing user’s payment cards and completely replacing traditional swipe-and-sign and chip-and-PIN transactions at compatible terminals. However, unlike traditional wallets, Apple Pay also keeps detailed information about the user’s point of sale transactions. Due to the sheer amount of highly sensitive information processed by the system, Apple Pay is among the most securely protected vaults in compatible devices. In this article we’ll show you where and how this information is stored in the file system, how to extract it from the iPhone and how to analyse the data. (more…)

iOS 12 Beta 5: One Step Forward, Two Steps Back

Tuesday, July 31st, 2018

The release of iOS 11.4.1 marked the introduction of USB restricted mode, a then-new protection scheme disabling USB data pins after one hour. The USB restricted mode was not invincible; in fact, one could circumvent protection by connecting the device to a $39 accessory. While a great improvement on itself, the new mode did not provide sufficient protection. We wished Apple maintained a list of “trusted” or previously connected accessories on the device, allowing only such devices to reset the timer. In this new iOS 12 beta, Apple makes attempts to further “improve” USB restricted mode, yet the quotes about “improving” the system are there on purpose.

We recently covered the whole story starting from iOS 11.3 and up to the then-current iOS 12 beta, but it looks the story is far from the end. I think Apple monitors media coverage including our blog, and takes a note on some of the readers’ comments in an attempt to find the right balance between security and convenience. We even suggested how they could possibly improve the new mode’s implementation, and… iOS 12 Beta 5 (just released) brings another surprise.

(more…)

USB Restricted Mode Inside Out

Thursday, July 12th, 2018

It’s been a lot of hype around the new Apple security measure (USB restricted mode) introduced in iOS 11.4.1. Today we’ll talk about how we tested the new mode, what are the implications, and what we like and dislike about it. If you are new to the topic, consider reading our blog articles first (in chronological order):

To make a long story short: apparently, Apple was unable to identify and patch vulnerabilities allowing to break passcodes. Instead, they got this idea to block USB data connection after a period of time, so no data transfer can even occur after a certain “inactivity” period (keep reading about the definition of “inactivity”). It is somehow similar to how Touch ID/Face ID expire from time to time, so you can only use the passcode if you did not unlock the device for a period of time. Same for USB now.

(more…)

This $39 Device Can Defeat iOS USB Restricted Mode

Monday, July 9th, 2018

The most spoken thing about iOS 11.4.1 is undoubtedly USB Restricted Mode. This highly controversial feature is apparently built in response to threats created by passcode cracking solutions such as those made by Cellerbrite and Grayshift. On unmanaged devices, the new default behavior is to disable data connectivity of the Lightning connector after one hour since the device was last unlocked, or one hour since the device has been disconnected from a trusted USB accessory. In addition, users can quickly disable the USB port manually by following the S.O.S. mode routine.

Once USB Restricted Mode is engaged on a device, no data communications occur over the Lightning port. A connected computer or accessory will not detect a “smart” device. If anything, an iPhone in USB Restricted Mode acts as a dumb battery pack: in can be charged, but cannot be identified as a smart device. This effectively blocks forensic tools from being able to crack passcodes if the iPhone spent more than one hour locked. Since law enforcement needs time (more than one hour) to transport the seized device to a lab, and then more time to obtain an extraction warrant, USB Restricted Mode seems well designed to block this scenario. Or is it?

We performed several tests, and can now confirm that USB Restricted Mode is maintained through reboots, and persists software restores via Recovery mode. In other words, we have found no obvious way to break USB Restricted Mode once it is already engaged. However, we discovered a workaround, which happens to work exactly as we suggested back in May (this article; scroll down to the “Mitigation” chapter).

(more…)

Breaking Deeper Into iPhone Secrets

Wednesday, June 20th, 2018

iPhone protection becomes tougher with each iteration. The passcode is extremely hard to break, and it’s just the first layer of defense. Even if the device is unlocked or if you know the passcode, it is not that easy and sometimes impossible to access all the data stored on the device. This includes, for example, conversations in Signal, one of the most secure messengers. Apple did a very good job as a privacy and security advocate.

This is why we brought our attention to cloud acquisition. We pioneered iCloud backup extraction several years ago, and we are working hard to acquire more data from the cloud: from the standard categories available at www.icloud.com (such as contacts, notes, calendars, photos and more) to hidden records as call logs, Apple Maps places and routes, third-party application data stored on iCloud drive (not accessible by any other means), iCloud keychain (the real gem!), and recently Messages (with iOS 11.4, they can be synced too).

Cloud acquisition is not as easy as it sounds. First, you need the user’s credentials – Apple ID and password at very least, and often the second authentication factor. Additionally, for some categories (such as the keychain and messages), you’ll also need the passcode of one of the ‘trusted’ devices. But even having all of those, you will still face the undocumented iCloud protocols, encryption (usually based on well-known standard algorithms, but sometimes with custom modifications), different data storage formats, code obfuscation and hundreds of other issues. We learned how to fool Two-Factor Authentication and extract and the authentication tokens from desktops. We are playing “cat and mouse” with Apple while they are trying to lock iCloud accounts when detecting that our software is being used to access the data. We have to monitor Apple’s changes and updates almost 24/7, installing every single beta version of iOS.

iCloud acquisition gives fantastic results. In most cases, you do not need the device itself (it may be lost or forgotten, or thousands miles away). You can obtain deleted data that is not stored on any physical device anymore. You can obtain tons of valuable evidence from all the devices connected to the account.

But as always, there are some “buts”. Sorry for the long intro, and let’s proceed to what we have done about iPhone physical acquisition.

(more…)