Archive for the ‘Industry News’ Category

Breaking into iOS 11

Tuesday, February 20th, 2018

In the world of mobile forensics, physical acquisition is still the way to go. Providing significantly more information compared to logical extraction, physical acquisition can return sandboxed app data (even for apps that disabled backups), downloaded mail, Web browser cache, chat histories, comprehensive location history, system logs and much more.

In order to extract all of that from an i-device, you’ll need the extraction tool (iOS Forensic Toolkit) and a working jailbreak. With Apple constantly tightening security of its mobile ecosystem, jailbreaking becomes increasingly more difficult. Without a bug hunter at Google’s Project Zero, who released the “tfp0” proof-of-concept iOS exploit, making a working iOS 11 jailbreak would take the community much longer, or would not be possible.

The vulnerability exploited in tfp0 was present in all versions of iOS 10 on all 32-bit and 64-bit devices. It was also present in early versions of iOS 11. The last vulnerable version was iOS 11.2.1. Based on the tfp0 exploit, various teams have released their own versions of jailbreaks.

(more…)

Apple iCloud Keeps More Real-Time Data Than You Can Imagine

Thursday, February 8th, 2018

Apple has a wonderfully integrated ecosystem. Apple computers, tablets and phones conveniently synchronize information such as passwords, Web browsing history, contacts and call logs across all of the user’s devices. This synchronization mechanism uses iCloud to sync and store information. The syncing mechanism works independently from iOS system backups that are also stored in iCloud (or iCloud Drive). As opposed to daily iCloud backups, synchronized data is updated and propagated across devices in almost real time. Extracting this information can be invaluable for investigations as it provides access to the most up to date information about the user, their activities and whereabouts.

What exactly is synced through iCloud? The screen shot above lists all options available in iOS 11. As you can see, the following types of data are (or can be) synced across Apple devices:

  • Photos (iCloud Photo Library)
  • Mail (iCloud mail only)
  • Contacts, Calendars and Reminders
  • Safari (browsing history, bookmarks and tabs open on other devices)
  • Game Center (profiles, achievements and game progress)
  • Siri (requests, settings)
  • Keychain (iCloud Keychain stores passwords and forms from Safari, iOS system, Apple and some third-party apps, but not Google Chrome)
  • iCloud backups (up to last 3 copies per device, created daily while charging)
  • iBooks, Pages, Numbers and Keynote (e-books, PDF files, documents)
  • Maps (user’s search history, routes and places)
  • Wallet
  • Wi-Fi

(more…)

Meet iOS 11.3: Apple to Make It Harder for Law Enforcement to Extract iPhone Data

Thursday, January 25th, 2018

Forget battery issues. Yes, Apple issued an apology for slowing down the iPhone and promised to add better battery management in future versions of iOS, but that’s not the point in iOS 11.3. Neither are ARKit improvements or AirPlay 2 support. There is something much more important, and it is gong to affect everyone.

Apple iOS is (and always was) the most secure mobile OS. FBI forensic expert called Apple “evil genius” because of that. Full disk encryption (since iOS 4), very reliable factory reset protection, Secure Enclave, convenient two-factor authentication are just a few things to mention. Starting with iOS 8, Apple itself cannot break into the locked iPhone. While in theory they are technically capable of creating (and signing, as they hold the keys) a special firmware image to boot the device, its encryption is not based on a hardware-specific key alone (as was the case for iOS 7 and older, and still the case for most Androids). Instead, the encryption key is also based on the user’s passcode, which is now 6 digits by default. Cracking of the passcode is not possible at all, thanks to Secure Enclave. Still, in come cases, Apple may help law enforcement personnel, and they at least provide some trainings to FBI and local police.

(more…)

iOS 11.3 Adds Expiry Date to Lockdown (Pairing) Records

Thursday, January 25th, 2018

Lockdown files, otherwise known as pairing records, are well known to the forensic crowd for their usefulness for the purpose of logical extraction. A pairing file created on one computer (the user’s) can be used by the expert to pull information from the iOS device – that, without knowing the PIN code or pressing the user’s finger to unlock the device. Lockdown records do carry their fair share of limitations. For example, their use is severely restricted if the device has just rebooted or powered on and was not unlocked with a passcode afterwards.

Despite that, pairing records have been immensely handy for mobile forensic specialists as they allowed accessing the data in the device without unlocking it with a passcode, fingerprint or trusted face. Specifically, until very recently, lockdown records had never expired. One could use a year-old lockdown file to access the content of an iPhone without a trouble.

Good things seem to end. In iOS 11.3 (beta) Release Notes, Apple mentioned they’re adding an expiry date to lockdown records.

To improve security, for a locked iOS device to communicate with USB accessories you must either connect an accessory via lightning connector to the device while unlocked or enter your device passcode while connected, at least once a week.

If you use iAP USB accessories over the Lightning connector (including assistive devices and wired CarPlay) or connect to a Mac/PC, you may therefore need to periodically enter your passcode if you have a passcode set on your iPhone, iPad, or iPod Touch.

As a result, mobile forensic experts can no longer expect lockdown records to survive for periods longer than one week. In order to clearly understand the consequences of this seemingly minor change, let us first look at the pairing records themselves.

Pairing in iOS

In order to enable communications (e.g. file transfers) between the user’s iOS device (iPhone, iPad) and their computer, a trust relationship (or pairing) must be first established. Once a pairing relationship is initially established (by unlocking the iOS device with Touch ID or passcode and confirming the “Trust this computer?” prompt), the two devices exchange cryptographic keys, and the computer is granted trusted access to the iPhone even if the iPhone’s screen is locked.

(more…)

What’s New in iOS 11 Security: the Quick Reference Guide

Thursday, December 21st, 2017

iOS 11 introduced multiple changes to its security model. Some of these changes are highly welcome, while we aren’t exactly fond of some others. In this quick reference guide, we tried to summarize all the changes introduced by iOS 11 in the security department.

Compared to iOS 10 and earlier versions of the system, iOS 11 introduced the following security changes:

–  Reset password to local backups (passcode required), which makes logical acquisition trivial

–  For 2FA accounts, reset Apple ID password and change trusted phone number with just device passcode (possible for both iOS 11 and iOS 10)

–  Health data sync with iCloud (users can disable)

+  Passcode required to establish trust relationship with a PC (Touch ID/Face ID can no longer be used to pair)

+  Quickly and discretely disable Touch ID/Face ID via S.O.S. mode

+  Automatically call emergency number (push side button 5 times in rapid succession)

+  iOS 11 strongly suggests enabling Two-Factor Authentication in multiple places

+  Two-Step Verification (2SV) is no longer available

Additionally, in macOS High Sierra, Desktop and Documents folders now sync with iCloud (user can disable).

iOS 11 Makes Logical Acquisition Trivial, Allows Resetting iTunes Backup Password

Thursday, November 9th, 2017

Since early days of iOS, iTunes-style system backups could be protected with a password. The password was always the property of the device; if the backup was protected with a password, it would come out encrypted. It didn’t matter whether one made a backup with iTunes, iOS Forensic Toolkit or other forensic software during the course of logical acquisition; if a backup password was enabled, all you’d get would be a stream of encrypted data.

Password protection of iOS system backups was always a hallmark of iOS data protection. We praised Apple for making it tougher for unauthorized persons to pair an iPhone to the computer in iOS 11. Today we discovered something that works in reverse, making it possible for anyone who can unlock an iPhone to simply reset the backup password. Is this so big of a deal? Prior to this discovery, forensic specialists would have to use high-end hardware to try recovering the original backup password at a rate of just several passwords per second, meaning that even the simplest password would require years to break. Today, it just takes a few taps to get rid of that password completely. If you know the passcode, logical acquisition now becomes a trivial and guaranteed endeavor.

(more…)

New Security Measures in iOS 11 and Their Forensic Implications

Thursday, September 7th, 2017

Apple is about to launch its next-generation iOS in just a few days. Researching developer betas, we discovered that iOS 11 implements a number of new security measures. The purpose of these measures is better protecting the privacy of Apple customers and once again increasing security of device data. While some measures (such as the new S.O.S. sequence) are widely advertised, some other security improvements went unnoticed by the public. Let us have a look at the changes and any forensic implications they have.

Establishing Trust with a PC Now Requires a Passcode

For the mobile forensic specialist, one of the most compelling changes in iOS 11 is the new way to establish trust relationship between the iOS device and the computer. In previous versions of the system (which includes iOS 8.x through iOS 10.x), establishing trusted relationship only required confirming the “Trust this computer?” prompt on the device screen. Notably, one still had to unlock the device in order to access the prompt; however, fingerprint unlock would work perfectly for this purpose. iOS 11 modifies this behaviour by requiring an additional second step after the initial “Trust this computer?” prompt has been confirmed. During the second step, the device will ask to enter the passcode in order to complete pairing. This in turn requires forensic experts to know the passcode; Touch ID alone can no longer be used to unlock the device and perform logical acquisition.

(more…)

iOS 9.3.5 Physical Acquisition Made Possible with Phoenix Jailbreak

Thursday, August 24th, 2017

If you watch industry news, you are probably aware of the new Phoenix jailbreak… or not. During the last several years, getting news about iOS jailbreaks from reliable sources became increasingly difficult. The sheer number of fake Web sites mimicking the look of well-known resources such as Pangu and TaiG made us extra careful when trying newly published exploits.

Back to Phoenix. This thing is for real. Phoenix claims support for iPhone 4s, 5/5c, iPad 2/3/4, iPad mini, and iPod 5g running the last version of iOS 9.3.5. We were able to verify these claims by successfully jailbreaking several test devices and using Elcomsoft iOS Forensic Toolkit to perform full physical acquisition (as in imaging and decrypting the physical data partition).

With Phoenix jailbreak, iOS Forensic Toolkit can perform physical acquisition of Apple’s 32-bit devices running iOS 9.3.5, which happens to be the last version of iOS 9. Users of iOS Forensic Toolkit can perform physical-level imaging and decryption of the data partition, decryption and examination of keychain items, and enjoy full unrestricted access to sandboxed app data. This level of access is simply not possible with any other acquisition methods. As an example, physical acquisition of jailbroken devices enables forensic access to saved email messages, passwords, and full conversation logs saved by some of the most secure messengers such as WhatsApp, Telegram, Signal, Skype and Facebook Messenger. Compared to iOS backup analysis, this method adds access to browser cache and temporary files, email messages, extended location history, and data that belongs to apps that explicitly disable backups.

(more…)

Government Request Reports: Google, Apple and Microsoft

Monday, January 16th, 2017

Every once in a while, hi-tech companies release reports on government requests that they received and served (or not). The different companies receive a different number of requests. They don’t treat them the same way, and they don’t report them the same way, which makes the comparison difficult. In this article, we’ll try to analyze and compare government request reports published by Apple, Google and Microsoft.

Since all three companies report on different things, and the sheer number of data is way too big for analyzing in a blog article, we’ll try to only compare data related to the North American region and Germany (as a single European country). (more…)

FBI Can Unlock Most Devices They Need To

Thursday, December 29th, 2016

According to Jim Baker, FBI General Counsel, the bureau can access information on most smartphones they are dealing with, even if encryption is enabled. In this article, we tried to find out which devices they can and cannot unlock, and why.

The FBI Can Unlock 87% Mobile Devices

According to Jim Baker, the agency can unlock some 87% of mobile devices, and get access to the data. So which devices they can and cannot unlock, exactly? Before we start crunching the numbers, please have a look at the following infographics:

(more…)