iOS 11.3 Adds Expiry Date to Lockdown (Pairing) Records

January 25th, 2018 by Oleg Afonin

Lockdown files, otherwise known as pairing records, are well known to the forensic crowd for their usefulness for the purpose of logical extraction. A pairing file created on one computer (the user’s) can be used by the expert to pull information from the iOS device – that, without knowing the PIN code or pressing the user’s finger to unlock the device. Lockdown records do carry their fair share of limitations. For example, their use is severely restricted if the device has just rebooted or powered on and was not unlocked with a passcode afterwards.

Despite that, pairing records have been immensely handy for mobile forensic specialists as they allowed accessing the data in the device without unlocking it with a passcode, fingerprint or trusted face. Specifically, until very recently, lockdown records had never expired. One could use a year-old lockdown file to access the content of an iPhone without a trouble.

Good things seem to end. In iOS 11.3 (beta) Release Notes, Apple mentioned they’re adding an expiry date to lockdown records.

To improve security, for a locked iOS device to communicate with USB accessories you must either connect an accessory via lightning connector to the device while unlocked or enter your device passcode while connected, at least once a week.

If you use iAP USB accessories over the Lightning connector (including assistive devices and wired CarPlay) or connect to a Mac/PC, you may therefore need to periodically enter your passcode if you have a passcode set on your iPhone, iPad, or iPod Touch.

As a result, mobile forensic experts can no longer expect lockdown records to survive for periods longer than one week. In order to clearly understand the consequences of this seemingly minor change, let us first look at the pairing records themselves.

Pairing in iOS

In order to enable communications (e.g. file transfers) between the user’s iOS device (iPhone, iPad) and their computer, a trust relationship (or pairing) must be first established. Once a pairing relationship is initially established (by unlocking the iOS device with Touch ID or passcode and confirming the “Trust this computer?” prompt), the two devices exchange cryptographic keys, and the computer is granted trusted access to the iPhone even if the iPhone’s screen is locked.

Read the rest of this entry »

Tags: , , , , ,
Posted in Did you know that...?, Industry News, Security | Comments Off on iOS 11.3 Adds Expiry Date to Lockdown (Pairing) Records

Forensic Implications of Software Updates: iOS, Android, Windows 10 Mobile

January 15th, 2018 by Oleg Afonin

Software updates remain a sore point for the 86 per cent of consumers who are using Android-based smartphones. Both Apple and Microsoft have significantly different update policies, mostly allowing the companies to deliver updates directly to their customers. There is much more to these updates than just the Android (or Windows) version. With numerous versions, subversions and carrier modified versions of the phone’s software, experts may struggle when attempting physical extraction. Let us have a look at the differences between the three mobile operating systems, their update policies and the challenges they present to the forensic examiner.

Apple: Full Control over Software Updates

Apple has a tight grip over its mobile operating system, the iOS. In fact, it has an even tighter grip than most people think.

On the outside, the company makes iOS updates available to all supported models and all devices at the same time. With a very long support window or over 4 years, even devices released back in 2014 are eligible to receive the latest iOS build.

There is also a flip side to this story. Not only does the company solely controls the design, release and distribution of software updates, but it also has full control over what versions of the system a given device is allowed to install. Unlike Android devices that can install a signed OTA package (or, in some cases, flash a full image) of any version of software (with exceptions, e.g. rollback protection), iPhone and iPad devices can only install iOS updates (or full packages) that are cryptographically signed by Apple for that particular device. Before an iOS update (or full package, including downgrade packages) can be installed onto an iPhone or iPad device, the package must get an approval from an Apple server by receiving a cryptographic signature. That signature is placed in real time, and is only valid for a particular device. Read the rest of this entry »

Tags: , , , , ,
Posted in Security, Software | Comments Off on Forensic Implications of Software Updates: iOS, Android, Windows 10 Mobile

How to Extract Media Files from iOS Devices

January 9th, 2018 by Oleg Afonin

Media files (Camera Roll, pictures and videos, books etc.) are an important part of the content of mobile devices. The ability to quickly extract media files can be essential for an investigation, especially with geotags (location data) saved in EXIF metadata. Pulling pictures and videos from an Android smartphone can be easier than obtaining the rest of the data. At the same time, media extraction from iOS devices, while not impossible, is not the easiest nor the most obvious process. Let’s have a look at tools and techniques you can use to extract media files from unlocked and locked iOS devices.

Ways to Extract Media Files

There is more than one way you could use to extract media files. Read the rest of this entry »

Tags: , , , , , ,
Posted in Did you know that...?, Elcom-News, Software | Comments Off on How to Extract Media Files from iOS Devices

What’s New in iOS 11 Security: the Quick Reference Guide

December 21st, 2017 by Vladimir Katalov

iOS 11 introduced multiple changes to its security model. Some of these changes are highly welcome, while we aren’t exactly fond of some others. In this quick reference guide, we tried to summarize all the changes introduced by iOS 11 in the security department.

Compared to iOS 10 and earlier versions of the system, iOS 11 introduced the following security changes:

–  Reset password to local backups (passcode required), which makes logical acquisition trivial

–  For 2FA accounts, reset Apple ID password and change trusted phone number with just device passcode (possible for both iOS 11 and iOS 10)

–  Health data sync with iCloud (users can disable)

+  Passcode required to establish trust relationship with a PC (Touch ID/Face ID can no longer be used to pair)

+  Quickly and discretely disable Touch ID/Face ID via S.O.S. mode

+  Automatically call emergency number (push side button 5 times in rapid succession)

+  iOS 11 strongly suggests enabling Two-Factor Authentication in multiple places

+  Two-Step Verification (2SV) is no longer available

Additionally, in macOS High Sierra, Desktop and Documents folders now sync with iCloud (user can disable).

Tags: , , , , , , , , , , , ,
Posted in Did you know that...?, General, Industry News, Security, Tips & Tricks | Comments Off on What’s New in iOS 11 Security: the Quick Reference Guide

Extracting and Using iCloud Authentication Tokens

November 30th, 2017 by Oleg Afonin

In our previous blog post, we wrote everything we know about authentication tokens and Anisette data, which might allow you to bypass the “login, password and two-factor authentication” sequence. Let us have a look at how you can actually extract those tokens from a trusted computer and use them on a different computer to access a user’s iCloud account. Read Part 1 and Part 2 of the series.

Extracting Authentication Tokens from a Live System (Windows)

Extracting authentication token from a live system is as easy as running a small, stand-alone executable file you get as part of the Elcomsoft Phone Breaker package. The tool is called ATEX (atex.exe on Windows), and stands for Authentication Token Extractor.

Using the tools is extremely simple. Make sure you are logged on under the user you’re about to extract the token from, and launch ATEX with no arguments. The file named “icloud_token_<timestamp>.txt” will be created in the same folder where you launch the tool from (or C:\Users\<user_name>\AppData\Local\Temp if there are not enough permissions).

Read the rest of this entry »

Tags: , , ,
Posted in Did you know that...?, Software, Tips & Tricks | 2 Comments »

iCloud Authentication Tokens Inside Out

November 30th, 2017 by Oleg Afonin

iCloud authentication tokens in particular are difficult to grasp. What are they, what tools are they created with, where they are stored, and how and when they can be used are questions that we’re being asked a lot. Let’s try to put things together. Read Part 1 of the series.

What Authentication Tokens Are and What They Aren’t

And authentication token is a piece of data that allows the client (iCloud for Windows, Elcomsoft Phone Breaker etc.) to connect to iCloud servers without providing a login and password for every request. This piece of data is stored in a small file, and that file can be used to spare the user from entering their login and password during the current and subsequent sessions.

On the other hand, authentication tokens do not contain a password. They don’t contain a hashed password either. In other words, a token cannot be used to attack the password.

What They Are Good For and How to Use

Authentication tokens may be used instead of the login and password (and secondary authentication factor) to access information stored in the user’s iCloud account. This information includes:

  • iCloud backups (however, tokens expire quickly)
  • iCloud Photo Library, including access to deleted photos
  • Call logs
  • Notes, calendars, contacts, and a lot of other information

Using iCloud authentication tokens is probably the most interesting part. You can use an authentication token in Elcomsoft Phone Breaker Forensic to sign in to Apple iCloud and use iCloud services (download cloud backups, photos, synchronized data etc.) without knowing the user’s Apple ID password and without having to deal with Two-Factor Authentication.

Authentication tokens can be used for:

  • Signing in to iCloud services
  • Without Apple ID password
  • Without having to pass Two-Factor Authentication

Read the rest of this entry »

Tags: , , ,
Posted in Did you know that...?, Security, Software, Tips & Tricks | Comments Off on iCloud Authentication Tokens Inside Out

The Life and Death of iCloud Authentication Tokens: Historical Perspective

November 30th, 2017 by Vladimir Katalov

What are iCloud authentication tokens? How they are better than good old passwords? Do they ever expire and when? Where to get them? Is there anything else I should know about tokens? This publication opens a new series on token-based authentication.

A Brief History of iCloud Extraction

When we started working with Apple iCloud more than 5 years ago to allow users download their backups, we only supported the most straightforward authentication path via login and password. Since you had to supply an Apple ID and password anyway, many people wondered what the big deal with our software was. If it required a password anyway, could you just do the same by some standard means?

The thing is there is no “standard” means. All you can do with an iCloud backup without additional software is restoring a new Apple device from it; from there, you’re on your own. Also, you can only restore over Wi-Fi, and the process is extremely slow. It takes several hours to finish, and the iPhone you’re restoring will consume a lot more traffic than just the backup (it’ll also download and install app binaries from the App Store, which can be significantly larger than the backup itself).

Read the rest of this entry »

Tags: , , ,
Posted in Did you know that...?, Security | Comments Off on The Life and Death of iCloud Authentication Tokens: Historical Perspective

iOS 11 Horror Story: the Rise and Fall of iOS Security

November 29th, 2017 by Oleg Afonin

We loved what Apple used to do about security. During the past years, the company managed to build a complete, multi-layer system to secure its hardware and software ecosystem and protect its customers against common threats. Granted, the system was not without its flaws (most notably, the obligatory use of a trusted phone number – think SS7 vulnerability – for the purpose of two-factor authentication), but overall it was still the most secure mobile ecosystem on the market.

Not anymore. The release of iOS 11, which we praised in the past for the new S.O.S. mode and the requirement to enter a passcode in order to establish trust with a new computer, also made a number of other changes under the hood that we have recently discovered. Each and every one of these changes was aimed at making the user’s life easier (as in “more convenience”), and each came with a small trade off in security. Combined together, these seemingly small changes made devastating synergy, effectively stripping each and every protection layer off the previously secure system. Today, only one thing is protecting your data, your iOS device and all other Apple devices you have registered on your Apple account.

The passcode. This is all that’s left of iOS security in iOS 11. If the attacker has your iPhone and your passcode is compromised, you lose your data; your passwords to third-party online accounts; your Apple ID password (and obviously the second authentication factor is not a problem). Finally, you lose access to all other Apple devices that are registered with your Apple ID; they can be wiped or locked remotely. All that, and more, just because of one passcode and stripped-down security in iOS 11.

Read the rest of this entry »

Tags: , , , , , , , , ,
Posted in Did you know that...?, Security, Software | Comments Off on iOS 11 Horror Story: the Rise and Fall of iOS Security

« Older Entries
Newer Entries »
RSS for posts
RSS for comments
Subscribe
ElcomSoft on Facebook
ElcomSoft on Flickr
ElcomSoft on Twitter