Posts Tagged ‘iOS 13’

Every other day, Apple makes the work of forensic specialists harder. Speaking of iCloud, we partially covered this topic in Apple vs. Law Enforcement: Cloud Forensics and Apple vs Law Enforcement: Cloudy Times, but there is more to it today. The recent iOS (13.4) and macOS (10.15.4) releases brought some nasty surprises. Let’s talk about them.

iOS 13

It is difficult to say when it actually happened, but iOS stopped syncing call logs, and does not sync them for the time being. We covered call log sync some three years ago:

We even tried to bring the matter to Apple, but the only response was we take privacy very seriously (I am not surprised). Anyway; call logs are no longer synchronized (com’on, Apple, did you forget about Continuity? 😊)

But there is more. Do you use Apple Maps? Its data, surprisingly, has been moved to an encrypted container, similar to other protected data such as the iCloud keychain, iCloud Messages, Health and Screen Time data. It’s a strange move, as Maps data is not all that sensitive compared to other bits stored in secured containers. While we can still obtain that data from the cloud, the procedure now relies on the process for extracting other end-to-end encrypted data, which means you have to use the password/passcode of one of the user’s devices.

Just in case: if you are curious about Screen Time, we are currently able to extract only part of the data from iCloud. This includes the passcode, family information, restrictions etc. The most interesting data such as app usage statistics seems to sync directly across devices, but it is not stored in the way that would allow us to extract it from the cloud. If you have more than one device and use the Share across devices option, just compare the statistics you see on the device it’s been collected from and how it appears on other devices on the account. The results are different. Moreover, some stats are not available at all, while there is some mysterious data from devices that have been disconnected from the account a long time ago. A lot of iPhone users reported similar problems:

This can mean that such ‘direct’ syncing simply does not work correctly. It is difficult to say whether it is an iOS 12/13 or iCloud bug, but we decided not to waste our time trying to obtain this data from iCloud. And btw, in iOS 13 the data related to Screen Time is also protected better than most of other data — it is not enough just to have root privileges to access it.

Oh by the way, iOS 13.4.5 beta (what a strange version number after 13.4) is out yesterday, we are going to have a look at it soon.

macOS

Lockdown (pairing) records had always allowed to access passcode-protected devices. However, with the latest update, lockdown records are no longer accessible.

Starting with maCOS 10.12, you had to to run the following command:

sudo chmod 755 /private/var/db/lockdown

With macOS 10.15.4, it does not work anymore:Is there a workaround? Yes. Just disable SIP (System Integrity Protection) by booting into Recovery mode (+R on system startup), then start Terminal and run the following command:

csrutil disable

Then reboot, and access lockdown folder as you did before, e.g. to perform advanced logical acquisition of a locked iPhone using iOS Forensic Toolkit.

iCloud

iCloud authentication has changed again. Looks like Apple have a dedicated team of software engineers that do nothing but make meaningless changes to authentication protocols just to block our software. This does not really improve the security and privacy but makes Apple’s top management happy.

I am not going to describe all the changes in details, but give you some tips on how this affects the usage of authentication tokens in Elcomsoft Phone Breaker. You can start reading from Accessing iCloud With and Without a Password in 2019; and here is how it works now.

On Windows systems, tokens extracted from iCloud  for Windows version 7.0 and later work only for accounts without two-factor authentication. With these tokens, you won’t be able to access the entire set of iCloud data. The following categories are still accessible: iCloud Photos and certain synced categories (including contacts, calendars, notes, Safari browsing history etc. except end-to-end encrypted data such as the Keychain, iCloud Messages or Health data). As for iCloud backups, you can only retrieve ones created by iOS versions older than iOS 11.2.

On macOS, the situation is slightly better. On macOS from 10.13 to 10.15, we can get the token for non-2FA accounts only; and for ones that have 2FA enabled, the token is, well, ‘tethered’ to the device it is obtained from, so you can authenticate with this token in Elcomsoft Phone Breaker only on the same Mac. The scope of the data that can be downlooaded from the iCloud (regardless the account and token type) is the same as above: limited number of categories of synced data (without end-to-end encryption), and iCloud backups of devices with iOS up to 11.2. Fully ‘untethered’ tokens for 2FA accounts are only available in macOS 10.12 and older. In fact we recently used a kind of vulnerability in iCloud protocol that allowed us to get such tokens even for 2FA accounts, but not anymore, sorry.

Sounds confusing? I know. Here it is once again:

  • We can always get a token for non-2FA accounts
  • For 2FA accounts, tokens from most (modern) Windows systems are completely useless, while tokens from modern macOS versions can be used on the same system only
  • Tokens can be used to access only a limited amount of data from iCloud

One more thing: some changes have been made even for accounts without 2FA. Due to these changes, Apple can now lock accounts after a single incorrect password attempt.

Conclusion

To obtain all the data from the user’s iCloud account, you will need the Apple ID, the password, the second authentication factor, and the device passcode. If you have all of those, you can obtain virtually everything, including some of the data that is not available on the device itself. Do not underestimate this method, and remember that Elcomsoft Phone Breaker is the only product on the market that extracts all the data from iCloud including end-to-end encrypted categories.

The popular unc0ver jailbreak has been updated to v4, and this is quite a big deal. The newest update advertises support for the latest A12 and A13 devices running iOS 13 through 13.3. The current version of iOS is 13.3.1. None of the older versions (including iOS 13.3) are signed, but still there are a lot of A12/A12X/A13 devices floating around. Until now, file system and keychain extraction was a big problem. The newest unc0ver jailbreak makes it possible.

The new build is based on an exploit that is quite reliable by itself. However, jailbreaking is more than just a single exploit; a lot of things (that are outside the scope of this article) have to be done. So the new version of a jailbreak is not a silver bullet, and may still fail on many devices; we have tested a few and received mixed results. Still, if the given device can be jailbroken with unc0ver, it means that we can pull all the data from it, down to the last bit.

ICYMI: iPhones and iPads based on A12/A12X/A13 SoC are not vulnerable to checkm8 exploit, and there is no room for BFU acquisition (if the passcode is not known). That means that jailbreaking them using iOS (not bootrom) exploits is the only way to get all the data, at least for now.

Installing the jailbreak

The jailbreak (curren version: 4.0.2) is available as an IPA file (iOS/iPadOS package). There are several methods of installing it, but they usually require signing the IPA using a third-party certificate, which is not very safe and requires approving the certificate on the device, which in turn means that you have allow the device make an Internet connection. This in turn means that the device can be remotely locked or wiped (and even if Find My is disabled, it may sync and modify the data. The only workaround is to set up the network so that that it can only access the Apple’s servers that take care of certificate approval, but this is not not as easy as it sounds.

The better and safer way is to sign the jailbreak IPA with a developer’s certificate using Cydia Impactor. You will need a developer’s account to do that. If you have one, create an Application-specific password first as Cydia Impactor does not natively support 2FA.

Once the IPA is installed, just run it and press [Jailbreak]. That simple.

Well, not quite. First, you have to press [Settings] in the top-right corner and enable the following options:

  • Re(Install) OpenSSH
  • SSH Only
  • Read-Only RootFS

What is it all about? Install OpenSSH (which is not installed by default); do not install Cydia (not only you won’t need it for the purpose of file system extraction, but removing Cydia after you’re done is a separate headache); do not remount the system partition, making the jailbreak rootless, safer, and with a minimum impact. I would not say “forensically sound”. But very close to that.

Note that the new build of unc0ver is not very reliable yet. If it fails, here is what the jailbreak developers recommend:

To everyone having reliability issues. You must follow those conditions carefully to have the best success:
– reboot
– airplane mode
– lock device
– wait 30 seconds (don’t do anything)
– jailbreak

A better exploitation method is required to avoid this. We’ll try our best.

Data acquisition

iOS Forensic Toolkit is all you need. First, do not miss some basic usage tips:

Ready to go? Extract the keychain and the file system first. Just note that with the keychain extraction, you may get error/warning messages like the following:

[+] memory_size: 3962028032
[-] no offsets for iPad8,1 17C54
[e] error reading kernel @0x0
[-] no kernel_call addresses for iPad8,1 17C54 [e] error reading kernel @0x0 Injecting to trust cache...
Actually injecting 1 keys
1 new hashes to inject
Successfully injected [1/1] to trust cache.
[e] error writing kernel @0x0

Just ignore them for now, we will take care on them later; they don’t seem to affect the keychain acquisition.

As for the file system, please note that if you forget to set the appropriate unc0ver options and install OpenSSH later from Cydia, acquisition will probably fail. The OpenSSH client installed alongside with the jailbreak works fine.

Anything else? Almost everything matters. Including whether you connect the iPhone directly or through a USB hub; the type of the cable (USB-A or USB-C to Lightning); and even the brand of the cable (original or not). Do not ask us why, ask Apple. To our experience, you get the best results when using an original Apple USB-A to Lightning cable connected directly (with no hubs); also, it works better on Macs. Yes, even that matters.

Data analysis

For “quick and dirty” analysis, use Elcomsoft Phone Viewer to browse the data acquired by iOS Forensic Toolkit. Do not underestimate this little tool; it does not parse all the data categories, but you will be surprised by the amount of data it can extract from media files (including deleted ones), locations, Apple Pay, Wallet etc. All the most-critical evidence is there.

Need more, including system databases, building the complete Timeline, defining social links between device contacts and extractions in Social Graph, getting comprehensive data analysis with facial recognition and image categorization, advanced data search and detailed reports? Get Oxygen Forensic Detective.

Did you extract the keychain? That’s a gold mine. Not just all the passwords and tokens (for dozens web sites, social networks, mail accounts and more), but also the encryption keys that will allow you to decrypt WhatsApp and Signal conversations. Use Elcomsoft Phone Breaker to browse it in a very convenient way (well, three ways); there you will be also able to export passwords to a wordlist, allowing you to break other files, documents and systems almost instantly.

While the dust surrounding the controversy of rushed iOS 13 release settles, we are continuing our research on what has changed in iOS forensics. In this article we’ll review the new policy on USB restrictions and lockdown record expiration in the latest iOS release. We’ll also analyze how these changes affect experts investigating iPhone devices updated to the latest OS release.

The real purpose of the USB restricted mode may not be immediately obvious, and the new enhancements may cause even more confusion. In our view, using USB accessories while the device is locked creates no additional risk to the user’s security and privacy. However, if we assume that this mode is aimed straight at certain forensic extraction and passcode-cracking solutions (such as GrayKey), the target of the USB restriction would be law enforcement agencies.

USB restricted mode made its appearance in iOS 11.4.1 and further enhanced in iOS 12. We posted five articles on the matter; do check them out if you don’t know what this feature is for. We also recommend the original Apple KB article “Using USB accessories with iOS 11.4.1 and later”.

Apple is still to update its iOS Security Guide. The May 2019 version (iOS 12.3) of the Guide defines USB restricted mode as follows.

(more…)

iOS 13 is on the way. While the new mobile OS is still in beta, so far we have not discovered many revolutionary changes in the security department. At the same time, there are quite a few things forensic specialists will need to know about the new iteration of Apple’s mobile operating system. In this article, we’ll be discussing the changes and their meaning for the mobile forensics.

iCloud backups

We’ve seen several changes to iCloud backups that break third-party tools not designed with iOS 13 in mind. Rest assured we’ve updated our tools to support iOS 13 iCloud backups already. We don’t expect the backup format to change once iOS 13 is officially released, yet we keep an eye on them.

First, Apple has changed the protocol and encryption. There’s nothing major, but those changes were more than enough to effectively block all third-party tools without explicit support for iOS 13.

Second, cloud backups (at least in the current beta) now contain pretty much the same set of info as unencrypted local backups. Particularly missing from iCloud backups made with iOS 13 devices are call logs and Safari history. This information is now stored exclusively as “synchronized data”, which makes it even more important for the investigator to extract synced evidence in addition to backups. Interestingly, nothing was changed about synced data; you can still use the same tools and sign in with either Apple ID/password/2FA or authentication tokens. (more…)