Forensics Firm Offers Tools to Defeat iOS 4 Encryption

Discussion in 'iOS Blog Discussion' started by MacRumors, May 24, 2011.

  1. MacRumors macrumors bot


    Apr 12, 2001


    Bright Side of News reports that Russian forensics firm Elcomsoft has discovered a method of cracking Apple's hardware encryption built into iOS 4, providing law enforcement and other parties with a way to access the protected data provided they have physical access to the device.
    Elcomsoft offers a basic Phone Password Breaker for Windows priced at $79 for home use and capable of unlocking encrypted backups of BlackBerry and iOS devices. A much more advanced package for iOS 4 devices is available for government agencies, offering access to other information such as passwords, stored email messages, and deleted SMS messages and emails.

    Additional details on the decryption processes are available in a blog post on Elcomsoft's site.

    Article Link: Forensics Firm Offers Tools to Defeat iOS 4 Encryption
  2. Doctor Q Administrator

    Doctor Q

    Staff Member

    Sep 19, 2002
    Los Angeles
    The "other parties" we're talking about aren't just governments. I think it means "anybody".
  3. bytethese macrumors 68030


    Jun 20, 2007
    Cranford, NJ
    Hmm, interesting. However I wonder if Jon Zdziarski's method is still valid, where you jailbreak but only overwrite the / partition and then ssh into the device to transfer a dd capture over netcat.

    I think this method would be faster, transferring 16-32GB of data over wifi for me in the 2.x/3.x days was sloooooow.
  4. dbendixen macrumors member

    Oct 22, 2010
    Russian "Forensics" firm, huh? I guess that is this company's effort to seem legitimate.
  5. munkery macrumors 68020


    Dec 18, 2006
    Most of the actually valuable data, such as website logins and emails, is protected by keychains tied to the user's passcode. This software still has to brute force the user's passcode, which is trivial if the simple 4-digit passcode is used.

    Even the non-simple passcode can be brute forced easily if the user doesn't follow basic secure password practices. Passwords should include at least one element from the upper case alphabet, lower case alphabet, numbers, and symbols while also being at least 8 characters long.

    Using the escrow keys instead of brute forcing the passcode requires access to both the iOS device and a computer running iTunes with which that specific iOS device has been synced.

    If you are really paranoid, just make sure that the passcode is sufficiently difficult to brute force and that you delete iTunes, making sure to remove any of its associated files, after configuring (updating, etc.) the iOS device.
  6. longofest Editor emeritus


    Jul 10, 2003
    Falls Church, VA
    Right on. In some sense, this isn't anything new. Brute-forcing a password is certainly nothing new, and we've known for a long time that 4-digit keycodes aren't secure.

    But still, kudos to them for creating the tool to do it. I think...
  7. blackboxxx macrumors regular

    Sep 10, 2008
    Deleting iTunes won't help. The escrow keys are actually stored in /private/var/db/lockdown/ (Windows: %AllUsersProfile%\Apple\Lockdown\).
  8. munkery, May 24, 2011
    Last edited: May 24, 2011

    munkery macrumors 68020


    Dec 18, 2006
    I did mention that associated files should be deleted as well.

    Honestly, I did not know that specific file needed to be deleted.

    So, thanks for that info. Not that I am personally worried about it.

    P.S. There seems to be a lot of other data included in the .plist file included in that folder.

    Will deleting it cause other issues? Which entry in that .plist file should be deleted? EscrowBag? All of them?

    Also, what measures would protect collection of those keys from the computer? It appears to be outside of the range of files protected by FileVault, at least, until the release of OS X Lion.

    Would changing your passcode after each sync solve the issue with the escrow keys? What if you also de-authenticated iTunes from your Apple ID? What if iTunes is encrypted with FileVault and the passcode was changed after each sync?

    Sorry, this has captured my interest.
  9. munkery, May 25, 2011
    Last edited: May 25, 2011

    munkery macrumors 68020


    Dec 18, 2006
    Update: only need to delete lockdown folder.

    I tried a few things to see what would cause iTunes to prompt for an iOS device's passcode despite already having synced with each other in the past.

    This information is most likely not important to most users, including myself, given their requirements in terms of data security but it may be useful for some.

    - Changing the passcode after each sync does not cause iTunes to prompt for the iOS device's passcode so the function of the escrow keys is not tied to the passcode.

    - Deauthorizing iTunes does not cause iTunes to prompt for the iOS device's passcode to allow syncing the device so the Apple ID is not involved in the process as well.

    - Currently, FileVault does not appear to encrypt this folder. This will not be an issue with FileVault in Mac OS X Lion as it will support full disk encryption. Interestingly, it was sometime last year that the lockdown folder was moved from ~/Library/Lockdown to /private/var/db/lockdown. The old location is in an area of the system encrypted by FileVault. Was this an oversight by Apple?

    - I suspect access to iTunes is not required given an independent tool was developed to bypass the encryption so no combination that includes deleting or limiting access to iTunes without also deleting the contents of the lockdown folder is effective. Deleting iTunes also most likely does not provide any benefit.

    - Encrypting the iOS device's backup has no impact on the lockdown folder but increases security in other ways unrelated to the escrow keys issue.

    - As suggested by blackboxxx, deleting the lockdown folder does cause iTunes to prompt the user to enter the iOS device passcode; after which, syncing the device causes the contents of the lockdown folder to be recreated.

    - The contents of the lockdown folder only appear to be related to the syncing of iOS devices. The contents can be deleted without issue and are recreated each time you sync the iOS device.

    So, a combination of using a secure passcode and deleting the contents of the lockdown folder after each sync can mitigate access to the user's data via the method described in the original post.

    Also, it would be trivial to produce a simple app using Automator that would move the contents of the lockdown folder to the trash when run after each syncing of the iOS device.

    Admittedly, I don't think this is an issue that users should have to worry about. What if both your computer and iOS device were stolen at the same time? Of course, this is dependent on this method becoming more known in detail than it is at the moment.
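As an added illustration of the mitigation munkery and blackboxxx describe (clearing the lockdown folder after each sync so the escrow pairing records are not left on the computer), here is a small POSIX shell script. It is not from the thread or from Apple; the only path taken from the thread is blackboxxx's OS X location `/private/var/db/lockdown`, the Windows location is not handled, and the function names, the "trash" directory layout and the sample file names are assumptions. The script moves files rather than deleting them, so a later sync can recreate the folder exactly as munkery observed.

```shell
#!/bin/sh
# Added example, not part of the original thread. Moves the contents of the
# iTunes lockdown folder into a timestamped trash directory after a sync.
# Default source path is the OS X location given in the thread; everything
# else here is an assumption for illustration.

LOCKDOWN_DIR="${LOCKDOWN_DIR:-/private/var/db/lockdown}"
TRASH_BASE="${TRASH_BASE:-$HOME/.Trash}"

# purge_lockdown SRC DEST
# Moves every regular file (including dotfiles) from SRC into DEST, creating
# DEST if needed, and prints the number of files moved. Returns 1 if SRC is
# not a directory or a move fails. Nothing is deleted outright, so a mistake
# can be undone by moving the files back.
purge_lockdown() {
    src="$1"
    dest="$2"
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    count=0
    for f in "$src"/* "$src"/.[!.]*; do
        [ -f "$f" ] || continue          # skips unmatched globs and subdirs
        mv -- "$f" "$dest"/ || return 1
        count=$((count + 1))
    done
    echo "$count"
    return 0
}

# count_pairing_records DIR
# Counts the .plist pairing records present in DIR; a successful purge
# leaves 0 in the lockdown folder.
count_pairing_records() {
    n=0
    for f in "$1"/*.plist; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone use on a real machine (needs write access to the folder):
#   sh purge_lockdown.sh --run
# The guard keeps the script from touching the real folder when it is
# merely sourced or tested.
if [ "${1:-}" = "--run" ]; then
    dest="$TRASH_BASE/lockdown-$(date +%Y%m%d%H%M%S)"
    moved=$(purge_lockdown "$LOCKDOWN_DIR" "$dest") || exit 1
    echo "moved $moved file(s) from $LOCKDOWN_DIR to $dest"
fi
```

Run it once after every iTunes sync (or wire it to a launchd or Automator action, as munkery suggests); the next sync will prompt for the device passcode and rebuild the folder, which is the behaviour the thread reports.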
  10. snarkies macrumors newbie

    Jun 5, 2011
    So to sum up, as it wasn't quite clear to me, for a regular user whose PC is at home and I lose my iPhone, I don't need to worry about this thing?
  11. munkery, Jun 5, 2011
    Last edited: Jun 5, 2011

    munkery macrumors 68020


    Dec 18, 2006
    As long as your passcode meets the specifications presented in one of the previous posts in this thread, you don't have to worry.

  12. 8CoreWhore macrumors 68020


    Jan 17, 2008
    Big D
    Great, now when your phone gets stolen the thief can get in and turn off the Find My iPhone feature, etc. Thanks, Russia! This is the same corrupt country Apple wants to open up shop in, so we get all kinds of compromises. Apple, stay away from the mafia-states!