ElcomSoft Breaks iPhone Encryption, Offers Forensic Access to File System Dumps

May 23rd, 2011 by Vladimir Katalov

ElcomSoft researchers were able to decrypt encrypted iPhone file system images made under iOS 4. While at first this may sound like a minor achievement, ElcomSoft is in fact the world’s first company to do this. It’s also worth noting that we will be releasing the product implementing this functionality for the exclusive use of law enforcement, forensic and intelligence agencies. We have a number of good reasons for doing it this way. But first, let’s put things in perspective.

iPhone User Data: What’s Inside

Let’s make it very clear: no privacy purist should ever use an iPhone (or, probably, any other smartphone). iPhone devices store or cache huge amounts of information about how, when, and where the device has been used. The amount of sensitive information collected and stored in Apple smartphones is beyond what had previously been imaginable. Pictures, emails and text messages (including deleted ones), and calls placed and received are just a few things to mention. There is a comprehensive history of the user’s locations, complete with geographic coordinates and timestamps; Google Maps queries and routes ever accessed; Web browsing history and browser cache; screenshots of applications in use; usernames, Web site passwords and the password to iPhone backups made with the iTunes software. Just about everything typed on the iPhone is cached by the device.

It’s Not About iPhone Backups Any More

Some, but not all, of that information makes its way into iPhone backups produced with Apple iTunes. Password-protected iPhone backups can be broken into with Elcomsoft Phone Password Breaker; once decrypted, the information stored in these backups can be viewed with many commercial products. However, the amount of information these backups contain is fairly limited. Analyzing the actual iPhone device can provide forensic access to much more data.

Adequate Protection

The amount and nature of information accumulated by iPhone devices called for adequate protection. Starting with the iPhone 3GS, Apple has included a hardware AES encryption engine in every device. With iOS 4, the company introduced a feature called Data Protection, which uses that hardware to encrypt the user data stored on the iPhone 3GS and subsequent models (iPhone 4, all models of iPad, and the latest generations of iPod Touch) with per-file keys. Using industry-standard AES-256 encryption, the protection was considered adequate against even the best-equipped adversaries, including forensic analysts and law enforcement agencies.

Implementation of iPhone File System Encryption

If you’re not interested in the technical details of how Apple iOS 4 protects user data on iPhone devices, you can skip this chapter. Reading it will, however, help you understand and appreciate what ElcomSoft researchers have done. The iPhone, iPod Touch and iPad (referred to hereafter as iOS devices) are quite popular with all types of users. Because of their popularity, and considering the amount of information they hold about the history of the user’s behavior, iOS devices are common subjects of forensic analysis. The most comprehensive technique for iOS forensics is physical acquisition, which obtains a bit-for-bit image of the iOS device’s file system. In a way, this is similar to imaging a disk or dumping a CD or DVD into an ISO file.

The technique worked great until the release of iOS 4. Before that, file system images obtained from the iPhone and other iOS devices were perfectly readable, with all user data readily accessible. On iOS 4.x, however, file system images obtained from the devices were pretty much useless for forensic analysis because the contents of each file were encrypted. The file system structure itself was intact, though, and it was still possible to obtain the list of files and some of their attributes; only the file contents were unreadable.

To make things even more complicated for a security researcher, every file is encrypted with its own unique encryption key, and that key is tied to the particular iOS device. Furthermore, certain files are protected with keys tied to both the device and the user’s passcode, meaning that those files can only be decrypted when the device is unlocked by the user. The most notable examples are the e-mail files maintained by the built-in Mail app.

Breaking the Encryption

Explaining what we did to break this encryption is not exactly easy. In short, we found a way to decrypt bit-for-bit images of iOS 4 devices. Decrypted images are perfectly usable and can be analyzed with forensic tools such as Guidance EnCase or AccessData FTK (or any other tool that supports raw drive images and the HFS+ file system). Decryption is not possible without access to the actual device, because we need to obtain the encryption keys that are stored in (or computed by) the device and are not dumped or stored during a typical physical acquisition. In particular, those keys include:

  • Keys computed from the unique device key (UID), which is believed to be embedded in the hardware and not extractable (the so-called keys 0x835 and 0x89B);
  • The user passcode key, which is derived from the user’s passcode using the unique device key (UID);
  • Escrow key(s), which are derived from escrow pairing records using the unique device key (UID);
  • The effaceable storage area, which holds a number of encryption keys.

Once we’ve got those keys, we’re good to go. File decryption is instant and only depends on the availability of the corresponding content protection class key. Some files are encrypted with keys tied to the user’s passcode, and to decrypt those you need either the correct passcode or the escrow keys (see below). ElcomSoft provides a tool to brute-force the passcode. The vast majority of files, however, can be decrypted without knowing the passcode.

By default (with the “Simple passcode” option enabled), passcodes consist of only four digits, meaning that only 10,000 possibilities exist. Having to enter their passcode rather often, most users keep it at the default length of four digits for the sake of usability.

Ten thousand combinations do not sound like much. On a PC, breaking a passcode of this length would take only moments. Unfortunately, passcodes can only be brute-forced on the device itself: the passcode key is derived using the device’s UID, which never leaves the hardware, so every guess has to be computed by the device. With the iPhone 4, the maximum time to break a 4-digit passcode is therefore about 40 minutes, with about 20 minutes on average. The iPhone 3GS is slower, and it takes a bit longer to break a passcode there. Phones running iPhone OS 3.x, in fact, can be broken without knowing the passcode at all, by simply removing it; with iOS 4.x, a valid passcode is required to gain full access.

It is possible to get around the requirement for the correct passcode by using escrow keys. Escrow keys are created and stored by iTunes when you first connect an iOS device to the computer. Having the set of escrow keys collected from a computer to which the iOS device was once connected gives the same powers as knowing the passcode (except that you can’t deduce the passcode itself).
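To make the key hierarchy from the last few paragraphs concrete, here is a small Python model of it. This is an added example, not ElcomSoft’s tool and not Apple’s keybag or file format: HMAC-SHA256 keyed with a secret UID stands in for the device’s UID-keyed AES engine, a toy authenticated wrap (HMAC keystream plus an 8-byte HMAC tag) stands in for AES key wrapping, and the labels passed to the derivation, the iteration count, the class names, the pairing record and the file names are all assumptions for illustration. The structure is what the post describes: with only the device (and therefore only UID-derived keys) the no-passcode class decrypts while the passcode-bound class does not; a four-digit simple passcode is recovered by calling the derivation directly and checking whether the class key unwraps; and the escrow keybag from a paired computer unlocks the same class keys without revealing the passcode.

```python
import hashlib
import hmac
import os

# Toy model of the iOS 4 Data Protection key hierarchy described in the post.
# It is an added illustration, not Apple's keybag or file format: the device's
# UID-keyed AES engine is stood in for by HMAC-SHA256 keyed with a secret UID,
# AES key wrapping by an HMAC keystream plus an 8-byte HMAC tag, and file
# encryption by the same keystream. Only the structure is meant to be faithful.

UID = os.urandom(32)  # stand-in for the fused, non-extractable per-device key

def prf(key, *parts):
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(p if isinstance(p, bytes) else str(p).encode())
    return h.digest()

def xor(data, key):
    """Toy stream cipher: XOR data with an HMAC-derived keystream under key."""
    ks = b"".join(prf(key, "ks", i) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def uid_derive(label):
    # A key only the device can compute (the post's 0x835/0x89B keys, or an
    # escrow key from a pairing record); it is never available off the device.
    return prf(UID, label)

KEY_0x835 = uid_derive("0x835")  # protects class keys that need no passcode
KEY_0x89B = uid_derive("0x89B")  # ties the passcode derivation to the device

def passcode_key(passcode, salt, iterations=20):
    # Every round uses a UID-derived key, so a guess can only be checked on the
    # device. The real count is far higher (the post: ~10,000 guesses in 40 min).
    k = salt
    for _ in range(iterations):
        k = prf(KEY_0x89B, k, passcode)
    return k

def wrap(kek, key):
    iv = os.urandom(8)
    ct = xor(key, prf(kek, "wrap", iv))
    return iv + ct + prf(kek, "tag", iv, ct)[:8]

def unwrap(kek, blob):
    iv, ct, tag = blob[:8], blob[8:-8], blob[-8:]
    if not hmac.compare_digest(prf(kek, "tag", iv, ct)[:8], tag):
        return None  # wrong key, e.g. a wrong passcode guess
    return xor(ct, prf(kek, "wrap", iv))

def build_keybags(passcode, pairing_record):
    """System keybag (stays on the device) and escrow keybag (given to the paired
    computer). Class 'Complete' needs the passcode, class 'None' only the device."""
    salt = os.urandom(16)
    class_keys = {"Complete": os.urandom(32), "None": os.urandom(32)}
    system_keybag = {"salt": salt,
                     "Complete": wrap(passcode_key(passcode, salt), class_keys["Complete"]),
                     "None": wrap(KEY_0x835, class_keys["None"])}
    escrow_key = uid_derive(pairing_record)  # needs the record AND the UID
    escrow_keybag = {c: wrap(escrow_key, k) for c, k in class_keys.items()}
    return class_keys, system_keybag, escrow_keybag

def protect_file(cls, class_key, plaintext):
    """One file as it sits in a raw image: class, wrapped per-file key, body."""
    file_key = os.urandom(32)
    return cls, wrap(class_key, file_key), xor(plaintext, file_key)

def unlock_class_keys(system_keybag, passcode=None, escrow=None):
    """Class keys reachable with the device alone, plus optionally a passcode or
    a (pairing_record, escrow_keybag) pair taken from the paired computer."""
    keys = {"None": unwrap(KEY_0x835, system_keybag["None"])}
    if passcode is not None:
        k = unwrap(passcode_key(passcode, system_keybag["salt"]), system_keybag["Complete"])
        if k:
            keys["Complete"] = k
    if escrow is not None:
        record, escrow_keybag = escrow
        for cls, blob in escrow_keybag.items():
            k = unwrap(uid_derive(record), blob)
            if k:
                keys[cls] = k
    return keys

def decrypt_image(image, class_keys):
    """Decrypt each file whose class key is available; None for the rest."""
    out = {}
    for path, (cls, wrapped_fk, body) in image.items():
        fk = unwrap(class_keys[cls], wrapped_fk) if cls in class_keys else None
        out[path] = xor(body, fk) if fk else None
    return out

def brute_force_passcode(system_keybag, digits=4):
    """Try every simple passcode; a guess is right when the 'Complete' class key
    unwraps. The derivation is called directly, so no UI attempt counter runs."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if unwrap(passcode_key(guess, system_keybag["salt"]), system_keybag["Complete"]):
            return guess
    return None

if __name__ == "__main__":
    pairing = b"pairing-record-from-host"  # constructed
    ck, sysbag, escbag = build_keybags("0042", pairing)
    image = {"sms.db": protect_file("None", ck["None"], b"texts"),  # illustrative names
             "mail.db": protect_file("Complete", ck["Complete"], b"mail")}
    print("device only:", decrypt_image(image, unlock_class_keys(sysbag)))
    print("brute-forced passcode:", brute_force_passcode(sysbag))
    print("escrow:", decrypt_image(image, unlock_class_keys(sysbag, escrow=(pairing, escbag))))
```

Two design points carry over to the real system. The wrap carries an integrity tag, which is what lets a brute-forcer distinguish a right guess from a wrong one without any plaintext to compare against; and because every round of passcode_key goes through a UID-derived key, the loop in brute_force_passcode cannot be moved to a PC, which is why the post quotes on-device rates rather than GPU rates.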

The last thing standing is the keychain. The keychain is a system-wide storage area for application secrets such as user account details, usernames and passwords. While Elcomsoft Phone Password Breaker already had the ability to display the contents of the keychain, it could only read the keychain from iOS backups. As it turns out, not all data from the system keychain is exported into the backup. For example, the backup password itself is present in the system keychain but is never exported to the backup. Application developers using the Keychain can choose whether records stored by their application go into the backup or not. That said, the complete keychain, including items not included in the backup, can be read and decrypted using the same set of keys obtained from the device.

Another World’s First

So far, ElcomSoft is the first company to offer a complete, all-in-one commercial solution for performing physical acquisition and analysis of iOS 4.x devices: another “world’s first” for ElcomSoft.

What This Means for You

By breaking the protection system of Apple iPhone 3GS and later devices running iOS 4, ElcomSoft opens the possibility of an extremely comprehensive forensic analysis of affected iOS devices. This is a big achievement in practical terms (the AES cipher itself was not broken; rather, the keys are recovered from the device as described above), but it should be kept in perspective: iPhone backups produced with the Apple iTunes software already contained a lot of sensitive information, including keychains. ElcomSoft makes forensic analysis easier, faster (the extraction of file system encryption keys is nearly instant, as opposed to the lengthy dictionary or brute-force attacks required to obtain the password to an iPhone backup) and more comprehensive.

The toolkit we’re offering includes an updated Elcomsoft Phone Password Breaker fitted with a new function to decrypt iOS 4.x file system images, as well as optional tools to obtain file system images of iOS 4.x devices, extract the keys required for image decryption, and brute-force the passcode.

To make sure those tools do not fall into the wrong hands, we decided to offer them only to established law enforcement, forensic and intelligence agencies as well as select government organizations.

Affected Apple Devices

All Apple devices starting with the iPhone 3GS and running iOS 4 are affected, including iPhone, iPod Touch and iPad devices.


Next part: Extracting the File System from iPhone/iPad/iPod Touch Devices


46 Responses to “ElcomSoft Breaks iPhone Encryption, Offers Forensic Access to File System Dumps”

  1. Adam says:

    It always amuses me when companies like Elcomsoft claim a “world first” such as physical image analysis of iPhones. Well you are far from a world first, you may wish to check your facts. iXam has been doing this for nearly 2 years and I can think of at least one other tool which also does it. Elcomsoft, FAIL fact checking but pass on sensationalising lies :)

  2. Slagell says:

    Sounds like you need access to the backup or the system it syncs with to get around the passcode and gather the escrow keys. If the iPhone backup is encrypted or Filevault is used on that machine, then you are forced to brute force the passcode. But if you set the phone to wipe keys after 10 failed tries, this eliminates that vector as well.

  3. Rob Prante says:

    This is very interesting! I’m very curious to know, in executing a brute-force to solve an individual’s passcode, how you get around the security setting to wipe the device after a certain number of failed attempts?
    It seems, if that setting is enabled, this would prevent a brute-force and subsequent reading of the user data, since exceeding that threshold would cause the encryption keys to be deleted.
    Additionally, how much more difficult is the process of solving the passcode if a user has implemented a complex passcode (as opposed to the default 4-digit code)?

    Thanks!

  4. RichieB says:

    This method sounds exactly the same as presented at HITB 2011 Amsterdam on May 20th. See google for: google code iphone dataprotection

  5. Martin Schneider says:

    What does enabling extended passwords and e.g 8 character passwords for unlocking bring to this equation?

    What information is available without discovering the passcode? does it include full keychain access? if not which parts?

    What is the best a way to secure the devices?

  6. To Martin Schneider:

    An 8-character password (you mean passcode, right?) cannot be cracked with a brute-force attack. But a dictionary attack may help (we have not implemented it for the passcode, though).

    Without the passcode, actually, you can get all the same (i.e. the complete/decrypted image), but only if you get the ‘escrow’ keys (from the computer). If one cannot get (or break) the passcode nor has the escrow keys, some information is still available.

    The best way to secure the device is to protect it with a good passcode (disabling the “simple passcode” option), and to provide physical security to both the device and the computer it was connected to.

  7. To Rob Prante:

    When brute-forcing the passcode, we don’t use the API; we call the required functions directly, so these attempts are not counted :)
    Complex passcode is a good idea — it is almost impossible to break it.

  8. @Slagell, first part is correct, but the second is not, sorry. We run the attack on the passcode directly “on the chip”, and the system does not recognize that it is being bruteforced, so we can make as many attempts as we want (and have the time for).

  9. @Adam, let’s check the facts together :)

    Yes, there are many products that perform physical acquisition of the information stored in smartphones (including the iPhone) — not only iXAM, but also AccessData MPE, Micro Systemation XRY and some others. And we never said that we’re first here.

    With the iPhone, this method worked perfectly until iOS 4 (with hardware encryption) was released. It is still possible to get the complete image of the iPhone, but it is (was) absolutely useless because it is encrypted. We were the first who were able to get the keys from the device and decrypt an image.

  10. @RichieB, Thank you for your comment.

    You are right, the research behind this feature is basically the same one which was presented at HITB.

    However, I would like to stress that we did our research on our own. We became aware of the upcoming HITB presentation after we had finished our research. Besides, despite the same research route, our set of tools uses a somewhat different approach (which we believe allows for greater flexibility and compatibility).

  11. ecophobia says:

    Well done guys. Congratulation.

  12. Kim Cary says:

    No privacy purist would publish their right name on an Internet blog either – LOL.

    Thank you for this. As someone concerned with providing our users good advice about their smartphones, this is very valuable information, and backs up our recommendations:
    1) do not place restricted information on a phone/mobile nor an unencrypted PC
    2) set a long pass phrase to prevent access to your email and things you do have on the phone/mobile.

  13. CyberHeat says:

    Adam needs to get his facts straight before talking trash. Our lab of LEO forensic examiners is very interested in learning more and is eager to see it. It will be nice, since Apple really has NO desire to assist LEOs.

  14. Cynic says:

    So does Apple already own ElcomSoft or is that in the pipe-line?

  15. Rob says:

    When you say “wrong hands” I think you should mean Governments. They are the dangerous people to give this information to. If you think they are the good guys then you should really re-think life.

    My only thoughts are that your company will make lots of money handing this technology over to them. Don’t sell out!

    Look at Phil Zimmermann’s PGP. He did not break and sell out to the feds!

  16. Shaun H says:

    “If one cannot get (or break) the passcode nor he has the escrow keys, some information is still available.”

    Is information still available if you can’t crack the keychain which requires either the passcode or escrow key? What kind of information is available since LEOs in the field would be unlikely to have access to your PC?

  17. @ Shaun H, without both the passcode and escrow keys, almost all files on the user partition can be decrypted, plus some records from the keychain are available (like WiFi and email passwords, and probably more).

  18. priy says:

    I would like to request for clarification on three things

    If you have possession of the device itself, but one with a complex passcode, what all can you obtain? Can this be avoided?

    If you have access to the backup again with a complex passcode – what all can you obtain and how?

    iTunes can back up without asking for a password from the device (if it is not the first-time sync, or if it is already a paired device). Are you exploiting this in any way?

  19. Shaun H says:

    But you can only get the Keychain from the iOS backup file on the PC, which, if it is encrypted, means you have to brute-force that password as well?
    So with access only to the iOS device (using a complex password) and not the PC, you can still decrypt the entire user partition? Any idea if iOS 5 fixes that?

  20. @ priy

    1. If we have a device and don’t know the passcode (and don’t have the PC it syncs to), then we can decrypt almost all files on the user partition (except for the Mail.app mail database) and a significant part of the Keychain. The exact amount depends on the particular applications installed on the device, because each application decides which protection level to use for its data, and without the passcode (or escrow keys) not all levels are decryptable.

    2. Apart from metadata (like phone number and maybe IMEI), nothing. You need to recover the backup password first, and then you can decrypt everything in the backup: SMS, call logs, Address Book, images, etc.

    3. Yes. This is called ‘escrow keys’, and having the device AND the escrow keys for this device allows decrypting everything (same as with the correct passcode).

  21. @Shaun H

    No, you can actually read the Keychain from the physical image of the device file system. This of course requires physical access to the device, but the Keychain on the device is “more complete”, so to say. During backup, not everything from the device keychain is transferred to the backup keychain. For example, the backup password is in the device keychain but it’s not transferred to the backup keychain.

    Without the passcode and escrow keys we can decrypt almost all files (see my previous answer), but not all. No idea if iOS 5 fixes that; we haven’t seen or heard anything about it yet.

  22. Morten says:

    I use 4 upper/lower-case letters and numbers in my password to open my iPhone.
    40 min for 10,000 combinations.
    0-9 + a-z + A-Z = 64
    4 characters = 64^4 = 16777216 combinations. 250 keys/min (10k/40 min) gives 46 years, or 23 years on average.

    Thanks! Nice to see only 4 chars is long enough.
    I will now change to 5 chars, break that!

    (And yes; I got remote wipe, 2-ways auth and locate my phone turned on.)

  23. Your math is a little wrong.

    0-9 + a-z + A-Z gives 62 chars, not 64. The total number of passwords is thus 14’776’336. The iPhone 4 has a recovery rate of (roughly) 6 passcodes per second, so that translates to 2’462’723 seconds, or 28.5 days worst case or 2 weeks on average. So you might want to consider switching to a 5-char password :)

    Remember, though, that in iOS 4 most of the stuff can be accessed without your passcode, so it isn’t really necessary to recover it to get, say, your call logs, texts, or email passwords.

  24. Andi says:

    Guys,

    I upgraded to iOS 5 on my iPhone 4, and the phone was reset. I had chosen to encrypt the backup in iTunes and chose not to include the key in the Keychain. Smart as I was (at that time), I had chosen a password between 15 and 20 characters long, consisting of upper- and lower-case letters and numbers. Since I had to enter it only once (for the first backup), I forgot my password. :(
    I assume brute force won’t help, due to the length of the password (though less than 15 chars can be skipped). Is there any way to either compute the backup password from the content of the backup file, or to extract pictures and contacts otherwise?

  25. Well, you’re not alone. Lots of people are in the same situation, really.

    For passwords of that length, brute force is not practical at all. Your only chance is remembering the password you used (or still running a few attacks, hoping that the password is not that complex). Files from an encrypted backup can’t be decrypted without the password. Sorry.

    Before updating to iOS 5 you could have recovered your backup password almost instantly, by using either our iOS Forensic Toolkit or other similar tools to access and decrypt the contents of your phone’s Keychain; the backup password (along with pretty much every password to email, WLAN, Twitter, etc.) is stored there. But once iOS 5 is installed, that data is gone.

  26. Ned says:

    Hi.
    Any update on how secure iOS 5 is?

    Also, how vulnerable is data that is also encrypted to the AES 256 standard within an encryption app running on the device? Can you crack the device file system but not the added encryption provided by a 3rd party app? Or can you get access to the lot?

    And lastly, X Shredder claims to completely ‘shred’ the free space on the device thereby utterly destroying any data that was there and putting it way beyond recovery. Would you say that is possible? You can run wipes up to 50 passes, each writing random data to the free space on the device.

    Thanx.

  27. The iOS security model is such that encryption provided by any 3rd party app is limited to the app itself (and its data), not the system as a whole. Therefore, such encryption is pretty much useless (with a few exceptions maybe). “Cracking” such 3rd party encryption is usually easy.

    I’ve never heard of “X Shredder”, but there is no way to efficiently recover deleted files on iOS 4/5, even without using such tools.

    Overall iOS 5 security is better than that of iOS 4, mostly because it is now harder to bypass the passcode. If the device is not passcode protected, then security is pretty much the same as in iOS 4.

  28. Ned says:

    Thanx for the reply Andrey.

    So data shredding is not needed, you think? I buy, refurb (if needed) and clean out iOS devices and resell them. I usually put them into recovery mode and run a 35-pass shred; is simply deleting the old file system enough, then? TBH, a big selling point of my buy/sell business is telling customers that I completely destroy all their data prior to resale. The shredding is time consuming, though, and if the same guarantees about data being impossible to recover can be given by just restoring the device, it would make my job easier.

    With regard to the encryption apps. I wasn’t really thinking of an app that further encrypts the whole device, more the kind of file safe type that encrypts the data and stores it within the app. Commonly used for keeping pictures and passwords safe, that kind of thing. Apps like ‘Private File’ and similar that encrypt all data placed in the apps own file system.

    How secure are they?

    Thanx again guys, great site! Very informative.

  29. I think that just running a restore of a device via iTunes is enough to render old data inaccessible. This is true if the device is an iPhone 3GS or newer and if it was running iOS 4 or later (i.e. it’s not safe to do this on an iPhone 3G with any iOS, or on an iPhone 3GS if it was running iOS 3).

    Regarding the encryption apps, it really depends. Most apps we’ve seen do not provide any significant improvement (but we haven’t analyzed all of them obviously).

  30. Ricardo Aguado says:

    Hi,

    One newbie question: I have installed iOS 5.0.1 on my iPhone 4, but I forgot to back up a lot of images, videos and notes. Is there any chance of recovering them, or at least part of them?
    Thanks in advance.

  31. Lou Huerta says:

    I forgot my iTunes password and need to know how to break the encryption to get into my iPhone 3GS.

  32. Lou Huerta says:

    I forgot my iTunes password on my iPhone and need to break it so that I can get into my info.

  33. PD says:

    Hi,
    Interesting blog post! I have a question about the keychain security on iOS 4.x:

    Keychain entries of a 3rd party app are protected according to their ‘protection class’. For example, the class ‘kSecAttrAccessibleWhenUnlocked’ means that the entry is only accessible when the device is unlocked. Does the OS automatically decrypt all keychain entries with that protection class as soon as the device gets unlocked?
    If yes, this would mean that on a jailbroken device a malicious application could read ALL keychain entries, because they are accessible when the device is unlocked and, because of the jailbreak, the sandbox no longer ensures that keychain entries can only be accessed by the app they belong to.

    Am I right with this assumption?

    Thanks in advance.

  34. Adrienne Downing says:

    My iPhone backup (3GS running 4.3) was accidentally encrypted by an Apple store employee and then the phone wiped when upgrading to 5.0, leaving me with a lot of unbacked up information in my notes and txts. I read that Elcomsoft might be able to help me with this, but the backup is in iTunes on my MacBook Pro, not a PC (which it says the software is designed to be used with). Is there a way to use the software to break the backup code (such as transferring the backup file to a PC and using it on there)? I have a lot of business information I need in this backup and any information you could provide would be appreciated.

    Thank you.

  35. Hello,

    You can of course transfer iTunes backup from Mac to the PC.

    On the Mac, iTunes stores backups in ~/Library/Application Support/MobileSync/Backup/. Navigate to this folder (Shift-Command-G in Finder), locate the required backup and copy the Manifest.plist file from the backup directory to the PC. This is the only file required to run password recovery, so you do not need to transfer the whole backup (which may be quite big).

    Hope this helps.
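As an added example (not part of the comment above and not ElcomSoft’s tool), here is a small Python script that lists the backup folders under the MobileSync directory named in that reply and reads from each Manifest.plist the fields that matter before sending it off for password recovery: whether the backup is encrypted, whether it carries a backup keybag, and which device and iOS version it came from. The key names it looks for (IsEncrypted, BackupKeyBag, and a Lockdown sub-dictionary with DeviceName, ProductVersion and UniqueDeviceID) are my recollection of the iTunes backup format and should be checked against a real backup; the two sample manifests are constructed in memory so the script runs without a backup present.

```python
import pathlib
import plistlib

# Constructed sample manifests standing in for the Manifest.plist that iTunes
# writes into each backup folder. The key names are assumptions about the
# iTunes format; verify them against a real backup.
LOCKDOWN = {"DeviceName": "Example iPhone", "ProductType": "iPhone2,1",
            "ProductVersion": "4.3.3", "UniqueDeviceID": "0" * 40}
SAMPLE_ENCRYPTED = plistlib.dumps({"Version": "9.1", "IsEncrypted": True,
                                   "BackupKeyBag": b"\x00" * 16,  # placeholder, not a real keybag
                                   "Lockdown": LOCKDOWN})
SAMPLE_PLAIN = plistlib.dumps({"Version": "9.1", "IsEncrypted": False, "Lockdown": LOCKDOWN})

def backup_info(manifest_bytes):
    """Summarise a Manifest.plist: is the backup encrypted, does it carry the
    keybag a password-recovery tool attacks, and which device/iOS made it."""
    m = plistlib.loads(manifest_bytes)
    lockdown = m.get("Lockdown", {})
    return {"encrypted": bool(m.get("IsEncrypted", False)),
            "has_keybag": "BackupKeyBag" in m,
            "device_name": lockdown.get("DeviceName"),
            "ios_version": lockdown.get("ProductVersion"),
            "udid": lockdown.get("UniqueDeviceID")}

def find_backups(root=pathlib.Path.home() / "Library/Application Support/MobileSync/Backup"):
    """Yield (folder, info) for every backup folder under root that has a
    Manifest.plist. The default is the Mac path from the comment; on Windows
    pass the iTunes backup directory explicitly."""
    root = pathlib.Path(root)
    if not root.is_dir():
        return
    for folder in sorted(root.iterdir()):
        manifest = folder / "Manifest.plist"
        if manifest.is_file():
            yield folder, backup_info(manifest.read_bytes())

if __name__ == "__main__":
    for folder, info in find_backups():
        print(folder.name, info)
    print("sample (constructed):", backup_info(SAMPLE_ENCRYPTED))
```

Only Manifest.plist is read, so the script never touches the (possibly very large) file contents of the backup; that matches the reply’s point that this one file is all a password-recovery run needs.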

  36. iOSFlash says:

    I was hoping you would be able to shed some light as to the potential for data accessibility on an iPhone assuming the following conditions:

    iPhone (model X) loaded with iOS 3.x or higher is physically disassembled
    MLB is physically damaged beyond repair (cut in half)
    All chips, except the Flash, are removed and/or damaged beyond repair

    Assuming the Flash chip is removed from the attached MLB without damage, what current possibilities exist to still recover usable data?

    This may seem like a weird question to ask, but our goal is to ensure the data on the Flash chip is unrecoverable.

  37. We have never evaluated such a scenario, although my understanding is that (on iOS 4 and the iPhone 3GS and newer) Flash contents are encrypted, and decryption would require access to the unique per-device encryption key, which is probably embedded in the application processor.

  38. IndiePhoenix says:

    Hello,

    Firstly, congratulations for your great work!

    I’d like to know if a jailbreak affects the security of an iPhone in any way. And how is the new version, 5.1, in terms of security? Can you still find many things about a user even if you didn’t crack his passkey?

    Thank you!

  39. Jailbreak is typically bad for security. With iOS 5 you still do not need to know the passcode to get most of the information from the device.

  40. John says:

    If you can physically open the device without disturbing the memory contents and then remove the memory chips (assuming they are non-volatile), they can be reverse engineered in a lab replete with a FIB. Hiring FIB time is low cost, quick and a sure way to extract data, surer than the software; a copy of the data can then be inspected non-destructively, and even if software traps are triggered, just load another copy.

  41. Andrew M. says:

    “Decryption is not possible without having access to the actual device because we need to obtain the encryption keys that are stored in (or computed by) the device ….”

    How do you obtain the encryption keys from the device? does this include the class key which is protected with the hardware UID? Do you perform brute-force attack on the device itself?

  42. Andrew,

    This key can be obtained/decrypted only using the physical acquisition method, e.g. using our Elcomsoft iOS Forensic Toolkit (not really hard for the iPhone 4 or older with a simple 4-digit passcode, but for the iPhone 4S/5 the device has to be jailbroken).
