
Mining iPhones and iCloud For Data With Forensic Tools 85

SternisheFan points out an article that walks us through the process of grabbing data from iPhones and iCloud using forensic tools thought to have been employed in the recent celebrity photo leak. There are a number of ways to break into these devices and services depending on what kind of weakness an attacker has found. For example, if the attacker has possession of a target's iPhone, a simple command-line toolkit from Elcomsoft uses a jailbreak to bypass the iPhone's security. A different tool can extract iCloud data with access to a computer that has a local backup of a phone's data, or access to a computer that simply has stored credentials.

The discussion also details a method for spoofing device identification to convince iCloud to restore data to a device mimicking the target's phone. The author concludes, "Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device."
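To make the author's proposal concrete, here is an added example (not Apple's, Elcomsoft's or the article's code) of a backup protected by a second credential: the account password authenticates to the service, while a separate encryption password derives the keys, so the stored blob is useless to anyone who holds only the account credential. It uses only the Python standard library (HMAC-SHA256 in counter mode, encrypt-then-MAC) as an illustration of key separation, not as a production cipher; the function names and the sample plaintext are constructed for this example.

```python
from __future__ import annotations
import hashlib, hmac, os, struct

# Constructed example of the "second credential" idea: the backup passphrase,
# never the account password, derives the keys. Stdlib-only illustration
# (HMAC-SHA256 counter-mode keystream + HMAC tag), not a production cipher.

def derive_keys(encryption_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the backup passphrase."""
    master = hashlib.pbkdf2_hmac("sha256", encryption_password.encode(), salt, 200_000)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt_backup(plaintext: bytes, encryption_password: str) -> bytes:
    """Return salt || nonce || ciphertext || tag; the service stores only this blob."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(encryption_password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def decrypt_backup(blob: bytes, encryption_password: str) -> bytes | None:
    """Return the plaintext, or None if the passphrase is wrong or the blob was altered."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(encryption_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before touching the ciphertext
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    # Constructed sample backup content; a holder of the account password alone
    # (or a tampered blob) gets nothing back.
    blob = encrypt_backup(b"photos.db contents", "backup-passphrase")
    assert decrypt_backup(blob, "backup-passphrase") == b"photos.db contents"
    assert decrypt_backup(blob, "account-password") is None
```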

  • by SuperKendall ( 25149 ) on Thursday September 11, 2014 @12:12PM (#47882043)

    The last link (about spoofing device identification) is really just a generic warning about man in the middle attacks.

    Are there published ways to use a man-in-the-middle against iCloud?

    Also normally the backups only activate when the device is plugged in...

    • by plover ( 150551 )

      It's not really a MITM attack, it's spoofing credentials. It's copying the credential token from machine X, installing it on machine Y, then telling machine Y to connect to iCloud pretending to be machine X, and then downloading all the ancient backups in hopes they contained undeleted and unprotected juicy information.

      In the past people have used "sort-of" MITM attacks* for jailbreaking, specifically to keep your iPhone from "upgrading" itself to the new version of iOS. The jailbreakers had figured out t

      • by tlhIngan ( 30335 )

        It's not really a MITM attack, it's spoofing credentials. It's copying the credential token from machine X, installing it on machine Y, then telling machine Y to connect to iCloud pretending to be machine X, and then downloading all the ancient backups in hopes they contained undeleted and unprotected juicy information.

        You know, if you have access to their PC, doing all that to access their phone seems kinda silly. I mean, you have access to their PC. Just accessing THAT ought to get you juicy information!

        I

        • by plover ( 150551 )

          You don't need access to their PC if you have a copy of its credentials (otherwise, yes, it's a lot of effort to dig stuff out of a phone that probably could have come from the PC itself.) But who knows what kind of access you have to their PC? Perhaps you can send a corrosive DLNA packet to iTunes and get the credentials that way. Or maybe a snatch-and-grab phishing attack has only the capacity to send a few hundred bytes before it gets shut down, instead of letting you download all the juicy gigabytes o

          • by Rosyna ( 80334 )

            Just a note: iTunes does not store the credentials. In fact, iTunes doesn't need to interact with iCloud at all.

  • You mean, I would have to spoof twice? Ah well, may as well give up then.

  • by geekmux ( 1040042 ) on Thursday September 11, 2014 @12:12PM (#47882053)

    "Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device."

    I'm sorry, but this smells a lot like common sense and good security practice.

    In other words, it doesn't stand a chance getting past the don't-bother-me-with-security collective we like to call "smart" phone users.

    • You would think that with all the noise they made about their fingerprint reader that they would have an optional two-factor authentication method that uses it in addition to a password. Sure, someone could still get around that too more likely than not, but it makes it a hell of a lot more difficult than just attacking a password or being able to guess it.
      • You would think that with all the noise they made about their fingerprint reader that they would have an optional two-factor authentication method that uses it in addition to a password. Sure, someone could still get around that too more likely than not, but it makes it a hell of a lot more difficult than just attacking a password or being able to guess it.

        Think about it. I buy an iPhone with fingerprint reader. I store top secret information and back it up on iCloud. Then I drop the iPhone into the toilet and it dies, unrecoverable. I go to the store and hand over the cash for a new iPhone. At that point the backup functionality must work. It can't use the fingerprint of my old iPhone, because the new iPhone doesn't have it. All I have is the Apple ID and password.

        What could work is that you enter say your name and passport number (I mean physical passport

        • by dex22 ( 239643 )

          Yes, but you do still have the same fingertip. Unless you're worried about the common case of losing your phone and your fingertip at the same time.

          • Yes, but you do still have the same fingertip. Unless you're worried about the common case of losing your phone and your fingertip at the same time.

            Now you are being stupid. The iPhone doesn't know that it's _my_ fingerprint. It only knows that it's the fingerprint of the person who programmed their fingerprint into the iPhone. So if _I_ can buy a brand new iPhone, program it with my fingerprint, enter my AppleID and password and perform a restore, then any scammer who knows my AppleID and password can buy a brand new iPhone, program it with his or her fingerprint, enter my AppleID and password and perform a restore. In other words, this isn't giving

      • by mlts ( 1038732 )

        That is the only reason why last year I went to the 5S. I was thinking Apple would let apps use it as an authentication tool.

        That way, I could have an app that groks OpenPGP packets, and can allow the private key to be unlocked at the start of the session, while the fingerprint is used to validate that a request for signing/decrypting with the key is one that has some authorization with it. Since the passphrase is cached, the weakened security during that session isn't that great, and it would stop someon

      • by tlhIngan ( 30335 )

        by alvinrod (889928) on Thursday September 11, 2014 @10:26AM (#47882185)

        You would think that with all the noise they made about their fingerprint reader that they would have an optional two-factor authentication method that uses it in addition to a password. Sure, someone could still get around that too more likely than not, but it makes it a hell of a lot more difficult than just attacking a password or being able to guess it.

        Except Apple knows fingerprint readers are ineffective for s

  • by Rich0 ( 548339 ) on Thursday September 11, 2014 @12:14PM (#47882071) Homepage

    Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device.

    I forgot my iPhone password, and those lousy Apple folks refused to reset it for me. They just said some kind of technobabble about encryption and security. Why did they make iPhones harder to use? Isn't Apple supposed to be easy to figure out?

    You can't have it both ways. I encrypt all my sensitive data that I back up to the cloud, but I also keep copies of the key in safe places so that when my house burns down I don't lose access to my offsite backups along with it. I wouldn't expect the average iCloud user to appreciate the need for this, and neither does Apple, so their backups aren't encrypted.

    • When you connect an iOS device to iTunes, one of the options is "encrypt backup"

      Unfortunately, this option doesn't seem to be available to backups via ios. :(

      (Just checked on my iPhone running iOS 8 GM)

    • by AmiMoJo ( 196126 )

      There are plenty of easy options for recovering from the loss of a device when using 2 factor authentication. Google will let you use other trusted devices for recovery or send an SMS text message to your new phone. Since you will probably want to get a duplicate SIM card with the same phone number anyway your new device could be used to authenticate immediately.

      This is a long solved problem. I have no idea why Apple doesn't do it.

  • by ByTor-2112 ( 313205 ) on Thursday September 11, 2014 @12:14PM (#47882075)

    ... would end up being the same as the account password. Or just add a one. Not the answer.

  • by gnasher719 ( 869701 ) on Thursday September 11, 2014 @12:26PM (#47882181)

    The discussion also details a method for spoofing device identification to convince iCloud to restore data to a device mimicking the target's phone.

    I checked the link, and it does no such thing. The article is about fake Wifi hotspots. Such a fake Wifi hotspot could of course cause all kinds of trouble (basically it can read WiFi traffic that you thought was encrypted), but it doesn't allow anyone to convince iCloud of anything.

    • The article is about fake Wifi hotspots.

      I don't think it was even that simple. I didn't read the article in detail because it seemed dumb, but the author seemed to be talking about spoofing a trusted destination for WiFi iPhone backups.

      So if you set up your iPhone to sync over WiFi, and if you connect to a compromised WiFi network, and *if* that network has a machine that manages to spoof the computer that you sync your iPhone to, the iPhone will sync to that computer instead, which might sync sensitive information.

      That's a very special set of

      • by AmiMoJo ( 196126 )

        Elcomsoft makes software that spoofs an iPhone. If you know the user's account name and password it can log in to their iCloud account and download stuff not normally accessible to the user, like app data and photos not visible in the web interface.

        Guessing the user name and password is not that hard. A fake WiFi spot can probably gather at least the user name in plain text, and Apple allowed infinite rapid guesses of the password. Once you have one person's account you can get their contact list, and the e

        • If you know the user's account name and password it can log in to their iCloud account

          And then you're pretty much screwed right there, regardless.

          A fake WiFi spot can probably gather at least the user name in plain text

          I wouldn't bet on that. Apple should be passing credentials over SSL. However, given that the username is the same as your email address, it's not impossible for people to find that out.

          Apple allowed infinite rapid guesses of the password

          Well.... no. They allowed an indefinite number of guesses, or an unlimited number of guesses, but not an infinite number of guesses. It may seem like I'm just being picky with word choice, but if they allowed an infinite number of guesses (somehow) then all of t

  • Take the Elcomsoft tool mentioned. It requires for example "The target's iCloud password - by them volunteering it, through a phishing attack, or by gaining access through other social engineering."

    These tools don't do anything cryptographically clever. If you have a victim's iCloud password, they are cracked. All this tool does is to make it easy to download all the data and to examine the data, once the account is cracked. It doesn't do anything about the cracking.
  • I just double checked and the same old attack still works on iCloud. If you forget your password, you can reset it in either of two ways. Either they can email you a new password, or you can answer the challenge questions. So let's get into Miley Cyrus's account.

    https://www.google.com/?q=mile... [google.com]
    Her mother's maiden name is Finley

    https://www.google.com/?q=mile... [google.com]
    Her first pet was named Cocoa.

    There you go, now we can reset her iCloud password and Miley's naked pictures. [voice style="ben-stein"]Wow[/voice]

    • Except now when you try that MLC gets an email saying someone is requesting her password to be recovered, and can just change it.

      • One night, I change her password. I log into her account, and download everything. She's twerking while I do this. I can either parlay this to email access or run the same attack against gmail. I use the access to her email to reset every other password she has - Facebook, etc. If I want to, I can use her icloud credentials to lock her out of her phone for a while. The next morning, she reads her email and finds out that I reset her password - but only if I haven't deleted that email, while I was s

  • I feel like the age of the security question is slowly becoming more obsolete due to the sheer amount of facts of our lives that are made public (also any question that revolves around your favorite x is subject to change, making it incredibly difficult to answer these questions if the configuration was done a few years in the past). Either that or they have to become more obscure/tricky. Like in the way that pub quizzes have had to become more clever to prevent people cheating with their smart phones. Which
  • by Ronin Developer ( 67677 ) on Thursday September 11, 2014 @01:25PM (#47882703)

    to the fact that items thought deleted were showing up in the backups. That, to me, is the most disturbing part of this story. Yes, I READ BOTH articles. The second one, as others noted, was focused on WiFi spoofing. The first detailed the use of forensic tools to access the information in the backups.

    Of course, to gain access to any of this information, the author had to have physical access to the phone and jailbreak the device as well as knowing the iCloud password. And, the exploits he discussed were against older hardware and the obsolete iOS 5.1. He had no success against iOS 7 on the iPhone 5s.

    As I stated earlier, knowing that so much still existed AFTER supposedly deleting it (such as mailboxes, pictures, call history) is a real issue and one that needs to be publicly addressed by Apple.

    • There is some evidence that the data was collected over a long time. It is quite possible that data was stolen long before it was deleted.

      And yes, it is entirely possible to think you deleted photos and they are in a backup. Or not actually a backup, but just stored in iCloud. If you take tons of photos with multiple devices, you can store them all in iCloud. But you will for example remove lots of photos from your 16GB phone but keep them on your 128GB tablet. So if you delete photos from your phone, th
      • And of course the intent of a backup system is among other things to keep data that was deleted by mistake - how can iCloud know if you deleted something by mistake or not?

        This.

        That is precisely why I have set our work backup software to not erase "Deleted" files from our backups. Instead, the backup software just sends me a reminder every month to review the deleted files (which I will do when storage-space or backup-time becomes a problem). Until then, it is pretty cheap insurance against tears...

  • People were doing that in the late '80s/early '90s with analog cell phones, so nothing new here. Once you have physical access it's mostly game over...

    But why didn't FindMyiphone time out after, let's say, 3 or 5 attempts? That's just sloppy...
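The lockout the post above asks for, as an added example that is not part of the original thread or of any Apple service: after a small number of free failures, each further failure doubles a per-account lockout window, and a successful sign-in resets it. The class, the thresholds and the sample attempt sequence are constructed for this illustration.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed example: per-account throttling of sign-in attempts. After
# MAX_FREE_FAILURES, every further failure doubles the lockout window;
# attempts made while locked are refused without even being verified.
MAX_FREE_FAILURES = 3
BASE_LOCKOUT_SECONDS = 60

class LoginThrottle:
    def __init__(self) -> None:
        self.failures: dict[str, int] = defaultdict(int)
        self.locked_until: dict[str, float] = defaultdict(float)

    def check(self, account: str, now: float, success: bool) -> str:
        """Record one attempt at time `now` (seconds); return 'locked', 'ok' or 'failed'."""
        if now < self.locked_until[account]:
            return "locked"                     # refused; does not count as a failure
        if success:
            self.failures[account] = 0          # a real login clears the history
            self.locked_until[account] = 0.0
            return "ok"
        self.failures[account] += 1
        excess = self.failures[account] - MAX_FREE_FAILURES
        if excess > 0:                          # 60 s, 120 s, 240 s, ...
            self.locked_until[account] = now + BASE_LOCKOUT_SECONDS * 2 ** (excess - 1)
        return "failed"

def replay(attempts: list[tuple[str, float, bool]]) -> list[str]:
    """Run a sequence of (account, time, success) attempts through one throttle."""
    throttle = LoginThrottle()
    return [throttle.check(account, t, ok) for account, t, ok in attempts]

# Constructed sample: a rapid guessing run against one account, then the real user.
SAMPLE = [("alice", 0, False), ("alice", 1, False), ("alice", 2, False),
          ("alice", 3, False),    # 4th failure: locked until t=63
          ("alice", 4, False),    # refused while locked
          ("alice", 70, False),   # 5th failure: locked until t=190
          ("alice", 100, True),   # correct password, but still locked
          ("alice", 200, True)]   # lock expired, success resets the counters

if __name__ == "__main__":
    print(replay(SAMPLE))
```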

  • Once your data leaves your direct physical possession, it's no longer yours.

    You either better hope that you're not interesting or any encryption lasts for the lifetime of the data, neither of which is forever.

    What was the saying a decade or so ago? "Don't publish it if you don't want to see it on the front page of tomorrow's newspaper."

    (For you youngsters: "Newspaper", noun: a massively printed and delivered blog written by multiple people that other people paid for.)
  • Cool
