Mining iPhones and iCloud For Data With Forensic Tools 85
A reader points out an article that walks us through the process of using forensic tools to grab data from iPhones and iCloud using forensic tools thought to have been employed in the recent celebrity photo leak. There are a number of ways to break into these devices and services depending on what kind of weakness an attacker has found. For example, if the attacked has possession of a target's iPhone, a simple command-line toolkit from Elcomsoft uses a jailbreak to bypass the iPhone's security. A different tool can extract iCloud data with access to a computer that has a local backup of a phone's data, or access to a computer that simply has stored credentials.
The discusses also details a method for spoofing device identification to convince iCloud to restore data to a device mimicking the target's phone. The author concludes, "Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device."
The discusses also details a method for spoofing device identification to convince iCloud to restore data to a device mimicking the target's phone. The author concludes, "Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device."
Re:No no no... (Score:5, Interesting)
Given the exploit requires the installation of a jailbreak, it's not actually going to work unless you already have the user's security code - the device needs to be unlocked in order to install the jailbreak.
I do think Apple was a bit disingenuous regarding the "bad passwords" used by celebrities, given the iBrute tool apparently was able to keep trying different passwords against Find My iPhone without any sort of delay - a shortcoming Apple apparently fixed a few days back.
Re:No no no... (Score:5, Insightful)
I do think Apple was a bit disingenuous regarding the "bad passwords" used by celebrities, given the iBrute tool apparently was able to keep trying different passwords against Find My iPhone without any sort of delay - a shortcoming Apple apparently fixed a few days back.
First, I don't think that it's known that the accounts were compromised with iBrute. People made the connection because the leak happened shortly after iBrute was announced, but there have been many suggestions that the photos had been acquired months or years before that. That makes it pretty unlikely that the accounts were accessed using iBrute. And Apple seems to deny that the accounts were accessed by exploiting "Find My iPhone".
Second, their comment about "bad passwords" is valid regardless, and would be valid even if the passwords had been accessed through brute force attacks. Brute force attack mitigation is specifically helpful in protecting accounts with weak passwords. If your password is strong enough, a brute force attack should still take a prohibitively long time to succeed.
From what I've been reading, it seems most likely that only some of these photos came from compromised iCloud accounts, and those accounts were probably not compromised due to an exploit of iCloud's service. There was just a news story about 5 million Gmail passwords being leaked, but it doesn't seem that it was from a exploit of Google's services either. Most likely, they were all acquired by phishing, or other non-technical attacks.
Re: (Score:2)
From what I've been reading, it seems most likely that only some of these photos came from compromised iCloud accounts, and those accounts were probably not compromised due to an exploit of iCloud's service.
As I understand it (and I may be wrong), the accounts were accessed by abusing the "forgot my password" service. Resetting someone's Apple account password on them is notoriously easy, and it would make sense that's the way the hackers did it. I thought they didn't blame "weak passwords" so much as they blamed "weak security question answers" that the "hacker" guessed the answers to.
Then again, I may be misremembering or misreading the stories, I'm not sure if the actual details have been made public.
Re: (Score:2)
As I understand it (and I may be wrong), the accounts were accessed by abusing the "forgot my password" service.
I hadn't heard this exactly, but Apple's public statement did include a mention of security questions. Their statement [apple.com] was pretty vague. They say that there was "a very targeted attack on user names, passwords and security questions".
Still, that's not really an exploit of iCloud's service. If they chose security questions that someone could find the answer to, I wouldn't consider that an iCloud exploit. I do think that the use of security questions should be reevaluated, but they're a pretty standard p
Re: (Score:2)
Still, that's not really an exploit of iCloud's service. If they chose security questions that someone could find the answer to, I wouldn't consider that an iCloud exploit. I do think that the use of security questions should be reevaluated, but they're a pretty standard practice these days. Even if someone forces a reset of your password, under normal circumstances you should notice that the password has changed the next time you log in.
What people don't seem to understand is that you don't have to answer those security questions honestly. It just has to be something that you will remember of something that you can store in your password manager application.
Re: (Score:2)
Re: (Score:2)
The worst thing about answering security questions honestly is that other people can get the information. The second worst thing is that I can never remember what I actually wrote. First pet? I remember that cat distinctly, and can tell lots of stories about him. His name changed over time, as different people called him different things. First address? There's several ways to write it (not to mention that it acquired a zip code while I lived there). I can't remember which way I used.
Re: No no no... (Score:2)
That's not entirely true. There's a way to jailbreak a locked iPhone by booting into DFU mode and replacing the key chain with a clean one. Then you can jailbreak it as if it were an unlocked iphone. The downside to this method is that you can't harvest any of the encrypted logins and passwords stored on the device, but you do gain access to the user section of the filesystem.
Re: (Score:2)
This is incorrect. If you boot the iPhone into DFU mode, you can replace the device's keychain and then jailbreak it from there. This method means you won't be able to decrypt any of the stored passwords on the phone but you do gain access to the user portion of the filesystem.
Re:No no no... (Score:4, Insightful)
I skimmed the article, so I may have missed something, but the attacks that they're talking about generally entail having physical access to the phone, offline access to the phone's backup, phishing for passwords, or WiFi man-in-the-middle attacks *if* you can manage to spoof a computer that the iPhone trusts.
Which is to say, these aren't tremendous vulnerabilities on Apple's part. An attacker might be able to pull off a brute-force attack on your encrypted password-protected iPhone backup if they have an offline copy, if the password is weak. Well golly! Everyone better stop using their iPhone right away.
Last link suspect (Score:3)
The last link (about spoofing device identification) is really just a generic warning about man in the middle attacks.
Are there published ways to use a man-in-the-middle against iCloud?
Also normally the backups only activate when the device is plugged in...
Re: (Score:2)
It's not really a MITM attack, it's spoofing credentials. It's copying the credential token from machine X, installing it on machine Y, then telling machine Y to connect to iCloud pretending to be machine X, and then downloading all the ancient backups in hopes they contained undeleted and unprotected juicy information.
In the past people have used "sort-of" MITM attacks* for jailbreaking, specifically to keep your iPhone from "upgrading" itself to the new version of iOS. The jailbreakers had figured out t
Re: (Score:2)
You know, if you have access to their PC, doing all that to access their phone seems kinda silly. I mean, you have access to their PC. Just accessing THAT ought to get you juicy information!
I
Re: (Score:2)
You don't need access to their PC if you have a copy of its credentials (otherwise, yes, it's a lot of effort to dig stuff out of a phone that probably could have come from the PC itself.) But who knows what kind of access you have to their PC? Perhaps you can send a corrosive DLNA packet to iTunes and get the credentials that way. Or maybe a snatch-and-grab phishing attack has only the capacity to send a few hundred bytes before it gets shut down, instead of letting you download all the juicy gigabytes o
Re: (Score:2)
Just a note: iTunes does not store the credentials. In fact, iTunes doesn't need to interact with iCloud at all.
a second credential... (Score:1)
You mean, I would have to spoof twice? Ah well, may as well give up then.
That almost smells like... (Score:3)
""Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device."
I'm sorry, but this smells a lot like common sense and good security practice.
In other words, it doesn't stand a chance getting past the don't-bother-me-with-security collective we like to call "smart" phone users.
Re: (Score:2)
Re: (Score:3)
You would think that with all the noise they made about their fingerprint reader that they would have an optional two-factor authentication method that uses in in addition to a password. Sure, someone could still get around that too more likely than not, but it makes it hell of a lot more difficult than just attacking a password or being able to guess it.
Think about it. I buy an iPhone with fingerprint reader. I store top secret information and back it up on iCloud. The I drop the iPhone into the toilet and it dies, unrecoverable. I go to the store and hand over the cash for a new iPhone. At that point the backup functionality must work. It can't use the fingerprint of my old iPhone, because the new iPhone doesn't have it. All I have is the Apple ID and password.
What could work is that you enter say your name and passport number (I mean physical passport
Re: (Score:3)
Yes, but you do still have the same fingertip. Unless you're worried about the common case of losing your phone and your fingertip at the same time.
Re: (Score:3)
If they abstract the fingertip so there's a granular range of maybe 10,000 possibilities, it would have the same security as a 4 digit pin and an attacker would only have a 1:10,000 chance per attempt of hacking the fingerprint. That's within the realm of being anonymous enough to not exclusively identify, yet difficult enough to not easily reproduce. It's also a course enough granulation that a person can achieve the same result with their same fingerprint on a new phone.
It looks like we're in violent agre
Re: (Score:2)
Indeed.
It seems contrary of us as an audience to find so much difficulty with solving these problems. Yet at the same time we're roundly condemn Apple for their solution that has, so far, worked for over 99.999% of users. It's easy for us to throw stones, but when we look at what they have done and how they can improve it, it turns into a scrappy brawl of slashdottian proportions. :)
As a peanut gallery, we are a tough crowd ;)
Re: (Score:3)
Yes, but you do still have the same fingertip. Unless you're worried about the common case of losing your phone and your fingertip at the same time.
Now you are being stupid. The iPhone doesn't know that it's _my_ fingerprint. It only knows that it's the fingerprint of the person who programmed their fingerprint into the iPhone. So if _I_ can buy a brand new iPhone, program it with my finger print, enter my AppleID and password and perform a restore, then any scammer who knows my AppleID and password can buy a brand new iPhone, program it with his or her finger print, enter my AppleID and password and perform a restore. In other words, this isn't giving
Re: (Score:2)
That is the only reason why last year I went to the 5S. I was thinking Apple would let apps use it as an authentication tool.
That way, I could have an app that groks OpenPGP packets, and can allow the private key to be unlocked at the start of the session, while the fingerprint is used to validate that a request for signing/decrypting with the key is one that has some authorization with it. Since the passphrase is cached, the weakened security during that session isn't that great, and it would stop someon
Apps can use reader in iOS8 (Score:2)
That is the only reason why last year I went to the 5S. I was thinking Apple would let apps use it as an authentication tool.
iOS8 provides for exactly that.
Re: (Score:2)
Except Apple knows fingerprint readers are ineffective for s
Security vs Recoverability (Score:4, Insightful)
Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device.
I forgot my iPhone password, and those lousy Apple folks refused to reset it for me. They just said some kind of technobabble about encryption and security. Why did they make iPhones harder to use? Isn't Apple supposed to be easy to figure out?
You can't have it both ways. I encrypt all my sensitive data that I back up to the cloud, but I also keep copies of the key in safe places so that when my house burns down I don't lose access to my offsite backups along with it. I wouldn't expect the average iCloud user to appreciate the need for this, and neither does Apple, so their backups aren't encrypted.
Re: (Score:2)
Well, encrypting stuff isn't necessarily hard. What gets hard is managing the keys when you do it competently.
If you just take somebody's screen lock PIN, hash it, and use it as the key, well, that would be trivial to crack which is why android's built-in encryption is useless.
Likewise, if you want to keep things secure but allow for users to forget their passphrase, that isn't easy either.
Re: (Score:2)
When you connect an iOS device to iTunes, one of the options is "encrypt backup"
Unfortunately, this option doesn't seem to be available to backups via ios. :(
(Just checked on my iPhone runnjng ios8 GM)
Re: (Score:2)
There are plenty of easy options for recovering from the loss of a device when using 2 factor authentication. Google will let you use other trusted devices for recovery or send an SMS text message to your new phone. Since you will probably want to get a duplicate SIM card with the same phone number anyway your new device could be used to authenticate immediately.
This is a long solved problem. I have no idea why Apple doesn't do it.
Secondary password... (Score:3)
... would end up being the same as the account password. Or just add a one. Not the answer.
Re: (Score:2)
Re: (Score:2)
Oh, the fools! If only they'd built it. with 6001 hulls! When will they learn?
Re: (Score:2)
Not true. (Score:3)
The discusses also details a method for spoofing device identification to convince iCloud to restore data to a device mimicking the target's phone.
I checked the link, and it does no such thing. The article is about fake Wifi hotspots. Such a fake Wifi hotspot could of course cause all kinds of trouble (basically it can read WiFi traffic that you thought was encrypted), but it doesn't allow anyone to convince iCloud of anything.
Re: (Score:3)
The article is about fake Wifi hotspots.
I don't think it was even that simple. I didn't read the article in detail because it seemed dumb, but the author seemed to be talking about spoofing a trusted destination for WiFi iPhone backups.
So if you set up your iPhone to sync over WiFi, and if you connect to a compromised WiFi network, and *if* that network has a machine that manages to spoof the computer that you sync your iPhone to, the iPhone will sync to that computer instead, which might sync sensitive information.
That's a very special set of
Re: (Score:2)
Elcomsoft makes software that spoofs an iPhone. Of you know the user's account name and password it can log in to their iCloud account and download stuff not normally accessible to the user, like app data and photos not visible in the web interface.
Guessing the user name and password is not that hard. A fake WiFi spot can probably gather at least the user name in plain text, and Apple allowed infinite rapid guesses of the password. Once you have one person's account you can get their contact list, and the e
Re: (Score:2)
Of you know the user's account name and password it can log in to their iCloud account
And then you're pretty much screwed right there, regardless.
A fake WiFi spot can probably gather at least the user name in plain text
I wouldn't bet on that. Apple should be passing credentials over SSL. However, given that the username is the same as your email address, it's not impossible for people to find that out.
Apple allowed infinite rapid guesses of the password
Well.... no. They allowed an indefinite number of guesses, or an unlimited number of guesses, but not an infinite number of guesses. It may seem like I'm just being picky with word choice, but it they allowed an infinite number of guesses (somehow) then all of t
And the forensic tools... (Score:2)
These tools don't do anything cryptographically clever. If you have a victim's iCloud password, they are cracked. All this tool does is to make it easy to download all the data and to examine the data, once the account is cracked. It doesn't do anything about the cracking.
Easier way. Miley's mother's maiden name is Finley (Score:2)
I just double checked and the same old attack still works on iCloud. If you forget your password, you can reset it in either of two ways. Either they can email you a new password, or you can answer the challenge questions. So let's get into Miley Cyrus's account.
https://www.google.com/?q=mile... [google.com]
Her mother's maiden name is Finley
https://www.google.com/?q=mile... [google.com]
Her first pet was named Cocoa.
There you go, now we can reset her iCloud password and Miley's naked pictures. [voice style="ben-stein"]Wow[/voice]
Not any more (Score:2)
Except now when you try that MLC gets an email saying someone is requesting her password to be recovered, and can just change it.
after the party,when it's too late (Score:2)
One night, I change her password. I log into her account, and download everything. She's twerking while I do this. I can either parlay this to email access or run the same attack against gmail. I use the access to her email to reset every other password she hhas - Facebook, etc. If I want to, I can use her icloud credentials to lock her out of her phone for a while. The next morning, she reads her email and finds out that I reset her password- but only if I haven't deleted that email,while I was s
Pub quizzes! (Score:1)
Apple should answer... (Score:3)
to the fact that items thought deleted were showing up in the backups. That, to me, is the most disturbing part of this story. Yes, I READ BOTH articles. The second one, as others noted, was focused on WiFi spoofing. The first detailed the use of forensic tools to access the information in the backups.
Of course, to gain access to any of this information, the author had to have physical access to the phone and jailbreak the device as well as a knowing the iCloud password. And, the exploits he discussed were against older hardware and the obsolete iOS 5.1 He had no success against against iOS 7 on the iPhone 5s.
As I stated earlier, knowing that so much still existed AFTER supposedly deleting it (such as mailboxes, pictures, call history) is a real issue and one that needs to be publicly addressed by Apple.
Re: (Score:2)
And yes, it is entirely possible to think you deleted photos and they are in a backup. Or not actually a backup, but just stored in iCloud. If you take tons of photos with multiple devices, you can store them all in iCloud. But you will for example remove lots of photos from your 16GB phone but keep them on your 128GB tablet. So if you delete photos from your phone, th
Re: (Score:1)
And of course the intent of a backup system is among other things to keep data that was deleted by mistake - how can iCloud know if you deleted something by mistake or not?
This.
That is precisely why I have set our work backup software to not erase "Deleted" files from our backups. Instead, the backup software just sends me a reminder every month to review the deleted files (which I will do when storage-space or backup-time becomes a problem). Until then, it is pretty cheap insurance against tears...
Re: (Score:1)
goto fail; goto fail;
So you design a better, practical system.
Re: Clueless Apple (Score:1)
You do realize, of course, just how ridiculous you sound at this point?
Device spoofing (Score:2)
People were doing that in the late '80/early '90s with analog cell phones, so nothing new here. Once you have physical access it's mostly game over...
But why didn't FindMyiphone timeout after let's says, 3 or 5 attempts? that's just sloppy...
Re: (Score:2)
Timeout, not lock out.
Mining Data With Forensic Tools (Score:2)
You either better hope that you're not interesting or any encryption lasts for the lifetime of the data, neither of which is forever.
What was the saying a decade or so ago? "Don't publish it if you don't want to see it on the front page of tomorrows' newspaper."
(For you youngsters: "Newspaper", noun: a massively printed and delivered blog written by multiple people that other people paid for.)
allow myself to introduce...... myself (Score:1)
Cool (Score:1)