SECURIMAG IOS DATA PROTECTION 1. Albin PETIT. Grenoble INP Ensimag. DRUNE (Sogeti) and Jean SIGWALD (ESEC)

Similar documents
4MMSR-Network Security Student Seminar. iphone data protection in depth

OVERCOMING ios DATA PROTECTION TO RE-ENABLE

iphone Encryption, Apple, and The Feds David darthnull.org

ios Keychain Weakness FAQ Further Information on ios Password Protection

Secure Data Storage on ios with SQLCipher OWASP The OWASP Foundation

ios Forensics: Overcoming Data Protection

Putting It (almost) all Together: ios Security. Konstantin Beznosov

ios Forensics with Open-Source Tools Andrey Belenko

ios Security ios 11 January 2018

ios Security ios 9.3 or later May 2016

Salesforce1 Mobile Security White Paper. Revised: April 2014

HACKING AND SECURING IOS APPLICATIONS

Break em and Build em ios

Breaking into the icloud Keychain. Vladimir Katalov ElcomSoft Co.Ltd. Moscow, Russia

ipad in Business Security Overview

Salesforce Mobile App Security Guide

iphone Backup 1 P a g e

COMP116 Final Project. Shuyan Guo Advisor: Ming Chow

Break em and Build em ios

What s New in Device Configuration, Deployment, and Management

ipad Settings Turn on icloud Backup Go to Settings, icloud. From here you can choose what items you want to have backed up.

WHITE PAPER. Authentication and Encryption Design

How To Reset Locked Ipod Touch To Factory Settings Without Computer

FreeMessage Secure Messaging by GMX and WEB.DE

What s New for Enterprise and Education ios 11, macos High Sierra 10.13, tvos 11, and deployment tools and services

Manual Of Ios 7.1 Beta 3 Ipsw File >>>CLICK HERE<<<

Salesforce Mobile App Security Guide

Iphone Restore Backup Files Location Windows 8.1

Smartphone Security Overview

ios Forensics: where are we now and what are we missing?

ENTERPRISE INFORMATION SECUIRTY. Apple ios Security Tyler Jeffords East Carolina University

Mobile Devices Villanova University Department of Computing Sciences D. Justin Price Spring 2014

Fix Three Common Accounting Firm Data Vulnerabilities

Guide Install Ios 7 On Iphone 4s Without Itunes >>>CLICK HERE<<<

Created by Eugene Stephens ios 8.2

Progressive Authentication in ios

Biometrics & Secure Storage in ios Jason Shapiro, Intertech

DATA DISASTER AVERTED! HOW TO BACK UP YOUR ANDROID SMARTPHONE

9L0-412 Q&As. OS X Support Essentials 10.8 Exam. Pass Apple 9L0-412 Exam with 100% Guarantee

Find My Mac. Step-by-Step Procedure. 1. Setup your icloud account from your PC or Mac computer (if you don t already have one) at:

If you require further assistance, please send an to with a detailed description of the issue you are encountering.

Password & Tutorials Packet

Face ID Security. November 2017

How To Sync Iphone Contacts To Gmail Account Without Itunes

Managing Devices and Corporate Data on ios

Factory Reset Locked Iphone 4 Without Computer

Mobile Hacking & Security. Ir. Arthur Donkers & Ralph Moonen, ITSX

ios 12: Change these privacy and security settings now

icloud History & Services Dr. Leon Chapman

NHSmail mobile configuration guide Apple iphone

VMware AirWatch Integration with Apple Configurator 2 Guide Using Apple Configurator 2 and AirWatch to simplify mass deployments

Contents. 3 Procedures. 3 ipad given to a new user. 3 Syncing. 3 Requesting a New App. 4 ipad Setup. 7 Apple ID Creation. 9 Setup Account

Integration with Apple Configurator 2. VMware Workspace ONE UEM 1902

Self Service Portal Registration - Kindred

Colligo Briefcase. for Good Technology. Administrator Guide

macos Security Checklist:

BlackBerry Dynamics Security White Paper. Version 1.6

ANDROID PRIVACY & SECURITY GUIDE ANDROID DEVICE SETTINGS

How Do I Sync My New Iphone To My Icloud. Account >>>CLICK HERE<<<

!!! ipad Support Training Student Workbook

Apple 9L OS X Support Essentials

macos Security Checklist:

ipad in Business Mobile Device Management

Conducting Technical Investigations on Apple ios. Further Reading / Study

IPHONE DEP REGISTRATION... 4 IPHONE DEP REGISTRATION... 3

Cybersecurity and Encryption 101 for Lawyers

Weak Spots Enterprise Mobility Management. Dr. Johannes Hoffmann

Itunes Won T Restore My Ipad 2 Won To Connect

Improving Password Management. Laura Raderman, Policy and Compliance Coordinator, ISO Ole Villadsen, Research Liaison, Cybersecurity, UL

Itunes Manually Install Ios 7 Beta 3 On Iphone 4

SecureDoc Disk Encryption Cryptographic Engine

How Do I Restore My Ipod Touch To Factory Settings While Its Locked

If your Mac keeps asking for the login keychain password

About 1. Chapter 1: Getting started with iphone 2. Remarks 2. Versions 2. Examples 2. Installation or Setup 2. What is iphone. 3

How To Access Iphone Backup Without Itunes Windows 7 Using

HOW TO GET YOUR iphone UP AND RUNNING

HOW TO GET YOUR iphone UP AND RUNNING

How Do I Sync My Iphone To Another Computer Without Losing Everything

Apple 9L Security Best Practices for Mac OS X v

TPS ISS ipad Setup Process. Setup your mobile Device

Casper Suite Release Notes. Version 8.7

Mobile Device Support. Jeff Dove February

Intro. This program can retrieve messages, call logs, pictures, contacts, apps, calendar events, s, passwords, deleted data, and much more.

System Security Features

Casper Suite Release Notes. Version 8.7

Go Ahead Bring Your Own Device to Work... 1 Requirements... 1

FileVault 2 Decoded. Rich Trouton Howard Hughes Medical Institute, Janelia Farm Research Campus

Phone & Tablet Housekeeping. Grand Computers Club New Technologies SIG December 16, 2015

VMware AirWatch ios Platform Guide Deploying and managing ios devices

FDE itc: Encryption Engine (EE) cpp Functional and Assurance Requirements

Relativity's mobile app Guide

Quick Heal Mobile Security. Free protection for your Android phone against virus attacks, unwanted calls, and theft.

Unified Security Platform. Security Center 5.4 Hardening Guide Version: 1.0. Innovative Solutions

Keeping Important Data Safe and Secure Online. Norm Kaufman

VMware AirWatch ios Platform Guide Deploying and managing ios devices. Workspace ONE UEM v9.4

Getting Started. Overview CHAPTER

Box Competitive Sheet January 2014

Greythorn Primary School 2014 ipad Program. (For those with an existing ipad, skip ahead to Step 4 Restrictions Passlock Setup)

Functionality Restriction Settings for ios

Quick Heal Mobile Security. Anti-Theft Security. Real-Time Protection. Safe Online Banking & Shopping.

Transcription:

SECURIMAG IOS DATA PROTECTION 1 Albin PETIT firstname.name@ensimag.fr Grenoble INP Ensimag 1 inspired by the presentation : iphone data protection in depth by Jean-Baptiste BÉ- DRUNE (Sogeti) and Jean SIGWALD (ESEC) Albin PETIT ios data protection September 27th, 2012 1 / 35

INTRODUCTION (1) WHAT ARE DATA? Text Photo Credentials Preferences Others Albin PETIT ios data protection September 27th, 2012 2 / 35

INTRODUCTION (1) WHAT ARE DATA? Text Photo Credentials Preferences Others WHERE ARE DATA? On the device On a backup In transit On icloud Albin PETIT ios data protection September 27th, 2012 2 / 35

INTRODUCTION (2) ios PROTECTIONS Passcode: Prevents casual device access Privilege Separation and Sanboxing: Limits access to system or other app data if local app compromised Code Signing: Only code of approved origins can execute Remote Wipe: Erase all data if phone is lost Encrypted Storage: Fast Remote Wipe Encrypted Backups: Protects data off the device Data Protection: Protects user s data when the device is locked Albin PETIT ios data protection September 27th, 2012 3 / 35

AGENDA 1 Data protection File protection Keychain Keybags 2 Storage Encryption ios storage itunes Backup 3 Attacks & Counter Measures Steal an ios device Escrow Keybag Steal a backup folder Bruteforce attack Keychain attack v1 Keychain attack v2 4 Demo Albin PETIT ios data protection September 27th, 2012 4 / 35

AGENDA 1 Data protection File protection Keychain Keybags 2 Storage Encryption ios storage itunes Backup 3 Attacks & Counter Measures Steal an ios device Escrow Keybag Steal a backup folder Bruteforce attack Keychain attack v1 Keychain attack v2 4 Demo Albin PETIT ios data protection September 27th, 2012 5 / 35

DATA PROTECTION OBJECTIVES Protect data at rest Encrypted data protected by user s passcode HOW IS IT WORKED? Protection classes for files and keychain items Master keys for protection classes stored encrypted in a keybag Different data availability Albin PETIT ios data protection September 27th, 2012 6 / 35

HOW IS A FILE ENCRYPTED? Albin PETIT ios data protection September 27th, 2012 7 / 35

HOW IS A FILE ENCRYPTED? File Meta Data File Key File Key : randomly generated for every file that get created Albin PETIT ios data protection September 27th, 2012 7 / 35

HOW IS A FILE ENCRYPTED? File Meta Data File Key Class Key File Key : randomly generated for every file that get created Class Key : randomly generated when a class is established Albin PETIT ios data protection September 27th, 2012 7 / 35

HOW IS A FILE ENCRYPTED? File Meta Data User Passcode Key File Key Class Key Device Key File Key : randomly generated for every file that get created Class Key : randomly generated when a class is established Albin PETIT ios data protection September 27th, 2012 7 / 35

HOW IS A FILE ENCRYPTED? File System Key File Meta Data User Passcode Key File Key Class Key Device Key File Key : randomly generated for every file that get created Class Key : randomly generated when a class is established Albin PETIT ios data protection September 27th, 2012 7 / 35

FILE SYSTEM PROTECTION Device Key User Passcode Key Class Key 1 Class Key 2 Class Key 3 Meta Data Meta Data Meta Data Meta Data Meta Data Meta Data File Key 1 File Key 2 File Key 3 File Key 4 File Key 5 File Key 6 Albin PETIT ios data protection September 27th, 2012 8 / 35

CLASS KEYS FOR FILES Availability When unlocked While locked After first unlock Always File Data Protection NSFileProtectionComplete NSFileProtectionCompleteUnlessOpen NSFileProtectionCompleteUntilFirstUserAuthentication NSFileProtectionNone Albin PETIT ios data protection September 27th, 2012 9 / 35

KEYCHAIN A SQLITE DATABASE CONTAINING Passwords Sensitive information HOW IT WORKS? Encrypted with AES 128 Every application have its own set of keychain items BUT a keychain items can be shared between apps from the same developer Keychain items are restricted by class keys Albin PETIT ios data protection September 27th, 2012 10 / 35

CLASS KEYS FOR THE KEYCHAIN Availability When unlocked Keychain Data Protection ksecattraccessiblewhenunlocked While locked After first unlock N/A ksecattraccessibleafterfirstunlock Always ksecattraccessiblealways Albin PETIT ios data protection September 27th, 2012 11 / 35

CLASS KEYS FOR THE KEYCHAIN Availability When unlocked While locked After first unlock Always Keychain Data Protection ksecattraccessiblewhenunlocked ksecattraccessiblewhenunlockedthisdeviceonly N/A ksecattraccessibleafterfirstunlock ksecattraccessibleafterfirstunlockthisdeviceonly ksecattraccessiblealways ksecattraccessiblealwaysthisdeviceonly Albin PETIT ios data protection September 27th, 2012 11 / 35

EXAMPLE OF USES Item Wi-Fi passwords IMAP/POP accounts Exchange accounts Safari passwords itunes backup passwords icloud certificates Keychain Data Protection ksecattraccessibleafterfirstunlock ksecattraccessibleafterfirstunlock ksecattraccessibleafterfirstunlock ksecattraccessiblewhenunlocked ksecattraccessiblewhenunlockedthisdeviceonly ksecattraccessiblealwaysthisdeviceonly Albin PETIT ios data protection September 27th, 2012 12 / 35

KEYBAGS (1) Collection of Class Keys 4 types of keybags System keybag Backup keybag Escrow keybag icloud Backup keybag Albin PETIT ios data protection September 27th, 2012 13 / 35

KEYBAGS (2) SYSTEM KEYBAG Stored on the device (/private/var/keybags/systembag.kb) Binary plist AES encrypted The key is changed each time the user changes the passcode ESCROW KEYBAG Used by itunes syncing & Mobile Device Management Contains all the class keys used on the device Stored on the synchronized computer Allow backup and syncing without entering passcode Encrypted by a random key Key stored on device (NSFileProtectionCompleteUntilFirstUserAuthentication) Albin PETIT ios data protection September 27th, 2012 14 / 35

KEYBAGS (3) BACKUP KEYBAG Created for each encrypted backup Holds random class keys for data in the backup Class keys are protected with a derived passcode computes from a backup password entered by user (10,000 iterations of PBKDF2) ICLOUD BACKUP KEYBAG Similar to the Backup Keybag Encrypted data is read from the device and sent to icloud Corresponding class keys are protected by icloud keys Albin PETIT ios data protection September 27th, 2012 15 / 35

Introduction Data protection S YSTEM Storage Encryption Attacks & Counter Measures Demo Conclusion KEYBAG UNLOCK Passcode UID key Key 0x835 KDF Passcode key wrapped with passcode key encrypted with the 0x835 AES unwrap Keybag IV Wrapped class key integrity check fail => wrong passcode encrypted with the 0x835 AES decrypt Class key Albin P ETIT ios data protection September 27th, 2012 16 / 35

AGENDA 1 Data protection File protection Keychain Keybags 2 Storage Encryption ios storage itunes Backup 3 Attacks & Counter Measures Steal an ios device Escrow Keybag Steal a backup folder Bruteforce attack Keychain attack v1 Keychain attack v2 4 Demo Albin PETIT ios data protection September 27th, 2012 17 / 35

Introduction I OS Data protection Storage Encryption Attacks & Counter Measures Demo Conclusion S TORAGE D ISK PARTITIONING Boot: Plog: Nvrm: Firm: Fsys: Low Level Bootloader Effaceable area Environments variables iboot, device tree and boot logos Filesystem partition boot plog block 0 block 1 nvrm firm blocks 2-7 blocks 8-15 fsys blocks 16-4084 reserved blocks 4085-4100 Figure : 16 Gb iphone 4 NAND layout Albin P ETIT ios data protection September 27th, 2012 18 / 35

PLOG PARTITION (3 ERASABLE LOCKERS) EMF! Data partition encryption key, encrypted with key 0x89B Format : Length (0x20) + AES(key89B, emfkey) DKEY NSProtectionNone Class key, wrapped with key 0x835 Allow to unwrap the System Keybag BAG1 System Keybag Key Format : Magic (BAG1) + IV + Key Allow to decrypt systembag.kb Erased at each passcode change Albin PETIT ios data protection September 27th, 2012 19 / 35

IOS 3 KEY HIERACHY UID Key 0x89B Key 0x835 EMF! Decrypt EMF Key Decrypt Saved password Data partition Decrypt Keychain-2.db Albin PETIT ios data protection September 27th, 2012 20 / 35

IOS 4 KEY HIERACHY Data partition IV Passcode Unwrap EMF Key UID Key KDF systembag.kg cprotect attr Unwrap systembag.kg NSFileProtectionNone Decrypt Decrypt Effaceable Storage EMF! Dkey BAG1 Key 0x89B Key 0x835 System Keybag (locked) Class A Key Class B Key Class C Key Class D Key Class Key... Class Key Passcode Key Unlock System Keybag (unlocked) Albin PETIT ios data protection September 27th, 2012 21 / 35

ITUNES BACKUP (1) BACKUP STORAGE One directory per backup %APPDATA%/Apple Computer/MobileSync/Backup/<udid> Can be protected by a password HOW DOES IT WORK? File content is AES-256 encrypted (if encrypted option is chosen in itunes) Password is entered by user Filenames are hashed (SHA1) A database contains all information (eg: filenames, size, permissions, attributes) Albin PETIT ios data protection September 27th, 2012 22 / 35

ITUNES BACKUP (2) Albin PETIT ios data protection September 27th, 2012 23 / 35

AGENDA 1 Data protection File protection Keychain Keybags 2 Storage Encryption ios storage itunes Backup 3 Attacks & Counter Measures Steal an ios device Escrow Keybag Steal a backup folder Bruteforce attack Keychain attack v1 Keychain attack v2 4 Demo Albin PETIT ios data protection September 27th, 2012 24 / 35

CONSULT AN IOS DEVICE ATTACK Consult an ios device not password protected COUNTER-MEASURES Set a password Erase data after n invalid passcode attempts Erase Dkey and EMF Reformat data partition Generate new system key bag Use Find My iphone to : Use location services to find it Erase data (as already mentioned) Albin PETIT ios data protection September 27th, 2012 25 / 35

BACKUP ATTACK Extract a backup and get access to all the data of the device COUNTER-MEASURES Encrypt your backup on itunes Don t give access to your computer (and consequently your backup) Albin PETIT ios data protection September 27th, 2012 26 / 35

ESCROW KEYBAG ATTACK Make a Backup without enter the passcode and put it back to the iphone COUNTER-MEASURES Don t give access to your computer Switch off your ios device when it s possible Albin PETIT ios data protection September 27th, 2012 27 / 35

BRUTEFORCE ATTACK ATTACK Try all 4-digit passcodes in root access COUNTER-MEASURES Set an arbitrary complex passcode by turning off the simple password Use a configuration profiles to force data protection Require password length and complexity Require maximum password grace Albin PETIT ios data protection September 27th, 2012 28 / 35

KEYCHAIN ATTACK V1 ATTACK Decrypt the keychain from the backup with the 0x835 key computes on the device COUNTER-MEASURES Set an arbitrary complex passcode Albin PETIT ios data protection September 27th, 2012 29 / 35

KEYCHAIN ATTACK V2 ATTACK Access to the keychain items changing the keychain access group of the applications COUNTER-MEASURES Don t jailbreak your ios device Albin PETIT ios data protection September 27th, 2012 30 / 35

AGENDA 1 Data protection File protection Keychain Keybags 2 Storage Encryption ios storage itunes Backup 3 Attacks & Counter Measures Steal an ios device Escrow Keybag Steal a backup folder Bruteforce attack Keychain attack v1 Keychain attack v2 4 Demo Albin PETIT ios data protection September 27th, 2012 31 / 35

DEMO Albin PETIT ios data protection September 27th, 2012 32 / 35

SUMMARY A COMPLEX SECURITY Data encryption on the ios device Different level of availability BUT THIS PROTECTION CAN BE COMPROMISED IF : No passcode set Wrong use of class keys (NSProtectionComplete vs NSProtectionNone) Sensitive information not saved in the keychain BootROM vulnerability ( iphone 4 & ipad 1) Albin PETIT ios data protection September 27th, 2012 33 / 35

QUESTIONS? Albin PETIT ios data protection September 27th, 2012 34 / 35

REFERENCES TALKS SSTIC 2012: Forensic ios (2012) - Jean-Baptiste BEDRUNE & Jean SIGWALD iphone data protection in depth (2011) - Jean-Baptiste BEDRUNE & Jean SIGWALD ios Forensics: Overcoming iphone Data Protection (09/2011) - Andrey Belenko Overcoming ios data protection to re-enable iphone forensics (2011) - Andrey BELENKO VIDEOS Apple WWDC 2010, Session 209 - Securing Application Data Apple WWDC 2012, Session 714 - Protecting the User s Data PAPERS ios Security (05/2012) - Apple ios Keychain Weakness FAQ (02/2012) - Jens Heider, Matthias Boll Lost iphone? Lost Passwords! (02/2011) - Jens Heider, Matthias Boll Overcoming ios data protection to re-enable iphone forensics (2011)- Andrey BELENKO WEBSITE http://www.securitylearn.net/category/iphone/ Albin PETIT ios data protection September 27th, 2012 35 / 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback