SECURIMAG
IOS DATA PROTECTION [1]

Albin PETIT, firstname.name@ensimag.fr
Grenoble INP Ensimag

[1] Inspired by the presentation "iPhone data protection in depth" by Jean-Baptiste BÉDRUNE (Sogeti) and Jean SIGWALD (ESEC).

Albin PETIT, iOS data protection, September 27th, 2012 (1 / 35)
INTRODUCTION (1)

WHAT ARE DATA?
- Text
- Photos
- Credentials
- Preferences
- Others

WHERE ARE DATA?
- On the device
- On a backup
- In transit
- On iCloud
INTRODUCTION (2)

iOS PROTECTIONS
- Passcode: prevents casual device access
- Privilege separation and sandboxing: limits access to system data or other apps' data if a local app is compromised
- Code signing: only code of approved origins can execute
- Remote wipe: erases all data if the phone is lost
- Encrypted storage: makes remote wipe fast
- Encrypted backups: protect data off the device
- Data protection: protects the user's data when the device is locked
AGENDA
1 Data protection
  - File protection
  - Keychain
  - Keybags
2 Storage encryption
  - iOS storage
  - iTunes backup
3 Attacks & counter measures
  - Steal an iOS device
  - Escrow keybag
  - Steal a backup folder
  - Bruteforce attack
  - Keychain attack v1
  - Keychain attack v2
4 Demo
DATA PROTECTION

OBJECTIVES
- Protect data at rest
- Encrypted data protected by the user's passcode

HOW DOES IT WORK?
- Protection classes for files and keychain items
- Master keys for the protection classes are stored encrypted in a keybag
- Different levels of data availability
HOW IS A FILE ENCRYPTED?

[Figure: File System Key, File Meta Data, File Key, Class Key, User Passcode Key, Device Key. The File Key lives in the file's metadata, protected by a Class Key; the Class Key is protected by the User Passcode Key and the Device Key.]

- File Key: randomly generated for every file that gets created
- Class Key: randomly generated when a class is established
FILE SYSTEM PROTECTION

[Figure: key hierarchy. Device Key + User Passcode Key -> Class Key 1, Class Key 2, Class Key 3 -> Meta Data of each file -> File Key 1 ... File Key 6.]
CLASS KEYS FOR FILES

Availability          File Data Protection
When unlocked         NSFileProtectionComplete
While locked          NSFileProtectionCompleteUnlessOpen
After first unlock    NSFileProtectionCompleteUntilFirstUserAuthentication
Always                NSFileProtectionNone
KEYCHAIN

A SQLITE DATABASE CONTAINING
- Passwords
- Sensitive information

HOW DOES IT WORK?
- Encrypted with AES-128
- Every application has its own set of keychain items, BUT keychain items can be shared between apps from the same developer
- Keychain items are restricted by class keys
CLASS KEYS FOR THE KEYCHAIN

Availability          Keychain Data Protection
When unlocked         kSecAttrAccessibleWhenUnlocked
                      kSecAttrAccessibleWhenUnlockedThisDeviceOnly
While locked          N/A
After first unlock    kSecAttrAccessibleAfterFirstUnlock
                      kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
Always                kSecAttrAccessibleAlways
                      kSecAttrAccessibleAlwaysThisDeviceOnly
EXAMPLE OF USES

Item                      Keychain Data Protection
Wi-Fi passwords           kSecAttrAccessibleAfterFirstUnlock
IMAP/POP accounts         kSecAttrAccessibleAfterFirstUnlock
Exchange accounts         kSecAttrAccessibleAfterFirstUnlock
Safari passwords          kSecAttrAccessibleWhenUnlocked
iTunes backup passwords   kSecAttrAccessibleWhenUnlockedThisDeviceOnly
iCloud certificates       kSecAttrAccessibleAlwaysThisDeviceOnly
KEYBAGS (1)
- A keybag is a collection of class keys
- 4 types of keybags:
  - System keybag
  - Backup keybag
  - Escrow keybag
  - iCloud Backup keybag
KEYBAGS (2)

SYSTEM KEYBAG
- Stored on the device (/private/var/keybags/systembag.kb)
- Binary plist, AES encrypted
- The key is changed each time the user changes the passcode

ESCROW KEYBAG
- Used by iTunes syncing & Mobile Device Management
- Contains all the class keys used on the device
- Stored on the synchronized computer
- Allows backup and syncing without entering the passcode
- Encrypted by a random key
- That key is stored on the device (NSFileProtectionCompleteUntilFirstUserAuthentication)
KEYBAGS (3)

BACKUP KEYBAG
- Created for each encrypted backup
- Holds random class keys for the data in the backup
- Class keys are protected with a key derived from a backup password entered by the user (10,000 iterations of PBKDF2)

ICLOUD BACKUP KEYBAG
- Similar to the Backup keybag
- Encrypted data is read from the device and sent to iCloud
- The corresponding class keys are protected by iCloud keys
KEYBAG UNLOCK

[Figure: keybag unlock flow.
 Passcode + UID key -> KDF -> Passcode key
 Keybag entry: IV + class key wrapped with the passcode key, then encrypted with key 0x835
 AES unwrap with the passcode key; integrity check fail => wrong passcode
 AES decrypt with key 0x835 -> Class key]
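The unwrap step of this diagram, as an added example in Go that is not part of the presentation or of any Apple or iphone-dataprotection code: RFC 3394 AES key unwrap, the operation whose integrity check tells a wrong passcode from a right one. The RFC 3394 section 4.1 test vector stands in for a wrapped class key and its passcode key; the KDF from passcode and UID key, and the 0x835 decryption that follows, are not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrIntegrity: the unwrapped integrity register is not A6A6A6A6A6A6A6A6.
// For a keybag this is exactly how a wrong passcode is detected.
var ErrIntegrity = errors.New("key unwrap integrity check failed: wrong passcode key")

// aesUnwrap is RFC 3394 AES key unwrap: kek is the passcode key (or key 0x835),
// wrapped is the 8*(n+1)-byte wrapped class key as stored in the keybag.
func aesUnwrap(kek, wrapped []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil || len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("bad KEK or wrapped-key length")
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...) // integrity register A
	r := append([]byte(nil), wrapped[8:]...) // R[1..n]
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			// B = AES^-1(kek, (A xor t) || R[i]) with t = n*j+i; A = MSB64(B), R[i] = LSB64(B)
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a)^uint64(n*j+i))
			copy(buf[8:], r[8*(i-1):8*i])
			block.Decrypt(buf, buf)
			copy(a, buf[:8])
			copy(r[8*(i-1):8*i], buf[8:])
		}
	}
	if !bytes.Equal(a, []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}) {
		return nil, ErrIntegrity // wrong passcode key: no class key is released
	}
	return r, nil
}

func mustHex(s string) []byte { b, _ := hex.DecodeString(s); return b }

func main() {
	// Constructed keybag entry: the RFC 3394 section 4.1 test vector stands in for a class key wrapped under the passcode key 000102...0f (not a real iOS keybag).
	wrappedClassKey := mustHex("1fa68b0a8112b447aef34bd8fb5a7b829d3e862371d2cfe5")
	classKey, err := aesUnwrap(mustHex("000102030405060708090a0b0c0d0e0f"), wrappedClassKey)
	fmt.Printf("right passcode key: class key = %x (err: %v)\n", classKey, err)
	_, err = aesUnwrap(mustHex("000102030405060708090a0b0c0d0e00"), wrappedClassKey) // last byte wrong
	fmt.Println("wrong passcode key:", err)
}
```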
STORAGE: DISK PARTITIONING

Partition   Blocks            Content
boot        block 0           Low Level Bootloader
plog        block 1           Effaceable area
nvrm        blocks 2-7        Environment variables
firm        blocks 8-15       iBoot, device tree and boot logos
fsys        blocks 16-4084    Filesystem partition
reserved    blocks 4085-4100

Figure: 16 GB iPhone 4 NAND layout
PLOG PARTITION (3 ERASABLE LOCKERS)

EMF!
- Data partition encryption key, encrypted with key 0x89B
- Format: Length (0x20) + AES(key89B, emfkey)

DKEY
- NSFileProtectionNone class key, wrapped with key 0x835
- Allows unwrapping the System keybag

BAG1
- System keybag key
- Format: Magic (BAG1) + IV + Key
- Allows decrypting systembag.kb
- Erased at each passcode change
IOS 3 KEY HIERARCHY

[Figure: UID key -> Key 0x89B and Key 0x835. Key 0x89B decrypts EMF! -> EMF key -> decrypts the Data partition. Key 0x835 decrypts the saved passwords in Keychain-2.db.]
IOS 4 KEY HIERARCHY

[Figure: UID key -> Key 0x89B and Key 0x835. Effaceable Storage holds EMF!, Dkey and BAG1. Key 0x89B decrypts EMF! -> EMF key -> decrypts the Data partition. Key 0x835 unwraps Dkey -> NSFileProtectionNone key -> unwraps the cprotect attribute of systembag.kb; BAG1 (IV + key) decrypts systembag.kb -> System keybag (locked). Passcode + UID key -> KDF -> Passcode key -> unlock -> System keybag (unlocked): Class A key, Class B key, Class C key, Class D key, ...]
ITUNES BACKUP (1)

BACKUP STORAGE
- One directory per backup: %APPDATA%/Apple Computer/MobileSync/Backup/<udid>
- Can be protected by a password

HOW DOES IT WORK?
- File content is AES-256 encrypted (if the encryption option is chosen in iTunes); the password is entered by the user
- Filenames are hashed (SHA1)
- A database contains all the information (e.g. filenames, size, permissions, attributes)
ITUNES BACKUP (2)

[Figure only]
CONSULT AN IOS DEVICE

ATTACK
- Consult an iOS device that is not passcode protected

COUNTER-MEASURES
- Set a passcode
- Erase data after n invalid passcode attempts:
  - Erase Dkey and EMF
  - Reformat the data partition
  - Generate a new system keybag
- Use Find My iPhone to:
  - Use location services to find it
  - Erase data (as already mentioned)
BACKUP ATTACK

ATTACK
- Extract a backup and get access to all the data of the device

COUNTER-MEASURES
- Encrypt your backup in iTunes
- Don't give access to your computer (and consequently to your backup)
ESCROW KEYBAG ATTACK

ATTACK
- Make a backup without entering the passcode and put it back on the iPhone

COUNTER-MEASURES
- Don't give access to your computer
- Switch off your iOS device when possible
BRUTEFORCE ATTACK

ATTACK
- Try all 4-digit passcodes with root access

COUNTER-MEASURES
- Set an arbitrarily complex passcode by turning off the simple passcode option
- Use a configuration profile to force data protection:
  - Require passcode length and complexity
  - Require a maximum passcode grace period
KEYCHAIN ATTACK V1

ATTACK
- Decrypt the keychain from the backup with the 0x835 key computed on the device

COUNTER-MEASURES
- Set an arbitrarily complex passcode
KEYCHAIN ATTACK V2

ATTACK
- Access the keychain items by changing the keychain access group of the applications

COUNTER-MEASURES
- Don't jailbreak your iOS device
DEMO
SUMMARY

A COMPLEX SECURITY
- Data encryption on the iOS device
- Different levels of availability

BUT THIS PROTECTION CAN BE COMPROMISED IF:
- No passcode is set
- Class keys are used wrongly (NSFileProtectionComplete vs NSFileProtectionNone)
- Sensitive information is not saved in the keychain
- A BootROM vulnerability exists (iPhone 4 & iPad 1)
QUESTIONS?
REFERENCES

TALKS
- SSTIC 2012: Forensic iOS (2012) - Jean-Baptiste BEDRUNE & Jean SIGWALD
- iPhone data protection in depth (2011) - Jean-Baptiste BEDRUNE & Jean SIGWALD
- iOS Forensics: Overcoming iPhone Data Protection (09/2011) - Andrey BELENKO
- Overcoming iOS data protection to re-enable iPhone forensics (2011) - Andrey BELENKO

VIDEOS
- Apple WWDC 2010, Session 209 - Securing Application Data
- Apple WWDC 2012, Session 714 - Protecting the User's Data

PAPERS
- iOS Security (05/2012) - Apple
- iOS Keychain Weakness FAQ (02/2012) - Jens Heider, Matthias Boll
- Lost iPhone? Lost Passwords! (02/2011) - Jens Heider, Matthias Boll
- Overcoming iOS data protection to re-enable iPhone forensics (2011) - Andrey BELENKO

WEBSITE
- http://www.securitylearn.net/category/iphone/