Xeronimo (Luxembourg) asked:
iPhone: is this possible and a potential security hole?

Is the following scenario possible?

You take someone's locked iPhone. You hook it up to your computer (on which the iPhone has been backed up at least once). You back it up again. You restore that backup to an old iPhone of yours that you've put into DFU mode (thus kind of cloning it). You start it up. No passcode asked!? You have access to all the data on it (which isn't protected by additional logins) ...
John (Canada):

It is only a security hole if:

(a) the owner gives their phone AND computer to someone (You CANNOT get at my phone that way), or,

(b) someone steals the phone AND computer.
btan:

Possible, and the PDF shared details - a closer look at the use of iTunes:

http://www.exploit-db.com/wp-content/themes/exploit/docs/19767.pdf

With iOS 5, data stored on the iPhone can be backed up to a computer with iTunes or to cloud based storage with iCloud. If a passcode protected iPhone is connected to the computer for the first time, iTunes will require the user to enter the passcode and unlock the device before starting the sync process.

Upon unlocking the iPhone with a valid passcode, iTunes recognizes the device as authorized and allows it to back up and sync with the computer. From there on, iTunes will allow backing up or syncing the iPhone without entering the passcode as long as it connects to the same computer.

During backup, iTunes also creates a property list file with the device UDID as the name and stores the Escrow Keybag, Device certificate, Host ID, Host certificate and Host private key in it. The Escrow Keybag allows a paired device (normally a computer) to gain full access to the iPhone file system (circumventing the iOS Data Protection feature) when the phone is in a locked state. This improves usability by not asking the user to unlock the device during every backup.

With iOS 5, the Escrow Keybag is also protected with a passcode key derived from the user's passcode, restricting Escrow Keybag attacks. An Escrow Keybag attack bypasses the iPhone data protection mechanism and allows decrypting every file on the device without requiring the user's passcode. The Escrow Keybag is a copy of the System Keybag and contains a collection of protection class keys that are used for data encryption on the iPhone. The protection class keys stored in the Escrow Keybag allow iTunes to access protected files and keychain items when the iPhone is locked.

As the backup files are encrypted with a hardware key, a backup taken from a device can only be restored to the original device. With iOS 4, Apple introduced a feature to encrypt the iTunes backups, which provides portability and allows restoring the backup files of one device to another device. Encrypted backups are designed for data migration between different iOS devices. Data migration is achieved by encrypting the backup with a password that a user gives in iTunes instead of the device's hardware key. With encrypted backups, all the backup data can be migrated except the content which is protected by ThisDeviceOnly class keys.

As you are noting, the passcode is needed and in most cases that means the phone is very reasonably secured.

You may also want to note the iCloud activation lock bypass for iOS 7:
https://ltlprints.zendesk.com/entries/33415954-Bypass-ICloud-Activation-Lock-IOS-7

When users charge their device, Backup takes sync to the next level by backing up your iOS devices to iCloud daily over Wi-Fi. Professional programs such as Fone Rescue, the iPhone file recovery utility (with separate versions for Windows and Mac), might help to retrieve deleted files without a backup; it works with all iOS devices including newer iPads, the iPhone 5, and also the iPhone 4S etc.

Indeed, the passcode is the key to the crown jewels...
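The per-UDID property list described above (host ID, certificates and escrow keybag) is what lets a computer keep backing up a locked phone. As an added defensive example, not from the thread or the PDF, here is a Python script that audits which pairing records a computer holds so stale ones can be reviewed and removed; the lockdown directory paths and the plist key names are assumptions following libimobiledevice conventions, and the record it parses in `demo()` is constructed sample data.

```python
# Added example, not from the thread: audit the lockdown pairing records that
# iTunes leaves on a computer. Each <UDID>.plist holds the host identity and
# the escrow keybag that let this computer back up the phone while locked.
# Directory paths and key names follow libimobiledevice conventions and are
# assumptions here; check them on your own system.
import os
import plistlib
import tempfile
from dataclasses import dataclass

# Assumed default lockdown directories (macOS, Windows).
LOCKDOWN_DIRS = ["/var/db/lockdown", r"C:\ProgramData\Apple\Lockdown"]

# Keys the thread lists as stored in the record; the key names are assumed.
SENSITIVE_KEYS = ("EscrowBag", "HostPrivateKey", "HostCertificate", "DeviceCertificate")


@dataclass
class PairingRecord:
    udid: str
    host_id: str
    has_escrow_bag: bool
    sensitive_keys: tuple


def parse_pairing_record(path):
    """Summarise one <UDID>.plist without echoing its secret blobs."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    udid = os.path.splitext(os.path.basename(path))[0]
    present = tuple(k for k in SENSITIVE_KEYS if k in data)
    return PairingRecord(udid, str(data.get("HostID", "")), "EscrowBag" in data, present)


def audit_lockdown_dir(directory):
    """Return a PairingRecord for every pairing plist in the directory."""
    if not os.path.isdir(directory):
        return []
    names = sorted(n for n in os.listdir(directory)
                   if n.endswith(".plist") and not n.startswith("SystemConfiguration"))
    return [parse_pairing_record(os.path.join(directory, n)) for n in names]


def demo():
    """Run the audit over one constructed sample record in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = {"HostID": "11111111-2222-3333-4444-555555555555", "EscrowBag": b"\x00" * 16,
                  "HostPrivateKey": b"-", "HostCertificate": b"-", "DeviceCertificate": b"-"}
        with open(os.path.join(tmp, "0" * 40 + ".plist"), "wb") as fh:
            plistlib.dump(sample, fh)
        return audit_lockdown_dir(tmp)
```

Run `audit_lockdown_dir` over each entry of `LOCKDOWN_DIRS` on a real machine to list every device that can currently be backed up from it without a passcode; any UDID you no longer recognise is a record to delete (and the phone's pairing to re-evaluate).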
Xeronimo (asker):

John: in this case it's an IT-savvy husband trying to spy on his wife ... so he has physical access to both the phone and the computer.
bread:

If a passcode protected iPhone is connected to the computer for the first time, iTunes will require the user to enter the passcode and unlock the device before starting the sync process.

Upon unlocking the iPhone with a valid passcode, iTunes recognizes the device as authorized and allows it to back up and sync with the computer. From there on, iTunes will allow backing up or syncing the iPhone without entering the passcode as long as it connects to the same computer.

So this means that if the iPhone has once been connected to a certain PC (let's say, during a time when people were still friendly with each other) it will always be able to back it up on this machine, even if the lock code has changed in the meantime?
IT-savvy husband trying to spy on his wife

That is new information since you posted.

First, is there an issue?  We share the same Windows userid, iTunes and iPhone software. There is no issue.

Second, if there is an issue, then set up a Windows User Name for one person that is different and secure. Set up iTunes in that and set up separate iTunes / iPhones accounts. Software will be separate and so on.

It can be secure but the family will probably not like it. Anything likeable will not be secure from each other.
If you have previously synchronized your iPhone with iTunes on a Mac or Windows computer, you typically can still back up recent additions to your iPhone by connecting it to the same computer you have used before without having to enter the passcode, and even after you changed the passcode ...

Nonetheless, if you attempt to sync with another computer you will need to enter the passcode anyway. On top of that, the iPhone only syncs with one iTunes library, so if they did, it would be wiped when they try to sync.
Yes, ok. But he could have 'cloned' his wife's iPhone this way then and got rid of the passcode at the same time. I was just trying to understand how he could have gained access despite the passcode having been changed a while ago.
ASKER CERTIFIED SOLUTION
John (Canada): [solution text available to Experts Exchange members only]
John: Yes, thank you. That's the way to go indeed. I was just trying to figure out, in retrospect, how he gained access to the data on the phone despite the changed passcode.
Like I said, you can reset the phone. I think that would do it.
Yes, indeed a passcode cannot stop a determined perpetrator.
That iPhone may have synced with other machines as well, unknowingly leaving traces, and there may be a "software bug" in the iPhone for beaconing back... planting such "spyware" is not that hard, especially if physical access is viable.

http://www.flexispy.com/en/features/spy-on-passcodes.htm

Or simply, as stated in the above link: "If your TARGET device is an iPhone or Android and the owner locks the device with a passcode after you have installed FlexiSPY then now you can immediately know the passcode."

Tough to conclude the path since we are always on the brighter side and they are on the darker side. Best is a factory reset, but I have heard of even restored firmware being a bugged version, really way past back ...
bread: but flexispy can't be used on a non-jailbroken iPhone, can it?

Now the iPhone could be jailbroken, but it looks like it's not using FlexiSPY... ??
I cannot do any more with this. If the one partner has access and is savvy, they can break into the phone if they are determined. What else can we say at this point?
Yes, you need to jailbreak first, but if spyware gets in it can also hide the jailbreak sign, and FlexiSPY does that... losing physical access means losing the phone, literally. There is even the case of bogus public USB chargers planting malicious apps:

http://www.arstechnica.com/security/2013/07/trusting-iphones-plugged-into-bogus-chargers-get-a-dose-of-malware/

Really, how much can we trust a device once it has been touched ... I never put high hope against a determined perpetrator.
Wow, this is really a new world opening up here ... the stuff you can do (but shouldn't!!) with FlexiSPY is mind-boggling!?
Yep, even the bogus charger raises the bar. FlexiSPY is just an example... there are others as well, from The Hacking Team if you have heard of their DaVinci suite, or even Gamma's FinFisher ... sigh, mobile devices have become indispensable but at the same time a treasure trove on the 'move'..
You may be interested in this recent HOPE X presentation on iPhone undocumented APIs (and more):

http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf

Extracting Data from Passcode Locked iOS Devices

Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple’s native apps and for which the data is not encrypted using the passcode (“user generated active files”), can be extracted and provided to law enforcement on external media.

Apple can perform this data extraction process on iOS devices running iOS 4 or more recent versions of iOS. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data.
- Bypasses "Backup Encryption" mechanism provided to users
- Can be accessed both via USB and wirelessly (WiFi, maybe cellular); networks can be scanned for a specific target
- If device has not been rebooted since user last entered PIN, can access all data encrypted with data-protection (third party app data, etc)
- Other (more legitimate) services enable software installation, APN installation (adding proxy servers) for continued monitoring