iPhone: is this possible and a potential security hole?

Is the following scenario possible?

You take someone's locked iPhone. You hook it up to your computer (on which the iPhone has been backed up at least once). You back it up again. You restore that backup to an old iPhone of yours that you've put into DFU mode (thus kind of cloning it). You start it up. No passcode asked!? You have access to all the data on it (which isn't protected by additional logins) ...
Xeronimo asked:
John, Business Consultant (Owner), commented:
It is only a security hole if:

(a) the owner gives their phone AND computer to someone (You CANNOT get at my phone that way), or,

(b) someone steals the phone AND computer.
btan, Exec Consultant, commented:
Possible, and the PDF shared details - a closer look at the use of iTunes.

http://www.exploit-db.com/wp-content/themes/exploit/docs/19767.pdf

With iOS 5, data stored on the iPhone can be backed up to a computer with iTunes or to cloud-based storage with iCloud. If a passcode-protected iPhone is connected to the computer for the first time, iTunes will require the user to enter the passcode and unlock the device before starting the sync process.

Upon unlocking the iPhone with a valid passcode, iTunes recognizes the device as authorized and allows backup and sync with the computer. From then on, iTunes will allow backup or sync of the iPhone without entering the passcode as long as it connects to the same computer.

During backup, iTunes also creates a property list file with the device UDID as the name and stores the Escrow Keybag, Device certificate, Host ID, Host certificate and Host private key in it. The Escrow Keybag allows a paired device (normally a computer) to gain full access to the iPhone file system (circumventing the iOS Data Protection feature) when the phone is in a locked state. This improves usability by not asking the user to unlock the device during every backup.

With iOS 5, the Escrow Keybag is also protected with a passcode key derived from the user's passcode, restricting Escrow Keybag attacks. An Escrow Keybag attack bypasses the iPhone data protection mechanism and allows decrypting every file on the device without requiring the user's passcode. The Escrow Keybag is a copy of the System Keybag and contains a collection of protection class keys that are used for data encryption on the iPhone. Protection class keys stored in the Escrow Keybag allow iTunes to access protected files and keychain items when the iPhone is locked.

As the backup files are encrypted with a hardware key, a backup taken from a device can only be restored to the original device. With iOS 4, Apple introduced a feature to encrypt the iTunes backups, which provides portability and allows restoring the backup files of one device to another device. Encrypted backups are designed for data migration between different iOS devices. Data migration is achieved by encrypting the backup with a password that the user gives in iTunes instead of the device's hardware key. With encrypted backups, all the backup data can be migrated except the content which is protected by ThisDeviceOnly class keys.
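The pairing record described above (the per-UDID plist holding the Escrow Keybag and host credentials) is the artifact that lets a previously trusted computer back up a locked phone. The script below is an added example, not code from the thread or the cited paper: it audits which pairing records exist on a computer and which of them carry an escrow bag plus host private key. It assumes the well-known lockdown directories and the real pairing-record key names, which correspond to the fields the paper lists; the sample record is constructed, not a real device.

```python
import plistlib
from pathlib import Path

# Default lockdown (pairing record) directories written by iTunes / usbmuxd.
# Assumption: these are the well-known locations; adjust if your install differs.
LOCKDOWN_DIRS = [
    Path("/var/db/lockdown"),                 # macOS
    Path(r"C:\ProgramData\Apple\Lockdown"),   # Windows
    Path("/var/lib/lockdown"),                # Linux (libimobiledevice / usbmuxd)
]

# Fields the quoted paper says iTunes stores per paired device.
ESCROW_KEYS = ("EscrowBag", "HostID", "HostCertificate",
               "HostPrivateKey", "DeviceCertificate")

def audit_pairing_record(udid, data):
    """Parse one <UDID>.plist pairing record and report what it grants."""
    rec = plistlib.loads(data)
    present = [k for k in ESCROW_KEYS if k in rec]
    # An EscrowBag together with the host's private key is what lets this
    # computer back up the device while it is locked, passcode not re-entered.
    return {
        "udid": udid,
        "host_id": rec.get("HostID"),
        "keys_present": present,
        "passcodeless_backup": "EscrowBag" in rec and "HostPrivateKey" in rec,
    }

def audit_directory(directory):
    """Audit every device pairing record in one lockdown directory."""
    results = []
    for p in Path(directory).glob("*.plist"):
        if p.stem.lower() == "systemconfiguration":
            continue  # host-level file, not a device record
        results.append(audit_pairing_record(p.stem, p.read_bytes()))
    return results

# Constructed sample records (no real device or key material) for offline runs.
SAMPLE_RECORD = plistlib.dumps({
    "HostID": "00000000-0000-0000-0000-000000000000",
    "EscrowBag": b"\x00" * 16,
    "HostPrivateKey": b"(constructed private key)",
    "HostCertificate": b"(constructed cert)",
    "DeviceCertificate": b"(constructed cert)",
})
SAMPLE_RECORD_NO_ESCROW = plistlib.dumps({"HostID": "constructed-host"})

if __name__ == "__main__":
    print(audit_pairing_record("CONSTRUCTED-UDID", SAMPLE_RECORD))
    for d in LOCKDOWN_DIRS:
        if d.is_dir():
            for r in audit_directory(d):
                print(r)
```

Deleting a device's record from these directories (or resetting Location & Privacy / trust settings on the phone) forces the passcode prompt on the next connection, which is the practical mitigation for a computer that should no longer be trusted.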
John, Business Consultant (Owner), commented:
As you are noting, the passcode is needed, and in most cases that means the phone is very reasonably secured.
btan, Exec Consultant, commented:
You may also want to note the iCloud Activation Lock bypass for iOS 7:
https://ltlprints.zendesk.com/entries/33415954-Bypass-ICloud-Activation-Lock-IOS-7

When users charge their device, Backup takes sync to the next level by backing up your iOS devices to iCloud daily over Wi-Fi. Professional programs such as Fone Rescue, the iPhone file recovery utility (with separate versions for Windows and Mac), might help to retrieve deleted files without a backup; it works with all iOS devices, including newer iPads, the iPhone 5, and also the iPhone 4S, etc.
btan, Exec Consultant, commented:
Indeed, the passcode is the key to the crown jewels...
Xeronimo, Author, commented:
John: in this case it's an IT-savvy husband trying to spy on his wife ... so he has physical access to both the phone and the computer.
Xeronimo, Author, commented:
btan:

If a passcode-protected iPhone is connected to the computer for the first time, iTunes will require the user to enter the passcode and unlock the device before starting the sync process.

Upon unlocking the iPhone with a valid passcode, iTunes recognizes the device as authorized and allows backup and sync with the computer. From then on, iTunes will allow backup or sync of the iPhone without entering the passcode as long as it connects to the same computer.

So this means that if the iPhone has once been connected to a certain PC (let's say, during a time when people were still friendly with each other) it will always be possible to back it up on this machine, even if the lock code has changed in the meantime?
John, Business Consultant (Owner), commented:
IT-savvy husband trying to spy on his wife

That is new information since you posted.

First, is there an issue? We share the same Windows userid, iTunes and iPhone software. There is no issue.

Second, if there is an issue, then set up a Windows User Name for one person that is different and secure. Set up iTunes in that and set up separate iTunes / iPhones accounts. Software will be separate and so on.

It can be secure but the family will probably not like it. Anything likeable will not be secure from each other.
btan, Exec Consultant, commented:
If you have previously synchronized your iPhone with iTunes on a Mac or Windows computer, you typically can still back up recent additions to your iPhone by connecting it to the same computer you have used before, without having to enter the passcode, and even after you have changed the passcode ...

Nonetheless, if you attempt to sync with another computer, there will be a need to enter the passcode anyway. On top of that, the iPhone only syncs with one iTunes library, so if they did, it would be wiped when they try to sync.
Xeronimo, Author, commented:
Yes, ok. But he could have 'cloned' his wife's iPhone this way then, and gotten rid of the passcode at the same time. I was just trying to understand how he could have gained access despite the passcode having been changed a while ago.
John, Business Consultant (Owner), commented:
If he has unrestricted access to the phone and iTunes, and is savvy, he could remove the passcode. He could have recovered from an iTunes backup. I have reset my partner's iPhone this way.

If people have access, all bets are off.

If this partner's phone needs to be truly secure, get a different computer with a hard drive password and a completely separate iPhone / iTunes setup. That will do it.
Xeronimo, Author, commented:
John: Yes, thank you. That's the way to go indeed. I was just trying to figure out, in retrospect, how he gained access to the data on the phone despite the changed passcode.
John, Business Consultant (Owner), commented:
Like I said, you can reset the phone. I think that would do it.
btan, Exec Consultant, commented:
Yes, indeed, a passcode cannot stop a determined perpetrator.
That iPhone may have synced with other machines as well, unknowingly leaving traces, and there may be a "software bug" in the iPhone for beaconing back... Planting such "spyware" is not that hard, especially if physical access is viable.

http://www.flexispy.com/en/features/spy-on-passcodes.htm

Or simply, as stated in the above link: If your TARGET device is an iPhone or Android and the owner locks the device with a passcode after you have installed FlexiSPY, then you can immediately know the passcode.

Tough to conclude the path, since we are always on the brighter side and they are on the darker side. Best is a factory reset, but I have heard of even restored firmware being a bugged version, really from way back ...
Xeronimo, Author, commented:
btan: but FlexiSPY can't be used on a non-jailbroken iPhone, can it?

Now, the iPhone could be jailbroken, but it looks like it's not using FlexiSPY... ??
John, Business Consultant (Owner), commented:
I cannot do any more with this. If the one partner has access and is savvy, they can break into the phone if they are determined. What else can we say at this point?
btan, Exec Consultant, commented:
Yes, need to jailbreak first, but if spyware gets in, they can also hide the jailbreak signs, and FlexiSPY does that... Losing physical access means losing the phone, literally. There is even a case of a bogus public USB charger planting malicious apps...

Http://www.arstechnica.com/security/2013/07/trusting-iphones-plugged-into-bogus-chargers-get-a-dose-of-malware/

Really, how much do we trust a device once it is touched ... I never put high hope against a determined perpetrator.
Xeronimo, Author, commented:
Wow, this is really a new world opening up here ... the stuff you can do (but shouldn't!!) with FlexiSPY is mind-boggling!?
btan, Exec Consultant, commented:
Yup, even the bogus charger raises the bar... FlexiSPY is just an example... there are others as well from The Hacking Team, if you have heard of their DaVinci suite, or even Gamma FinFisher ... Sigh, the mobile device becomes indispensable but at the same time a treasure trove on the 'move'...
btan, Exec Consultant, commented:
You may be interested in this recent HOPE X presentation on iPhone undocumented APIs (and more):

http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf

Extracting Data from Passcode Locked iOS Devices

Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple’s native apps and for which the data is not encrypted using the passcode (“user generated active files”), can be extracted and provided to law enforcement on external media.

Apple can perform this data extraction process on iOS devices running iOS 4 or more recent versions of iOS. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data.
- Bypasses "Backup Encryption" mechanism provided to users

- Can be accessed both via USB and wirelessly (WiFi, maybe cellular); networks can be scanned for a specific target

- If device has not been rebooted since user last entered PIN, can access all data encrypted with data-protection (third party app data, etc)

- Other (more legitimate) services enable software installation, APN installation (adding proxy servers) for continued monitoring