Solved

iPhone: is this possible and a potential security hole?

Posted on 2014-07-16
Last Modified: 2014-08-12
Is the following scenario possible?

You take someone's locked iPhone. You hook it up to your computer (on which the iPhone has been backed up at least once). You back it up again. You restore that backup to an old iPhone of yours that you've put into DFU mode (thus kind of cloning it). You start it up. No passcode asked!? You have access to all the data on it (which isn't protected by additional logins) ...
Question by:Xeronimo
20 Comments
 
LVL 99

Expert Comment

by:John Hurst
ID: 40200439
It is only a security hole if:

(a) the owner gives their phone AND computer to someone (You CANNOT get at my phone that way), or,

(b) someone steals the phone AND computer.
 
LVL 65

Expert Comment

by:btan
ID: 40200967
Possible, and the PDF shared details - closer look at the use of iTunes..

http://www.exploit-db.com/wp-content/themes/exploit/docs/19767.pdf

With iOS 5, data stored on the iPhone can be backed up to a computer with iTunes or to a cloud based storage with iCloud. If a passcode protected iPhone is connected to the computer for the first time, iTunes will require the user to enter the passcode and unlock the device before starting the sync process.

Upon unlocking the iPhone with a valid passcode, iTunes recognizes the device as authorized and allows backup and sync with the computer. From there on, iTunes will allow backup or sync of the iPhone without entering the passcode as long as it connects to the same computer.

During backup, iTunes also creates a property list file with the device UDID as the name and stores the Escrow Keybag, Device certificate, Host ID, Host certificate and Host private key in it. The Escrow Keybag allows a paired device (normally a computer) to gain full access to the iPhone file system (circumventing the iOS Data Protection feature) when the phone is in a locked state. This improves usability by not asking the user to unlock the device during every backup.

With iOS 5, the Escrow Keybag is also protected with a passcode key derived from the user's passcode, restricting the ability to perform Escrow Keybag attacks. An Escrow Keybag attack bypasses the iPhone data protection mechanism and allows decrypting every file on the device without requiring the user's passcode. The Escrow Keybag is a copy of the System Keybag and contains a collection of protection class keys that are used for data encryption on the iPhone. Protection class keys stored in the Escrow Keybag allow iTunes to access protected files & keychain items when the iPhone is locked.

As the backup files are encrypted with a hardware key, a backup taken from a device can only be restored to the original device. With iOS 4, Apple introduced a feature to encrypt the iTunes backups, which provides portability and allows restoring the backup files of one device to another device. Encrypted backups are designed for data migration between different iOS devices. Data migration is achieved by encrypting the backup with a password that a user gives in iTunes instead of the device's hardware key. With encrypted backups, all the backup data can be migrated except the content which is protected by ThisDeviceOnly class keys.
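The pairing record described in the quoted PDF is the artifact a defender would want to inventory on a shared computer: whoever can read it holds everything iTunes needs to open a trusted, passcode-free session with the device while it is locked. The script below is an added example for auditing such records from the computer side; it is not code from this thread, from Apple or from iTunes. It assumes the usual lockdown directories on Windows and macOS, assumes the plist key names HostID, HostCertificate, HostPrivateKey, DeviceCertificate and EscrowBag for the fields the PDF lists, treats SystemConfiguration.plist as host configuration rather than a pairing, and runs its demo on a constructed record with placeholder values.

```python
"""Audit lockdown pairing records left on a computer by iTunes.

Added example for the thread above, not code from the thread, Apple or
iTunes. It inventories the per-device property lists (named after the
device UDID) that hold the escrow keybag, device certificate, host ID,
host certificate and host private key, and reports what each one grants.
"""
import os
import plistlib
from datetime import datetime, timezone

# ASSUMPTION: default pairing-record locations for desktop iTunes /
# Apple Mobile Device Support on Windows and macOS. Adjust for your setup.
LOCKDOWN_DIRS = [
    r"C:\ProgramData\Apple\Lockdown",
    "/var/db/lockdown",
]

# ASSUMPTION: plist key names for the fields the quoted PDF lists.
PAIRING_KEYS = ("HostID", "HostCertificate", "HostPrivateKey",
                "DeviceCertificate", "EscrowBag")


def build_sample_record() -> bytes:
    """Constructed sample pairing record with placeholder values (no real keys)."""
    record = {
        "HostID": "00000000-0000-0000-0000-PLACEHOLDER0",
        "HostCertificate": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
        "HostPrivateKey": b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
        "DeviceCertificate": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
        "EscrowBag": bytes(32),  # opaque blob in real records; zeroed here
    }
    return plistlib.dumps(record)


def audit_pairing_record(udid: str, data: bytes) -> dict:
    """Parse one pairing record and report what it would grant to whoever holds it."""
    rec = plistlib.loads(data)
    present = {key: key in rec for key in PAIRING_KEYS}
    escrow = rec.get("EscrowBag")
    has_escrow_bag = isinstance(escrow, (bytes, bytearray)) and len(escrow) > 0
    return {
        "udid": udid,
        "host_id": rec.get("HostID"),
        "fields_present": present,
        "has_escrow_bag": has_escrow_bag,
        # Host private key plus escrow bag is what lets this computer open a
        # trusted USB session and back the device up while it is locked, so a
        # record holding both is as sensitive as the device's unlocked data.
        "grants_locked_access": has_escrow_bag and present["HostPrivateKey"],
    }


def scan_lockdown_dir(path: str) -> list:
    """Audit every UDID-named .plist in a lockdown directory; [] if it is absent."""
    findings = []
    if not os.path.isdir(path):
        return findings
    for name in sorted(os.listdir(path)):
        # ASSUMPTION: SystemConfiguration.plist is host config, not a pairing.
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        full = os.path.join(path, name)
        try:
            with open(full, "rb") as fh:
                finding = audit_pairing_record(name[:-len(".plist")], fh.read())
        except (OSError, plistlib.InvalidFileException, ValueError) as exc:
            finding = {"udid": name, "error": str(exc)}
        # File mtime approximates when this computer last (re)paired the device.
        finding["modified"] = datetime.fromtimestamp(
            os.path.getmtime(full), tz=timezone.utc).isoformat()
        findings.append(finding)
    return findings


if __name__ == "__main__":
    # Demo on the constructed record, then a live scan of any lockdown
    # directory that exists on this machine (needs read access to it).
    print(audit_pairing_record("CONSTRUCTED-UDID", build_sample_record()))
    for directory in LOCKDOWN_DIRS:
        for finding in scan_lockdown_dir(directory):
            print(directory, finding)
```

Run it from an account that can read the lockdown directory; every record it lists is a computer-side trust that survives a passcode change on the phone, which is exactly the situation the question describes. A record for a device you no longer expect to be paired with this computer is the finding to act on: delete it on the computer, and reset the trusted-computer list on the device so the stale record is no longer honoured.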
 
LVL 99

Expert Comment

by:John Hurst
ID: 40200975
As you are noting, the passcode is needed and in most cases, that means the phone is very reasonably secured.
 
LVL 65

Expert Comment

by:btan
ID: 40200976
You may also want to note the bypass of iCloud activation lock for iOS 7:
https://ltlprints.zendesk.com/entries/33415954-Bypass-ICloud-Activation-Lock-IOS-7

When users charge their device, Backup takes sync towards the next level by backing up your iOS devices to iCloud daily over Wi-Fi. Professional programs such as Fone Rescue, the iPhone recover file utility (with separate versions for Windows and Mac) might help to retrieve deleted files without backup, it works with all iOS devices including newer iPads, the iPhone 5, and also the iPhone 4S etc.
 
LVL 65

Expert Comment

by:btan
ID: 40200977
Indeed, the passcode is key to the crown jewel...
 

Author Comment

by:Xeronimo
ID: 40201296
John: in this case it's an IT-savvy husband trying to spy on his wife ... so he has physical access to both the phone and the computer.
 

Author Comment

by:Xeronimo
ID: 40201299
bread:

If a passcode protected iPhone is connected to the computer for the first time, iTunes will require the user to enter the passcode and unlock the device before starting the sync process.

Upon unlocking the iPhone with a valid passcode, iTunes recognizes the device as authorized and allows to backup and sync with the computer. From there on, iTunes will allow to backup or sync the iPhone without entering the passcode as long as it connects to the same computer.

So this means that if the iPhone has once been connected to a certain PC (let's say, during a time when people were still friendly with each other) it will always be able to back it up on this machine, even if the lock code has changed in the meantime?
 
LVL 99

Expert Comment

by:John Hurst
ID: 40201584
IT-savvy husband trying to spy on his wife

That is new information since you posted.

First, is there an issue?  We share the same Windows userid, iTunes and iPhone software. There is no issue.

Second, if there is an issue, then set up a Windows User Name for one person that is different and secure. Set up iTunes in that and set up separate iTunes / iPhones accounts. Software will be separate and so on.

It can be secure but the family will probably not like it. Anything likeable will not be secure from each other.
 
LVL 65

Expert Comment

by:btan
ID: 40202051
If you have previously synchronized your iPhone with iTunes on a Mac or Windows computer, you typically still can back up recent additions to your iPhone by connecting it to the same computer you have used before without having to enter the passcode, and even after you changed the passcode ...

Nonetheless, if you attempt to sync with another computer there will be a need to enter the passcode anyway. On top of that, the iPhone only syncs with one iTunes library, so if they did, it would be wiped when they try to sync.
 

Author Comment

by:Xeronimo
ID: 40202069
Yes, ok. But he could have 'cloned' his wife's iPhone this way then and got rid of the passcode at the same time. I was just trying to understand how he could have gained access despite the passcode having been changed a while ago.
 
LVL 99

Accepted Solution

by:
John Hurst earned 2000 total points
ID: 40202091
If he has unrestricted access to the phone and iTunes, and is savvy, he could remove the passcode. He could have recovered from an iTunes backup. I have reset my partner's iPhone this way.

If people have access, all bets are off.

If this partner's phone needs to be truly secure, get a different computer with a hard drive password and a completely separate iPhone / iTunes setup. That will do it.
 

Author Comment

by:Xeronimo
ID: 40202101
John: Yes, thank you. That's the way to go indeed. I was just trying to figure out, in retrospect, how he gained access to the data on the phone despite the changed passcode.
 
LVL 99

Expert Comment

by:John Hurst
ID: 40202106
Like I said, you can reset the phone. I think that would do it.
 
LVL 65

Expert Comment

by:btan
ID: 40202119
Yes, indeed the passcode cannot stop a determined perpetrator.
That iPhone may have synced with other machines as well, unknowingly leaving traces, and there may be a "software bug" in the iPhone for beaconing back... planting such "spyware" is not that hard, esp. if physical access is viable.

http://www.flexispy.com/en/features/spy-on-passcodes.htm

or simply.. as stated in the above link ....If your TARGET device is an iPhone or Android and the owner locks the device with a passcode after you have installed FlexiSPY then now you can immediately know the passcode.

Tough to conclude the path since we are always on the brighter side and they are on the darker side. Best is a factory reset, but I have heard of even firmware restores being bugged versions, really way pass back ...
 

Author Comment

by:Xeronimo
ID: 40202137
bread: but flexispy can't be used on a non-jailbroken iPhone, can it?

Now, the iPhone could be jailbroken, but it looks like it's not using flexispy... ??
 
LVL 99

Expert Comment

by:John Hurst
ID: 40202155
I cannot do any more with this. If the one partner has access and is savvy, they can break into the phone if they are determined. What else can we say at this point?
 
LVL 65

Expert Comment

by:btan
ID: 40202234
Yes, need to jailbreak first, but if spyware gets in they can also hide the jailbreak signs, and flexispy does that... losing physical access means losing the phone, literally. There is even a case of bogus public USB chargers planting malicious apps..

http://www.arstechnica.com/security/2013/07/trusting-iphones-plugged-into-bogus-chargers-get-a-dose-of-malware/

Really, how much can we trust a device once it is touched ... I never put high hope against a determined perpetrator.
 

Author Comment

by:Xeronimo
ID: 40202246
Wow, this is really a new world opening up here ... the stuff you can do (but shouldn't!!) with flexispy is mindboggling!?
 
LVL 65

Expert Comment

by:btan
ID: 40202361
Yap, even the bogus charger raises the bar.. flexispy is just an example... there are others as well from thehackingteam, if you have heard of their davinci suite, or even the Gamma FinFisher ... sigh, the mobile device becomes indispensable but at the same time a treasure trove on the 'move'..
 
LVL 65

Expert Comment

by:btan
ID: 40211679
You may be interested in this recent HOPE X preso on iPhone undocumented APIs (and more):

http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf

Extracting Data from Passcode Locked iOS Devices

Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple's native apps and for which the data is not encrypted using the passcode ("user generated active files"), can be extracted and provided to law enforcement on external media.

Apple can perform this data extraction process on iOS devices running iOS 4 or more recent versions of iOS. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data.

  • Bypasses "Backup Encryption" mechanism provided to users
  • Can be accessed both via USB and wirelessly (WiFi, maybe cellular); networks can be scanned for a specific target
  • If device has not been rebooted since user last entered PIN, can access all data encrypted with data-protection (third party app data, etc)
  • Other (more legitimate) services enable software installation, APN installation (adding proxy servers) for continued monitoring