SlideShare a Scribd company logo

Analyzing Apple iCloud Backups, Find My iPhone, Documents

Download as ODP, PDF
S
SynapseIndiaiPhoneApps

This document discusses analyzing Apple iCloud backups, Find My iPhone, and document storage. It provides an overview of iOS forensics needs given the widespread adoption of Apple devices. It describes iOS data protection methods, including encryption. It then covers analyzing iCloud backups, the Find My iPhone protocol, and accessing files stored in iCloud documents. The conclusion discusses balancing security, privacy, and convenience when analyzing Apple cloud services and the need for further work to access additional data types and decrypt encrypted information.

Technology
1 of 38
Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage
The need for iOS forensics • More than 5 years on the market • 7 iPhones, 5 iPods, 5 iPads • 320+ million iPhones, 280+ million iPods, 120+ million iPads sold worldwide • “Smart devices” – they do carry a lot of sensitive data • Corporate deployments are increasing
iOS data protection • Device passcode • Protect unauthorized access to the device • Bypassing is not enough (used in encryption) • Disk encryption • Keychain • System-wide storage for sensitive data (keys, passwords etc) • Data is encrypted
iOS forensics • Logical acquisition (iTunes backups) • Physical acquisition • iCloud backups and storage
iOS forensics - logical acquisition - logical acquisition • “Ask” device to produce backup • Device must be unlocked (by passcode or iTunes) • Device may produce encrypted backup • Limited amount of information
iOS forensics - physical acquisition - physical acquisition •Boot-time exploit to run unsigned code or •Jailbreak •Device lock state isn’t relevant, can bruteforce passcode •Can get all information from the device
iOS Data Protection Every iOS device contains secure AES engine with two embedded keys: •GID – shared by all devices of same “family” •UID – unique per device •Newer devices have additional UID+ key There is no known way to extract GID or UID
iOS data protection (cont-d) • Content grouped by accessibility requirements: • Available only when device is unlocked • Available after first device unlock (and until power off) • Always available • Each protection class has a master key • Master keys are protected by device key and passcode • Protected master keys form system keybag • New keys created during device restore
iOS 4+ passcode • Passcode is used to compute passcode key • Computation is tied to hardware key (UID/UID+) • Same passcode will yield different passcode keys on different devices! • Passcode key is required to unlock most keys from the system keybag • Most files are protected with NSProtectionNone and don’t require a passcode • Most keychain items are protected with ...WhenUnlocked or ...AfterFirstUnlock and require a passcode
iOS 4+ passcode (cont-d) • Passcode-to-Key transformation is slow • Offline brute-force currently is not possible • Requires extracting UID/UID+ key • On-device bruteforce is slow • 2 p/s on iPhone 3G, 7 p/s on iPad • System keybag contains hint on password complexity
iOS 4+ passcode (cont-d)
iOS 5 Keychain • SQLite3 DB, all columns are encrypted Available protection classes • kSecAttrAccessibleWhenUnlocked (+ ...ThisDeviceOnly) • kSecAttrAccessibleAfterFirstUnlock (+ ...ThisDeviceOnly) • kSecAttrAccessibleAlways (+ ...ThisDeviceOnly) • Random key for each item (AES) • Item key is protected with corresponding protection class master key
Ios • Only User partition is encrypted • Available protection classes: • NSProtectionNone • NSProtectionComplete • NSFileProtectionCompleteUntilFirstUserAuthentication • NSFileProtectionCompleteUnlessOpen • Per-file random encryption key • File key protected with master key is stored in extended attributes (pretty much like Microsoft EFS) • No protection class - partition key is used • File system metadata and unprotected files • Transparent encryption and decryption (same as pre-iOS 4)
iCloud • Introduced in Oct 2011 • Introduced with iOS 5 • Successor to MobileMe, .Mac, iTools • 5 GB free storage • Up to 50 GB paid storage • Over 125 million users in April 2012
iCloud services
iCloud Control Panel
iPhone backup - why?
Mission: impossible :)
iCloud backup - what • Messages (including iMessages) • Application data • Device settings • Camera roll (photos and videos) • Visual voicemails • Purchases (music, movies, TV, apps, books) • Home screen arrangement • Ringtones
iCloud backup - when • Backup runs daily when device is: • Connected to the Internet over Wi-Fi • Connected to a power source • Locked • Can force backup • [Settings] | [iCloud] | [Storage & Backup] | [Back Up Now]
iCloud backup - how
iCloud CP: backups
iCloud backup protocol flow • Dynamic: endpoints depend on Apple ID • Built on Google Protocol Buffers (mostly) • Files are split into chunks • Apple provides file-to-chunks mapping, chunk encryption keys, and full request info to 3rd-party storage provider (Amazon/Microsoft) • Encryption key depends on chunk data (deduplication?)
iCloud backup protocol flow (cont-d)• /mbs/<personId> • List of backups • /mbs/<personId>/<backupUDID>/getKeys • OTA backup keybag • /mbs/<personId>/<backupUDID>/<snapshotId>/listFiles • File manifest • /mbs/<personId>/<backupUDID>/<snapshotId>/getFiles • File auth tokens • /mbs/<personId>/authorizeGet • Info about containers of chunks for "les (FileGroups)  • Request containers of chunks (FileGroups) • Containers of chunks
iCloud encryption • Data stored at 3rd-party storage providers is encrypted • Apple has encryption keys to that data • Few files are further encrypted using keys from OTA backup keybag • Keychain items are encrypted using keys from OTA backup keybag • Need key 0x835 (securityd) to decrypt most keys from OTA backup keybag
iCloud backups - summary • There is no user-con"gurable encryption for iCloud backups • iCloud backups are stored in Microsoft and Amazon clouds in encrypted form • Apple holds encryption keys and thus have access to data in iCloud backups • If Apple stores 0x835 keys then it can also have access to Keychain data (i.e. passwords) • Apple may have legal obligations to do this (e.g. LE)
Find My Phone
FindMyPhone protocol
FindMyPhone - demo output
iCloud documents
iCloud CP: documents
Get files from iCloud To get list of files •Authentication request (with given AppleID & password). Client gets mmeAuthToken in return; which, in order, is used to create authentication token (together with dsid). dsid (Destination Signaling IDentifier) is an unique ID assigned to the user when registering at iCloud.com. •Request to get AccountSettings. Client gets an URL (ubiquityUrl) with an address to get UUID (unique user identifier), file list, info on file tokens and for authorization. •Request to get file list (POST). Output (for every file): • file name • file id • parent folder id • last change time • checksum • access rights To download given file •Request to get file token (using file id, checksum and aliasMap). •Authorization request. Returns information on file chunks and containers. Output: container list (with URLs) and chunk information.
Files in iCloud
iCloud docs: demo output
Possible usage • Backups in iCloud • near-realtime acquisition (SMS, iMessage, mail, call logs) • browse backup data without actual device • download only data of specific type (need further work) • Find My Phone • keep track • using Google Maps (or whatever) • enter/leave some are • 2+ devices • Documents in iCloud • open from 3rd party apps • track changes • download unsupported document data
Conclusion • Balance between security, privacy and convenience • iCloud security risks • Use additional encryption • Need further work (contacts, calendar, mode documents, converting documents, partial backup download, decrypting keychain, photo stream, 3rd party apps data: 1Password etc)
backups, Find My iPhone, Document Storage Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage CanSecWest 2013 Vladimir Katalov, ElcomSoft Co. Ltd. http://www.elcomsoft.com http://blog.crackpassword.com Facebook: ElcomSoft Twitter: @elcomsoft

Recommended

2014.11 asfws
2014.11 asfws2014.11 asfws
2014.11 asfwsCyber Security Alliance
 
Hacking and Securing iOS Applications
Hacking and Securing iOS ApplicationsHacking and Securing iOS Applications
Hacking and Securing iOS Applicationsn|u - The Open Security Community
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyClubHack
 
SynapseIndia Iphone apps Presentation on Apple Iphone
SynapseIndia Iphone apps Presentation on Apple IphoneSynapseIndia Iphone apps Presentation on Apple Iphone
SynapseIndia Iphone apps Presentation on Apple IphoneSynapseIndiaiPhoneApps
 
CV of OSAMA HASAN 8
CV of OSAMA HASAN 8CV of OSAMA HASAN 8
CV of OSAMA HASAN 8Osama Hasan
 
Monetarysystemof031388mbp
Monetarysystemof031388mbpMonetarysystemof031388mbp
Monetarysystemof031388mbpbevarsi82q377
 
Santo Ojara Character in Community
Santo Ojara Character in CommunitySanto Ojara Character in Community
Santo Ojara Character in CommunitySanto Ojara
 
How to lay a solid job search foundation before you graduate
How to lay a solid job search foundation before you graduateHow to lay a solid job search foundation before you graduate
How to lay a solid job search foundation before you graduateLee Gamelin
 

Recommended

2014.11 asfws
2014.11 asfws2014.11 asfws
2014.11 asfwsCyber Security Alliance
 
Hacking and Securing iOS Applications
Hacking and Securing iOS ApplicationsHacking and Securing iOS Applications
Hacking and Securing iOS Applicationsn|u - The Open Security Community
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyClubHack
 
SynapseIndia Iphone apps Presentation on Apple Iphone
SynapseIndia Iphone apps Presentation on Apple IphoneSynapseIndia Iphone apps Presentation on Apple Iphone
SynapseIndia Iphone apps Presentation on Apple IphoneSynapseIndiaiPhoneApps
 
CV of OSAMA HASAN 8
CV of OSAMA HASAN 8CV of OSAMA HASAN 8
CV of OSAMA HASAN 8Osama Hasan
 
Monetarysystemof031388mbp
Monetarysystemof031388mbpMonetarysystemof031388mbp
Monetarysystemof031388mbpbevarsi82q377
 
Santo Ojara Character in Community
Santo Ojara Character in CommunitySanto Ojara Character in Community
Santo Ojara Character in CommunitySanto Ojara
 
How to lay a solid job search foundation before you graduate
How to lay a solid job search foundation before you graduateHow to lay a solid job search foundation before you graduate
How to lay a solid job search foundation before you graduateLee Gamelin
 
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovTroopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovJose Moruno Cadima
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
iOS secure app development
iOS secure app developmentiOS secure app development
iOS secure app developmentDusan Klinec
 
Belenko, sklyarov dark and bright sides of i cloud (in)security
Belenko, sklyarov dark and bright sides of i cloud (in)securityBelenko, sklyarov dark and bright sides of i cloud (in)security
Belenko, sklyarov dark and bright sides of i cloud (in)securityDefconRussia
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?Reality Net System Solutions
 
iOS and BlackBerry Forensics
iOS and BlackBerry ForensicsiOS and BlackBerry Forensics
iOS and BlackBerry ForensicsAndrey Belenko
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption SystemsPeter Teufl
 
iOS Forensics
iOS Forensics iOS Forensics
iOS Forensics Tjylen Veselyj
 
Android forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageAndroid forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageMohamed Khaled
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption SystemsPeter Teufl
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupEC-Council
 
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArtDataArt
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applicationsSatish b
 
CactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseCactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseSeth Law
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systemsBirju Tank
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)Sam Bowne
 
iOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectioniOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectionAndrey Belenko
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 

More Related Content

Similar to Analyzing Apple iCloud Backups, Find My iPhone, Documents

Troopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovTroopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovJose Moruno Cadima
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
iOS secure app development
iOS secure app developmentiOS secure app development
iOS secure app developmentDusan Klinec
 
Belenko, sklyarov dark and bright sides of i cloud (in)security
Belenko, sklyarov dark and bright sides of i cloud (in)securityBelenko, sklyarov dark and bright sides of i cloud (in)security
Belenko, sklyarov dark and bright sides of i cloud (in)securityDefconRussia
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?Reality Net System Solutions
 
iOS and BlackBerry Forensics
iOS and BlackBerry ForensicsiOS and BlackBerry Forensics
iOS and BlackBerry ForensicsAndrey Belenko
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption SystemsPeter Teufl
 
Android forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageAndroid forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageMohamed Khaled
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption SystemsPeter Teufl
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupEC-Council
 
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArtDataArt
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applicationsSatish b
 
CactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseCactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseSeth Law
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systemsBirju Tank
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)Sam Bowne
 
iOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectioniOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectionAndrey Belenko
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 

Similar to Analyzing Apple iCloud Backups, Find My iPhone, Documents (20)

Troopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovTroopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir Katalov
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
 
iOS secure app development
iOS secure app developmentiOS secure app development
iOS secure app development
 
Belenko, sklyarov dark and bright sides of i cloud (in)security
Belenko, sklyarov dark and bright sides of i cloud (in)securityBelenko, sklyarov dark and bright sides of i cloud (in)security
Belenko, sklyarov dark and bright sides of i cloud (in)security
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?
 
iOS and BlackBerry Forensics
iOS and BlackBerry ForensicsiOS and BlackBerry Forensics
iOS and BlackBerry Forensics
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption Systems
 
iOS Forensics
iOS Forensics iOS Forensics
iOS Forensics
 
Android forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageAndroid forensics an Custom Recovery Image
Android forensics an Custom Recovery Image
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption Systems
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applications
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
 
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt"Mobile security: iOS", Yaroslav Vorontsov, DataArt
"Mobile security: iOS", Yaroslav Vorontsov, DataArt
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
CactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseCactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and Defense
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systems
 
CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)CNIT 128 2. Analyzing iOS Applications (Part 1)
CNIT 128 2. Analyzing iOS Applications (Part 1)
 
iOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectioniOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data Protection
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS Consolidated
 

Recently uploaded

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Analyzing Apple iCloud Backups, Find My iPhone, Documents

  • 1. Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage
  • 2. The need for iOS forensics • More than 5 years on the market • 7 iPhones, 5 iPods, 5 iPads • 320+ million iPhones, 280+ million iPods, 120+ million iPads sold worldwide • “Smart devices” – they do carry a lot of sensitive data • Corporate deployments are increasing
  • 3. iOS data protection • Device passcode • Protect unauthorized access to the device • Bypassing is not enough (used in encryption) • Disk encryption • Keychain • System-wide storage for sensitive data (keys, passwords etc) • Data is encrypted
  • 4. iOS forensics • Logical acquisition (iTunes backups) • Physical acquisition • iCloud backups and storage
  • 5. iOS forensics - logical acquisition - logical acquisition • “Ask” device to produce backup • Device must be unlocked (by passcode or iTunes) • Device may produce encrypted backup • Limited amount of information
  • 6. iOS forensics - physical acquisition - physical acquisition •Boot-time exploit to run unsigned code or •Jailbreak •Device lock state isn’t relevant, can bruteforce passcode •Can get all information from the device
  • 7. iOS Data Protection Every iOS device contains secure AES engine with two embedded keys: •GID – shared by all devices of same “family” •UID – unique per device •Newer devices have additional UID+ key There is no known way to extract GID or UID
  • 8. iOS data protection (cont-d) • Content grouped by accessibility requirements: • Available only when device is unlocked • Available after first device unlock (and until power off) • Always available • Each protection class has a master key • Master keys are protected by device key and passcode • Protected master keys form system keybag • New keys created during device restore
  • 9. iOS 4+ passcode • Passcode is used to compute passcode key • Computation is tied to hardware key (UID/UID+) • Same passcode will yield different passcode keys on different devices! • Passcode key is required to unlock most keys from the system keybag • Most files are protected with NSProtectionNone and don’t require a passcode • Most keychain items are protected with ...WhenUnlocked or ...AfterFirstUnlock and require a passcode
  • 10. iOS 4+ passcode (cont-d) • Passcode-to-Key transformation is slow • Offline brute-force currently is not possible • Requires extracting UID/UID+ key • On-device bruteforce is slow • 2 p/s on iPhone 3G, 7 p/s on iPad • System keybag contains hint on password complexity
  • 11. iOS 4+ passcode (cont-d)
  • 12. iOS 5 Keychain • SQLite3 DB, all columns are encrypted Available protection classes • kSecAttrAccessibleWhenUnlocked (+ ...ThisDeviceOnly) • kSecAttrAccessibleAfterFirstUnlock (+ ...ThisDeviceOnly) • kSecAttrAccessibleAlways (+ ...ThisDeviceOnly) • Random key for each item (AES) • Item key is protected with corresponding protection class master key
  • 13. Ios • Only User partition is encrypted • Available protection classes: • NSProtectionNone • NSProtectionComplete • NSFileProtectionCompleteUntilFirstUserAuthentication • NSFileProtectionCompleteUnlessOpen • Per-file random encryption key • File key protected with master key is stored in extended attributes (pretty much like Microsoft EFS) • No protection class - partition key is used • File system metadata and unprotected files • Transparent encryption and decryption (same as pre-iOS 4)
  • 14. iCloud • Introduced in Oct 2011 • Introduced with iOS 5 • Successor to MobileMe, .Mac, iTools • 5 GB free storage • Up to 50 GB paid storage • Over 125 million users in April 2012
  • 19. iCloud backup - what • Messages (including iMessages) • Application data • Device settings • Camera roll (photos and videos) • Visual voicemails • Purchases (music, movies, TV, apps, books) • Home screen arrangement • Ringtones
  • 20. iCloud backup - when • Backup runs daily when device is: • Connected to the Internet over Wi-Fi • Connected to a power source • Locked • Can force backup • [Settings] | [iCloud] | [Storage & Backup] | [Back Up Now]
  • 23. iCloud backup protocol flow • Dynamic: endpoints depend on Apple ID • Built on Google Protocol Buffers (mostly) • Files are split into chunks • Apple provides file-to-chunks mapping, chunk encryption keys, and full request info to 3rd-party storage provider (Amazon/Microsoft) • Encryption key depends on chunk data (deduplication?)
  • 24. iCloud backup protocol flow (cont-d)• /mbs/<personId> • List of backups • /mbs/<personId>/<backupUDID>/getKeys • OTA backup keybag • /mbs/<personId>/<backupUDID>/<snapshotId>/listFiles • File manifest • /mbs/<personId>/<backupUDID>/<snapshotId>/getFiles • File auth tokens • /mbs/<personId>/authorizeGet • Info about containers of chunks for "les (FileGroups)  • Request containers of chunks (FileGroups) • Containers of chunks
  • 25. iCloud encryption • Data stored at 3rd-party storage providers is encrypted • Apple has encryption keys to that data • Few files are further encrypted using keys from OTA backup keybag • Keychain items are encrypted using keys from OTA backup keybag • Need key 0x835 (securityd) to decrypt most keys from OTA backup keybag
  • 26. iCloud backups - summary • There is no user-con"gurable encryption for iCloud backups • iCloud backups are stored in Microsoft and Amazon clouds in encrypted form • Apple holds encryption keys and thus have access to data in iCloud backups • If Apple stores 0x835 keys then it can also have access to Keychain data (i.e. passwords) • Apple may have legal obligations to do this (e.g. LE)
  • 32. Get files from iCloud To get list of files •Authentication request (with given AppleID & password). Client gets mmeAuthToken in return; which, in order, is used to create authentication token (together with dsid). dsid (Destination Signaling IDentifier) is an unique ID assigned to the user when registering at iCloud.com. •Request to get AccountSettings. Client gets an URL (ubiquityUrl) with an address to get UUID (unique user identifier), file list, info on file tokens and for authorization. •Request to get file list (POST). Output (for every file): • file name • file id • parent folder id • last change time • checksum • access rights To download given file •Request to get file token (using file id, checksum and aliasMap). •Authorization request. Returns information on file chunks and containers. Output: container list (with URLs) and chunk information.
  • 34.
  • 36. Possible usage • Backups in iCloud • near-realtime acquisition (SMS, iMessage, mail, call logs) • browse backup data without actual device • download only data of specific type (need further work) • Find My Phone • keep track • using Google Maps (or whatever) • enter/leave some are • 2+ devices • Documents in iCloud • open from 3rd party apps • track changes • download unsupported document data
  • 37. Conclusion • Balance between security, privacy and convenience • iCloud security risks • Use additional encryption • Need further work (contacts, calendar, mode documents, converting documents, partial backup download, decrypting keychain, photo stream, 3rd party apps data: 1Password etc)
  • 38. backups, Find My iPhone, Document Storage Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage CanSecWest 2013 Vladimir Katalov, ElcomSoft Co. Ltd. http://www.elcomsoft.com http://blog.crackpassword.com Facebook: ElcomSoft Twitter: @elcomsoft