SecurIMAG iOS data protection1 - 1inspired by the ...€¦ · IntroductionData protectionStorage...

Introduction Data protection Storage Encryption Attacks & Counter Measures Demo Conclusion

SECURIMAGIOS DATA PROTECTION1

Albin [email protected]

Grenoble INP – Ensimag

1 inspired by the presentation : iPhone data protection in depth by Jean-Baptiste BÉ-DRUNE (Sogeti) and Jean SIGWALD (ESEC)

Albin PETIT iOS data protection September 27th, 2012 – 1 / 35


INTRODUCTION (1)

WHAT ARE DATA ?� Text� Photo� Credentials

� Preferences� Others

WHERE ARE DATA ?� On the device� On a backup

� In transit� On iCloud



INTRODUCTION (2)

iOS PROTECTIONS� Passcode: Prevents casual device access� Privilege Separation and Sanboxing: Limits access to system orother app data if local app compromised� Code Signing: Only code of approved origins can execute� Remote Wipe: Erase all data if phone is lost� Encrypted Storage: Fast Remote Wipe� Encrypted Backups: Protects data off the device� Data Protection: Protects user’s data when the device is locked



AGENDA

1 Data protectionFile protectionKeychainKeybags

2 Storage EncryptioniOS storageiTunes Backup

3 Attacks & Counter MeasuresSteal an iOS deviceEscrow KeybagSteal a backup folderBruteforce attackKeychain attack v1Keychain attack v2

4 Demo



AGENDA




4 Demo



DATA PROTECTION

OBJECTIVES� Protect data at rest� Encrypted data protected by user’s passcode

HOW IS IT WORKED ?� Protection classes for files and keychain items� Master keys for protection classes stored encrypted in a keybag� Different data availability



HOW IS A FILE ENCRYPTED ?

Class KeyFile Key

File Meta Data

Device Key

User Pass-code Key

File System Key

File Key : randomly generated for every file that get created

Class Key : randomly generated when a class is established




Class Key

File Key

File Meta Data

Device Key

User Pass-code Key

File System Key






Class KeyFile Key

File Meta Data

Device Key

User Pass-code Key

File System Key





FILE SYSTEM PROTECTION

Class Key 2Class Key 1 Class Key 3

Device KeyUser Pass-code Key

File Key 1

Meta Data

File Key 2

Meta Data

File Key 3

Meta Data

File Key 4

Meta Data

File Key 5

Meta Data

File Key 6

Meta Data



CLASS KEYS FOR FILES

Availability File Data Protection

When unlocked NSFileProtectionComplete

While locked NSFileProtectionCompleteUnlessOpen

After first unlock NSFileProtectionCompleteUntilFirstUserAuthentication

Always NSFileProtectionNone



KEYCHAIN

A SQLITE DATABASE CONTAINING� Passwords� Sensitive information

HOW IT WORKS ?� Encrypted with AES 128� Every application have its own set of keychain items BUT a keychainitems can be shared between apps from the same developer� Keychain items are restricted by class keys



CLASS KEYS FOR THE KEYCHAIN

Availability Keychain Data Protection

When unlocked kSecAttrAccessibleWhenUnlocked

kSecAttrAccessibleWhenUnlockedThisDeviceOnly

While locked N/A

After first unlock kSecAttrAccessibleAfterFirstUnlock

kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly

Always kSecAttrAccessibleAlways

kSecAttrAccessibleAlwaysThisDeviceOnly



EXAMPLE OF USES

Item Keychain Data Protection

Wi-Fi passwords kSecAttrAccessibleAfterFirstUnlock

IMAP/POP accounts kSecAttrAccessibleAfterFirstUnlock

Exchange accounts kSecAttrAccessibleAfterFirstUnlock

Safari passwords kSecAttrAccessibleWhenUnlocked

iTunes backup passwords kSecAttrAccessibleWhenUnlockedThisDeviceOnly

iCloud certificates kSecAttrAccessibleAlwaysThisDeviceOnly



KEYBAGS (1)

� Collection of Class Keys� 4 types of keybags

� System keybag� Backup keybag� Escrow keybag� iCloud Backup keybag



KEYBAGS (2)

SYSTEM KEYBAG� Stored on the device (/private/var/keybags/systembag.kb)� Binary plist AES encrypted� The key is changed each time the user changes the passcode

ESCROW KEYBAG� Used by iTunes syncing & Mobile Device Management� Contains all the class keys used on the device� Stored on the synchronized computer� Allow backup and syncing without entering passcode� Encrypted by a random key

� Key stored on device (NSFileProtectionCompleteUntilFirstUserAuthentication)



KEYBAGS (3)

BACKUP KEYBAG� Created for each encrypted backup� Holds random class keys for data in the backup� Class keys are protected with a derived passcode computes from abackup password entered by user (10,000 iterations of PBKDF2)

ICLOUD BACKUP KEYBAG� Similar to the Backup Keybag� Encrypted data is read from the device and sent to iCloud� Corresponding class keys are protected by iCloud keys



SYSTEM KEYBAG UNLOCK

Passcode

Keybag IV

Wrapped class key

KDF

Key 0x835

Passcode key

AESunwrap

AESdecrypt

Class key

UID key

wrapped with passcode keyencrypted with the 0x835

encrypted with the 0x835

integrity check fail=> wrong passcode



AGENDA




4 Demo



IOS STORAGE

DISK PARTITIONING� Boot: Low Level Bootloader� Plog: Effaceable area� Nvrm: Environments variables� Firm: iBoot, device tree and boot logos� Fsys: Filesystem partition

bootblock 0boot

block 0plog

block 1plog

block 1nvrm

blocks 2-7nvrm

blocks 2-7�rm

blocks 8-15�rm

blocks 8-15fsys

blocks 16-4084fsys

blocks 16-4084reserved

blocks 4085-4100reserved

blocks 4085-4100

Figure : 16 Gb iPhone 4 NAND layout



PLOG PARTITION (3 ERASABLE LOCKERS)

EMF!� Data partition encryption key, encrypted with key 0x89B� Format : Length (0x20) + AES(key89B, emfkey)

DKEY� NSProtectionNone Class key, wrapped with key 0x835� Allow to unwrap the System Keybag

BAG1� System Keybag Key� Format : Magic (BAG1) + IV + Key� Allow to decrypt systembag.kb� Erased at each passcode change



IOS 3 KEY HIERACHY

UID

Key 0x89B Key 0x835

DecryptEMF!

EMF Key

DecryptData partition Keychain-2.db

DecryptSaved

password



IOS 4 KEY HIERACHY

PasscodeIV

KDF

Passcode Key

Unlock

System Keybag(unlocked)

UID Key

Key 0x835Key 0x89B

Class A Key

Class B Key

Class C Key

Class D Key

Class Key. . .

Class Key

Decryptsystembag.kgNSFileProtectionNone

BAG1

Dkey

EMF!

Decrypt

EMF KeyUnwrap

Data partition

systembag.kgcprotect attr

Unwrap

EffaceableStorage System Keybag (locked)



ITUNES BACKUP (1)

BACKUP STORAGE� One directory per backup� %APPDATA%/Apple Computer/MobileSync/Backup/<udid>� Can be protected by a password

HOW DOES IT WORK ?� File content is AES-256 encrypted (if encrypted option is chosen in iTunes)

� Password is entered by user� Filenames are hashed (SHA1)� A database contains all information (eg: filenames, size, permissions,attributes)



ITUNES BACKUP (2)



AGENDA




4 Demo



CONSULT AN IOS DEVICE

ATTACK� Consult an iOS device not password protected

COUNTER-MEASURES� Set a password� Erase data after n invalid passcode attempts

� Erase Dkey and EMF� Reformat data partition� Generate new system key bag

� Use Find My iPhone to :� Use location services to find it� Erase data (as already mentioned)



BACKUP

ATTACK� Extract a backup and get access to all the data of the device

COUNTER-MEASURES� Encrypt your backup on iTunes� Don’t give access to your computer (and consequently your backup)



ESCROW KEYBAG

ATTACK� Make a Backup without enter the passcode and put it back to theiPhone

COUNTER-MEASURES� Don’t give access to your computer� Switch off your iOS device when it’s possible



BRUTEFORCE ATTACK

ATTACK� Try all 4-digit passcodes in root access

COUNTER-MEASURES� Set an arbitrary complex passcode by turning off the simplepassword� Use a configuration profiles to force data protection

� Require password length and complexity� Require maximum password grace



KEYCHAIN ATTACK V1

ATTACK� Decrypt the keychain from the backup with the 0x835 key computeson the device

COUNTER-MEASURES� Set an arbitrary complex passcode



KEYCHAIN ATTACK V2

ATTACK� Access to the keychain items changing the keychain access groupof the applications

COUNTER-MEASURES� Don’t jailbreak your iOS device



AGENDA




4 Demo



DEMO



SUMMARY

A COMPLEX SECURITY� Data encryption on the iOS device� Different level of availability

BUT THIS PROTECTION CAN BE COMPROMISED IF :� No passcode set� Wrong use of class keys (NSProtectionComplete vs NSProtectionNone)� Sensitive information not saved in the keychain� BootROM vulnerability (≤ iPhone 4 & iPad 1)



QUESTIONS

?Albin PETIT iOS data protection September 27th, 2012 – 34 / 35


REFERENCES

TALKS� SSTIC 2012: Forensic iOS (2012) - Jean-Baptiste BEDRUNE & Jean SIGWALD� iPhone data protection in depth (2011) - Jean-Baptiste BEDRUNE & Jean SIGWALD� iOS Forensics: Overcoming iPhone Data Protection (09/2011) - Andrey Belenko� Overcoming iOS data protection to re-enable iPhone forensics (2011) - Andrey BELENKO

VIDEOS� Apple WWDC 2010, Session 209 - Securing Application Data� Apple WWDC 2012, Session 714 - Protecting the User’s Data

PAPERS� iOS Security (05/2012) - Apple� iOS Keychain Weakness FAQ (02/2012) - Jens Heider, Matthias Boll� Lost iPhone? Lost Passwords! (02/2011) - Jens Heider, Matthias Boll� Overcoming iOS data protection to re-enable iPhone forensics (2011)- Andrey BELENKO

WEBSITE� http://www.securitylearn.net/category/iphone/


https://www.sstic.org/media/SSTIC2012/SSTIC-actes/forensicsios/SSTIC2012-Slides-forensicsios-sigwald_bedrune.pdf

http://esec-lab.sogeti.com/dotclear/public/publications/11-hitbamsterdam-iphonedataprotection.pdf

http://www.slideshare.net/andrey.belenko/ios-forensics-overcoming-iphone-data-protection

https://media.blackhat.com/bh-us-11/Belenko/BH_US_11_Belenko_iOS_Forensics_Slides.pdf

http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf

http://sit.sit.fraunhofer.de/studies/en/sc-iphone-passwords-faq.pdf

http://sit.sit.fraunhofer.de/studies/en/sc-iphone-passwords.pdf

https://media.blackhat.com/bh-us-11/Belenko/BH_US_11_Belenko_iOS_Forensics_WP.pdf

http://www.securitylearn.net/category/iphone/

SecurIMAG iOS data protection1 - 1inspired by the ...€¦ · IntroductionData protectionStorage...

Documents

Transcript of SecurIMAG iOS data protection1 - 1inspired by the ...€¦ · IntroductionData protectionStorage...