HitB2011AMS: iPhone Data Protection in-Depth
Frank Breedijk
Slides on the HitB Materials page.
This talk is about data security and the iPhone. Almost all iPhone-like devices (excluding the iPad2 for the moment) can boot unsigned code when they are in recovery mode. It is also possible to create a custom RAM disk. These are techniques used by jailbreakers and phone forensics people.
Data in the iPhone is encrypted with either the UID (unique iPhone key) or GID (key unique to each model).
On earlier iPhones (iOS < 4) the UID key was only used to facilitate fast wipe (change the key and the flash can no longer be read); it did not provide data security. The iPhone 4 was designed with data security in mind. Jean and Jean demonstrate the tools they wrote to get around the data protection of iOS 4.
Because the unlock code is used for data security, data can be set to be only available when:
- The phone is unlocked
- After the phone is unlocked for the first time
In iOS 4 there is an escrow key which allows MobileMe and iTunes to access the phone for backup or passcode reset without unlocking the phone.
The first tool that they developed and demonstrated was the keyChainViewer, which can be used to view the contents of the keyChain, but not the keys.
Using the built-in iOS functions (that use the passcode) you can actually brute force the passcode of the phone with a small application on the phone. If you boot the phone from a RAM disk you can do this without knowing the passcode. Using the brute-forced passcode the keyChain can be read and decrypted.
Next, tools were demoed to browse the encrypted filesystem and to decrypt iTunes backup files.
Conclusion of the researchers:
- iOS4 offers far better protection than iOS3
- Mail files (with the exception of Exchange) are protected by the passcode. This offers additional protection, but it can be obtained if you have the phone
About Jean-Baptiste Bédrune
Jean-Baptiste has worked in the Software security R&D team at Sogeti for 4 years. His domains of research include code (un)protection, audit of DRM solutions, applied cryptography, reverse engineering on embedded devices and distributed computing. Jean joined Sogeti in early 2010. His research topics include reverse engineering, embedded devices and smartphone security.
About Jean Sigwald
Jean Sigwald is a security researcher working at the Sogeti ESEC R&D lab. His research is mainly focused on smartphone security and the services offered by network operators.