iOS 4 Hardware Encryption Cracked By Forensics Firm - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


iOS 4 Hardware Encryption Cracked By Forensics Firm

The iPhone 4 is at risk, but the forensics tool will only be sold to law enforcement, intelligence agencies, and forensics investigators.

Slideshow: Apple iPhone 4, A True Teardown
Slideshow: Apple iPhone 4, A True Teardown
(click for larger image and for full slideshow)
Russian digital forensics toolmaker Elcomsoft said that it's the first forensics company to have successfully cracked the data security scheme of the iPhone 4. What that means is that digital forensic investigators will be able to circumvent, in many cases, the hardware-based encryption introduced by Apple with iOS 4.

Elcomsoft, however, said that its related tool for cracking iPhone 4 encryption, released Monday, will only be made available to law enforcement agencies, intelligence agencies, and professional forensic investigators.

Why the one-year lag between the first release of iOS 4, and tools able to retrieve data from such devices? According to a blog post from Elcomsoft CEO Vladimir Katalov, his company "found a way to decrypt bit-to-bit images of iOS 4 devices. Decrypted images are perfectly usable, and can be analyzed with forensic tools such as Guidance EnCase or AccessData FTK--or any other tool which supports raw drive images and HFS+ file system."

Before iOS 4, he said, it was relatively easy to recover data from Apple iPhone, iPod Touch, and iPad devices by taking a bit-level snapshot of the devices' file system--akin to making a disk image or converting a DVD into an ISO file. But with iOS 4, Apple introduced hardware-based encryption, meaning that even though the file system can still be recovered, it's useless without knowing the encryption key.

To successfully extract data off of a device, an investigator must also have physical access to it until the data is decrypted. "Decryption is not possible without having access to the actual device because we need to obtain the encryption keys that are stored in (or computed by) the device and are not dumped or stored during typical physical acquisition," said Katalov.

The information that can be recovered from an iOS 4 device is limited, however, unless a forensic investigator (or attacker) recovers the passcode for the device. Accordingly, one of the best ways to protect an iOS 4 device is to disable its "simple password" setting and to use a long, complex password that can't be guessed via dictionary attacks, since this makes it extremely difficult or even impossible to brute-force the password.

Interestingly, Elcomsoft's announcement parallels the release of new research that details iOS 4 data security protections. Security researchers Jean-Baptiste Bedrune and Jean Sigwald, who work at IT services company Sogeti, last week presented a paper at the Hack In The Box conference in Amsterdam that details security changes to iOS 4, as well as how to crack them.

They also released free tools to create a copy of the RAM disk for forensic purposes, decrypt iTunes backups (slowly, they said), and to brute-force simple passwords that contain four digits or fewer, in 20 minutes or less.

According to the researchers' presentation overview, "using the built-in iOS functions--that use the passcode--you can actually brute-force the passcode of the phone with a small application on the phone. If you boot the phone from a RAM disk you can do this without knowing the passcode. Using the brute-forced passcode, the Keychain can be read and decrypted."

Andrey Belenko, a security researcher at Elcomsoft, said his company's research occurred separately from the Sogeti researchers' investigations. "We did our research on our own," he said in a blog post. In addition, "our set of tools uses [a] somewhat different approach, which we believe allows for greater flexibility and compatibility."

Innovative IT shops are turning the mobile device management challenge into a business opportunity--and showing that we can help people be more connected and collaborative, regardless of location. Read the new report from InformationWeek Analytics. Download it now. (Free registration required.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The Best Way to Get Started with Data Analytics
John Edwards, Technology Journalist & Author,  7/8/2020
10 Cyberattacks on the Rise During the Pandemic
Cynthia Harvey, Freelance Journalist, InformationWeek,  6/24/2020
IT Trade Shows Go Virtual: Your 2020 List of Events
Jessica Davis, Senior Editor, Enterprise Apps,  5/29/2020
White Papers
Register for InformationWeek Newsletters
The State of IT & Cybersecurity Operations 2020
The State of IT & Cybersecurity Operations 2020
Download this report from InformationWeek, in partnership with Dark Reading, to learn more about how today's IT operations teams work with cybersecurity operations, what technologies they are using, and how they communicate and share responsibility--or create risk by failing to do so. Get it now!
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
Flash Poll