iPwned: How easy is it to mine Apple services, devices for data?
Apple executives never mentioned the words “iCloud security” during the unveiling of the iPhone 6, iPhone 6+, and Apple Watch yesterday, choosing to focus on the sexier features of the upcoming iOS 8 and its connections to Apple’s iCloud service. But digital safety is certainly on everyone’s mind after the massive iCloud breach that resulted in many celebrity nude photos leaking across the Internet. While the company has promised fixes to both its mobile operating system and cloud storage service in the coming weeks, the perception of Apple’s current security feels iffy at best.
In light of one high profile “hack,” is it fair to primarily blame Apple’s current setup? Is it really that easy to penetrate these defenses?
In the name of security, we did a little testing using family members as guinea pigs. To demonstrate just how much private information on an iPhone can be currently pulled from iCloud and other sources, we enlisted the help of a pair of software tools from Elcomsoft. These tools are essentially professional-level, forensic software used by law enforcement and other organizations to collect data. But to show that an attacker wouldn’t necessarily need that to gain access to phone data, we also used a pair of simpler “hacks,” attacking a family member’s account (again, with permission) by using only an iPhone and iTunes running on a Windows machine.
As things stand right now, a determined attacker will still find plenty of ways to get to iPhone data. They need to gain physical access to the device, or harvest or crack credentials to do so. But there are ways to do this that won’t alert the victim. The weakest links are components of the iCloud service.
A quick word on Apple security
The iCloud thefts were likely aided and abetted either by a weakness in iCloud’s authentication for the “Find My iPhone” application interface or by some clever deduction of passwords or security questions based on data about the targets gleaned from public sources (like, for example, Wikipedia). Sadly iCloud backups, because of their nature, often contain data long gone from a phone itself, or at least data that’s gone from what the phone user can see onscreen.
Again, Apple has a number of security fixes coming. For example, the new tweaks will alert users by e-mail and push message when there’s an attempt to restore a backup from iCloud to a new device, to change a password, or to connect a new device to an iCloud account. While this may not have prevented the celebrity information swipe entirely, it would have at least alerted those being targeted that their accounts were accessed. In addition to these alerts, Apple will also push harder for users to use two-factor authentication in iOS 8—which will cover access to iCloud from mobile devices.
Apple has done a great deal to improve the security of the iPhone and iOS over the past few years. While older devices can still be easily scraped of personal data with forensic tools, newer devices are notably harder to crack. However, the new fixes won’t help every iPhone or iPad user going forward. Users who don’t use two factor authentication (which there’s a three-day waiting period to sign up for) or upgrade to iOS 8 will continue to be easy targets, especially if they don’t react quickly to account alerts.
Cracking a brand new iPhone through the front door is hard. However, there are still a statistically significant number of older devices in circulation,even based on a look at the agent information from Ars’ visitor logs. And many users leave their phone less secure by sticking with the default 4-digit PIN,
iCloud busting, phase 1: With professional tools
It’s important to note that Elcomsoft built its tools without any help from Apple—they’re based entirely on reverse engineering of Apple’s protocols. Elcomsoft is just one of a number of forensic tool vendors that gives investigators the ability to exploit seized smart phones and laptops to extract personal data. Cellebrite, Oxygen Forensics, and AccessData are just a few of the commercial tools vendors that also offer ways to crack iOS devices of varying vintage. Oxygen Forensics offers a free 6-month trial download of its suite to anyone willing to give up their email address. There are also open-source tools, such as the iPhone Backup Analyzer.
In our first assault on iPhone data, we employed that Elcomsoft pair—iOS Forensic Toolkit (EIFT) and Elcomsoft Phone Password Breaker (EPPB). Elcomsoft iOS Forensic toolkit, which we ran on an Apple MacBook Pro, is a command-line tool that uses a jailbreak to give the user the ability to bypass the security of an iOS device. It also allows you to decrypt and download an image of its contents. The tool is available for Windows as well, and it requires a USB “dongle” to operate. (That’s an anti-piracy measure that allows the company to control its distribution.)
EPPB, on the other hand, is a Windows-only tool that uses a standard installation key. It gives users the ability to recover passwords from iPhone phone backups on a PC or to grab the contents of an iPhone backup from an iCloud account. It can also crack BlackBerry passwords, but that’s an experiment for another story.
EPPB requires you to have at least one of the following things:
- The target’s iCloud password—by them volunteering it, through a phishing attack, or by gaining access through other social engineering.
- Access to a computer with iTunes and a local backup of their iPhone.
- Access to a computer with their stored iCloud credentials in a token—either with the phone owner’s credentials or as root. The token, which is stored locally by the iCloud control panel on Windows and by Mac OS X’s built-in iCloud keychain, can be extracted by another Elcomsoft tool, allowing EPPB to act like it’s a device already trusted by iCloud.
First, we tried using EIFT to go after our iPhone 5S. That turned out to be a mistake, as the toolkit depends on a “jailbreak” that doesn’t work on more recent iPhones. Elcomsoft CEO Vladimir Katalov said in an e-mail, “iPhone 5S (as well as iPad Air and iPad Mini with Retina, i.e. all 64-bit devices) are not supported by EIFT yet. We are working on that, but analyzing 64-bit ARM code is a nightmare.” The attempt ended up putting our phone in recovery mode, resulting in an ironic restoration from an iCloud backup.
However, the EIFT attack was super-effective on an old iPhone 4 on the first attempt—largely because the target (my wife) hadn’t updated iOS since version 5.1. We were quickly able to bust the passcode and image the device’s contents as a set of .DMG files on my Mac.
Next, we upgraded the device to the current iOS 7 release and tried again. This time, EIFT stumbled on recovering the passcode for the device, but it was still able to get an image of the contents of the phone’s “user space.” This should serve as a reminder: when trading in or recycling old iPhones, make sure to do the “factory wipe” on data beforehand. Otherwise, someone could be harvesting your data off that old phone.
Next, we shifted tactics away from the iPhones themselves and went after what is currently perceived as the softest target—iCloud backups. Using EPPB, we downloaded the full backup contents of our iCloud account, discovering there were three date-stamped backup images waiting to be plundered for data. Protected only by the iCloud password, EPPB was able to extract these in less time than it takes to restore an iPhone 5S.
We also went after a password-encrypted version of the backup on a local drive using EPPB’s dictionary and brute-force password attacks, cracking the seven-letter password after about two days of hammering the file on an ancient HP dual-Athlon machine. Until recently, the same sort of attacks could be launched (albeit in extreme slow motion) against iCloud without triggering an alert.
Password-guessing and brute-force attacks aren’t the only ways an attacker could get a target’s iCloud credentials. There’s been a recent wave (at least in our e-mail) of Apple iCloud account phishing attacks. While most of these have been pretty obvious (Apple would never allow e-mails with that many typos to go out), a well-thought-out phishing attack could be used to throw a user into a panic—for example, by suggesting that their iCloud account has been compromised.
And since the iCloud backup is only protected by the iCloud password right now, once someone has obtained that password, everything in that backup is wide open. And there’s a lot in that backup.
Your whole digital existence
There are a number of things some people might be surprised to find in the iCloud backups. Among the data found were:
- SQLite databases containing phone call history, SMS and iMessage messages, and voicemail message data (with the number they were from and timestamps for when they were trashed) dating back to the phone’s original purchase. So much for deleting call history.
- A file called “recents” that contained e-mail, Messenger, and SMS addresses with message header data and other information.
- An “accounts” database with all the e-mail, Twitter, and Apple-associated identity accounts we’ve ever held. Some details synced over from accounts closed before the target phone was purchased.
- A file with all “known” Wi-Fi hotspots, with the SSIDs and MAC addresses of every hotspot the phone ever connected to.
- Images, many believed to be long deleted, in three separate photo folders on each backup. All of the images carried the default EXIF data that Apple’s camera app attaches to them: dates taken, GPS latitude, longitude, and altitude. These images, in our oldest iCloud backup, were part of a much older incremental backup that had not been cleared from the cloud, and were found in a duplicate image folder within the DCIM folder of the backup image.
- A file containing Apple Maps addresses searched for.
- Mailbox files for the e-mail accounts used with Apple’s Mail app.
- An address book database with over 1,000 e-mail addresses, phone numbers, Facebook profile links, and other contact data.
That is just what we found sifting around for a few hours aimlessly. It’s clear that anyone targeted by an iCloud account hack hasn’t just had pictures exposed; their entire digital lives have been laid out on display.
iCloud busting phase 2: Budget edition
There have been a lot of theories about how the iCloud attackers managed to “rip” the accounts of targeted celebrities, some of which have included the use of pirated copies of EPPB to do the extraction. There are also ways to do the equivalent of a local attack without being in physical possession of an iOS device, such as an attack over Wi-Fi. As I demonstrated in June, if an iPhone’s Wi-Fi is turned on it can be fooled into connecting to a malicious network by spoofing one of its known networks, such as “attwifi”—networks that it continually seeks with probe requests that can be turned against it.
If an iOS device has been configured for synchronization over Wi-Fi, this can become an even bigger privacy problem, as security researcher Jonathan Zdziarski showed in a paper published in January. Zdziarski wrote that if an attacker were able to retrieve the pairing code from the computer an iPhone or other iOS device was paired with for Wi-Fi synchronization, it would be possible to spoof that computer over Wi-Fi and get the iOS device to perform a backup. This and other gaps in iOS security have been patched in iOS 8, Zdziarski noted in a blog post yesterday.
But there are much less sophisticated ways to get to an iCloud user’s data. To name two—by restoring backed-up data to another iOS device that you have access to or by connecting a computer to the target iCloud account.
The iCloud restore feature essentially allows an attacker to create a clone of the victim’s device (at least, within the storage limits of the device being used). This will give the attacker access to many of the details that a deeper forensic attack would have: some recent call history, Messenger history, photos, and access to some of the target’s applications. The backup could even give access to the target’s Twitter account when restored to a device, through stored credentials.
The iCloud Control Panel for Windows could be used, for example, on a virtual machine to create what amounts to an image of all of a target’s iCloud-synced data. If the target is syncing contacts, images, and browser bookmarks, these can all be pulled directly to a PC or exported from the iCloud Web interface using the victim’s credentials. For example, the victim’s entire contact list could be exported as vCards, allowing the attacker to farm for more victims wholesale.
Even creepier, the iCloud access also gives the attacker the ability to stalk the victim in real-time by using the Find My iPhone feature. If the phone is turned on and Find My iPhone was configured, the attacker can use the feature just as the owner would (of course, odds are that it’s on the owner’s person). We were able to identify the location of family members in this way as soon as the target phone was turned on.
None of this is particularly high-tech. And it’s well within the threshold of pain for a mildly technically literate, very obsessed attacker. Given enough time, research, and effort—or a few hundred dollars, a botnet rental, and a well-crafted phishing e-mail—just about anyone could gain access to at least one high-profile target’s iCloud account. And that can be used as the first step to getting access to others.
Are Apple’s pending fixes enough?
Apple CEO Tim Cook told The Wall Street Journal that in two weeks, Apple would roll out those security fixes mentioned above. But the changes by themselves aren’t going to deter the sort of attackers that have gone after high-profile targets for years.
Adding two-factor authentication protection to more of iCloud’s features—including the backup, which would likely require use of the account’s lengthy recovery key—will improve iCloud’s security significantly. But it will only really be effective if Apple can get users to adopt it. Since it requires users to actually do something (and something that they currently can’t complete in one sitting), the rate of adoption for two-factor authentication is likely to remain low for some time regardless of how quickly people buy new devices and upgrade to iOS 8.
Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device. That would at least give backups the same level of protection that they get when stored locally with encryption (already an option in iTunes).
And two-factor authentication would be a lot more secure if it gave an option other than typing in a lengthy recovery key when a device isn’t present. A physical authentication key or even a fingerprint scan would be much more user-friendly than a typed recovery key or a four-digit key sent by SMS.
These measures will not mean that the police, the FBI, or the NSA couldn’t get to your iPhone data if they had a need to. The fixes won’t stop a determined attacker from finding other ways to compromise a user’s devices to gain access to information. But these tweaks raise the level of effort required enough to deter casual attacks, and they will hopefully raise people’s awareness to attacks in progress early enough to react. Simply put, that may be the best Apple (or anyone) can do right now.