Slashdot Mirror


Mining iPhones and iCloud For Data With Forensic Tools

SternisheFan points out an article that walks through the process of grabbing data from iPhones and iCloud using forensic tools thought to have been employed in the recent celebrity photo leak. There are a number of ways to break into these devices and services, depending on what kind of weakness an attacker has found. For example, if the attacker has possession of a target's iPhone, a simple command-line toolkit from Elcomsoft uses a jailbreak to bypass the iPhone's security. A different tool can extract iCloud data given access to a computer that holds a local backup of the phone's data, or to a computer that simply has the iCloud credentials stored.

The discussion also details a method for spoofing device identification to convince iCloud to restore data to a device mimicking the target's phone. The author concludes, "Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device."
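
The "second credential" the author proposes is a passphrase the storage service never learns: the client derives a key from it and encrypts the backup before upload, so an attacker who has only the account password (or a service-side copy of the data) gets ciphertext that fails to decrypt. The following is an added illustration written for this page, not Apple's or Elcomsoft's code; it assumes PBKDF2-HMAC-SHA256 for key derivation and AES-256-GCM for authenticated encryption, with the salt bound as additional data. Iteration count, the salt length and the sample payload are constructed choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen = 16
	keyLen  = 32 // AES-256
)

// pbkdf2SHA256 implements PBKDF2 (RFC 8018, section 5.2) over HMAC-SHA256
// using only the standard library, so the example has no dependencies.
func pbkdf2SHA256(password, salt []byte, iterations, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	blocks := (dkLen + hLen - 1) / hLen
	dk := make([]byte, 0, blocks*hLen)
	var idx [4]byte
	for i := 1; i <= blocks; i++ {
		// U_1 = PRF(P, S || INT(i))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// T_i = U_1 xor U_2 xor ... xor U_c, where U_j = PRF(P, U_{j-1})
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts a backup under a key derived from a passphrase that the
// storage service never sees. Output layout: salt || nonce || ciphertext+tag.
func SealBackup(passphrase string, plaintext []byte, iterations int) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	key := pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen)
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The salt is authenticated as additional data so it cannot be swapped unnoticed.
	out := append(salt, nonce...)
	return aead.Seal(out, nonce, plaintext, salt), nil
}

// OpenBackup reverses SealBackup. A wrong passphrase or any tampering fails
// GCM authentication and yields an error rather than garbage plaintext.
func OpenBackup(passphrase string, blob []byte, iterations int) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("backup blob too short")
	}
	salt, rest := blob[:saltLen], blob[saltLen:]
	key := pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen)
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(rest) < ns+aead.Overhead() {
		return nil, errors.New("backup blob too short")
	}
	return aead.Open(nil, rest[:ns], rest[ns:], salt)
}

func main() {
	// Constructed sample payload standing in for a device backup.
	backup := []byte("constructed sample backup: photos, call history, mailboxes")
	blob, err := SealBackup("separate-backup-passphrase", backup, 100000)
	if err != nil {
		panic(err)
	}
	if _, err := OpenBackup("account-password-only", blob, 100000); err != nil {
		fmt.Println("account password alone cannot decrypt:", err)
	}
	pt, err := OpenBackup("separate-backup-passphrase", blob, 100000)
	fmt.Printf("restored %q (err=%v)\n", pt, err)
}
```

The trade-off Rich0 raises further down applies directly: because the service holds neither the passphrase nor the derived key, losing the passphrase means losing the backup, so a deployable version needs a recovery story (an escrowed recovery key, for instance) that this example deliberately omits.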

14 of 85 comments

  1. Last link suspect by SuperKendall · · Score: 2

    The last link (about spoofing device identification) is really just a generic warning about man in the middle attacks.

    Are there published ways to use a man-in-the-middle against iCloud?

    Also normally the backups only activate when the device is plugged in...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  2. That almost smells like... by geekmux · · Score: 2

    ""Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device."

    I'm sorry, but this smells a lot like common sense and good security practice.

    In other words, it doesn't stand a chance getting past the don't-bother-me-with-security collective we like to call "smart" phone users.

    1. Re:That almost smells like... by gnasher719 · · Score: 2

      You would think that with all the noise they made about their fingerprint reader that they would have an optional two-factor authentication method that uses it in addition to a password. Sure, someone could still get around that too more likely than not, but it makes it a hell of a lot more difficult than just attacking a password or being able to guess it.

      Think about it. I buy an iPhone with fingerprint reader. I store top secret information and back it up on iCloud. Then I drop the iPhone into the toilet and it dies, unrecoverable. I go to the store and hand over the cash for a new iPhone. At that point the backup functionality must work. It can't use the fingerprint of my old iPhone, because the new iPhone doesn't have it. All I have is the Apple ID and password.

      What could work is that you enter say your name and passport number (I mean physical passport number), you go to an Apple Store with your passport, iCloud sends a passcode to the store, and they hand it over to you only if they see the passport and it matches.

    2. Re:That almost smells like... by dex22 · · Score: 2

      Yes, but you do still have the same fingertip. Unless you're worried about the common case of losing your phone and your fingertip at the same time.

    3. Re:That almost smells like... by dex22 · · Score: 2

      If they abstract the fingertip so there's a granular range of maybe 10,000 possibilities, it would have the same security as a 4 digit pin and an attacker would only have a 1:10,000 chance per attempt of hacking the fingerprint. That's within the realm of being anonymous enough to not exclusively identify, yet difficult enough to not easily reproduce. It's also a coarse enough granulation that a person can achieve the same result with their same fingerprint on a new phone.

      It looks like we're in violent agreement ;)

    4. Re:That almost smells like... by gnasher719 · · Score: 2

      Yes, but you do still have the same fingertip. Unless you're worried about the common case of losing your phone and your fingertip at the same time.

      Now you are being stupid. The iPhone doesn't know that it's _my_ fingerprint. It only knows that it's the fingerprint of the person who programmed their fingerprint into the iPhone. So if _I_ can buy a brand new iPhone, program it with my finger print, enter my AppleID and password and perform a restore, then any scammer who knows my AppleID and password can buy a brand new iPhone, program it with his or her finger print, enter my AppleID and password and perform a restore. In other words, this isn't giving any security.

  3. Security vs Recoverability by Rich0 · · Score: 3, Insightful

    Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device.

    I forgot my iPhone password, and those lousy Apple folks refused to reset it for me. They just said some kind of technobabble about encryption and security. Why did they make iPhones harder to use? Isn't Apple supposed to be easy to figure out?

    You can't have it both ways. I encrypt all my sensitive data that I back up to the cloud, but I also keep copies of the key in safe places so that when my house burns down I don't lose access to my offsite backups along with it. I wouldn't expect the average iCloud user to appreciate the need for this, and neither does Apple, so their backups aren't encrypted.

  4. Secondary password... by ByTor-2112 · · Score: 2

    ... would end up being the same as the account password. Or just add a one. Not the answer.

  5. Not true. by gnasher719 · · Score: 2

    The discussion also details a method for spoofing device identification to convince iCloud to restore data to a device mimicking the target's phone.

    I checked the link, and it does no such thing. The article is about fake Wifi hotspots. Such a fake Wifi hotspot could of course cause all kinds of trouble (basically it can read WiFi traffic that you thought was encrypted), but it doesn't allow anyone to convince iCloud of anything.

    1. Re:Not true. by nine-times · · Score: 2

      The article is about fake Wifi hotspots.

      I don't think it was even that simple. I didn't read the article in detail because it seemed dumb, but the author seemed to be talking about spoofing a trusted destination for WiFi iPhone backups.

      So if you set up your iPhone to sync over WiFi, and if you connect to a compromised WiFi network, and *if* that network has a machine that manages to spoof the computer that you sync your iPhone to, the iPhone will sync to that computer instead, which might sync sensitive information.

      That's a very special set of conditions, and it's not clear how you would spoof the computer that's serving as a sync destination.

  6. Re:No no no... by 93 Escort Wagon · · Score: 4, Interesting

    Given the exploit requires the installation of a jailbreak, it's not actually going to work unless you already have the user's security code - the device needs to be unlocked in order to install the jailbreak.

    I do think Apple was a bit disingenuous regarding the "bad passwords" used by celebrities, given the iBrute tool apparently was able to keep trying different passwords against Find My iPhone without any sort of delay - a shortcoming Apple apparently fixed a few days back.

    --
    #DeleteChrome
  7. Re:No no no... by nine-times · · Score: 3, Insightful

    I skimmed the article, so I may have missed something, but the attacks that they're talking about generally entail having physical access to the phone, offline access to the phone's backup, phishing for passwords, or WiFi man-in-the-middle attacks *if* you can manage to spoof a computer that the iPhone trusts.

    Which is to say, these aren't tremendous vulnerabilities on Apple's part. An attacker might be able to pull off a brute-force attack on your encrypted password-protected iPhone backup if they have an offline copy, if the password is weak. Well golly! Everyone better stop using their iPhone right away.

  8. Re:No no no... by nine-times · · Score: 4, Insightful

    I do think Apple was a bit disingenuous regarding the "bad passwords" used by celebrities, given the iBrute tool apparently was able to keep trying different passwords against Find My iPhone without any sort of delay - a shortcoming Apple apparently fixed a few days back.

    First, I don't think that it's known that the accounts were compromised with iBrute. People made the connection because the leak happened shortly after iBrute was announced, but there have been many suggestions that the photos had been acquired months or years before that. That makes it pretty unlikely that the accounts were accessed using iBrute. And Apple seems to deny that the accounts were accessed by exploiting "Find My iPhone".

    Second, their comment about "bad passwords" is valid regardless, and would be valid even if the passwords had been accessed through brute force attacks. Brute force attack mitigation is specifically helpful in protecting accounts with weak passwords. If your password is strong enough, a brute force attack should still take a prohibitively long time to succeed.

    From what I've been reading, it seems most likely that only some of these photos came from compromised iCloud accounts, and those accounts were probably not compromised due to an exploit of iCloud's service. There was just a news story about 5 million Gmail passwords being leaked, but it doesn't seem that it was from an exploit of Google's services either. Most likely, they were all acquired by phishing, or other non-technical attacks.

  9. Apple should answer... by Ronin Developer · · Score: 2

    to the fact that items thought deleted were showing up in the backups. That, to me, is the most disturbing part of this story. Yes, I READ BOTH articles. The second one, as others noted, was focused on WiFi spoofing. The first detailed the use of forensic tools to access the information in the backups.

    Of course, to gain access to any of this information, the author had to have physical access to the phone and jailbreak the device, as well as knowing the iCloud password. And the exploits he discussed were against older hardware and the obsolete iOS 5.1. He had no success against iOS 7 on the iPhone 5s.

    As I stated earlier, knowing that so much still existed AFTER supposedly deleting it (such as mailboxes, pictures, call history) is a real issue and one that needs to be publicly addressed by Apple.