Forensics at BlackHat2011: iOS Password Decryption Method Revealed
“Overcoming iOS Data Protection to Re-Enable iPhone Forensics” was the title of Mr. Andrey Belenko of ElcomSoft talk today at BlackHat2011.
Mr. Belenko and Dmitry Sklyarov (if you don’t know about Sklyarov and his arrest at DefCon in 2001 for his work on AdobePDF security, read this), conducted research into overcoming the encryption in iOS devices. There are a number of technical barriers in extracting information from a password protected iOS device. Although earlier versions of iOS (pre 3GS) had data protection methods that are generally considered very weak, newer versions of the iOS have stronger encryption deployed. Many digital forensic examiners have hit a wall when try to acquire digital forensic from password protected iOS devices.
That’s where ElcomSoft has stepped in. Mr Belenko’s work focused on levering the iOS device itself to brute force the device password. As it turns out, the OS itself reveals password length and strength in clear text. For example, the device reveals in clear text, that the password is four characters long and only contains numbers. And since most users want a short PIN on their device, this pre-attack analysis by the ElcomSoft tool narrows down the scope of any brute force software effort. There are a number of smart techniques like this that the ElcomSoft team used in developing this tool.
A demonstration of the tool given to The CyberJungle after the talk. The CyberJungle entered in a the PIN 4111, but Vladimir Katalov, ElcomSoft’s CEO did not see us enter in that PIN . Mr. Katalov was able to crack the iPhone 4G in a few minutes. The PIN was revealed, along with passwords to the user’s Amazon account, email accounts, and other data secured by the devices so-called keybag. Mr. Katalov told the CyberJungle that the tool will dd “image” the device after breaking the PIN. According to Mr. Katalov, while other tools will image iOS devices, his team has the only tool that will both crack the PIN and image the device for analysis.
According to Mr. Katalov the software will work on 4G, iPad1 and iPod. The lack of iPad2 support is due to the lack of software signatures by Apple, not a limitation on the technical abilities of the software.
Find out more about the Elcomsoft iOS Forensic Toolkit. Look for a CyberJungle audio interview with a member of the ElcomSoft team in this section (Conference Notes) of CyberJungle Radio.