Protecting iPhone backups
Today I want to talk about little-known features of iOS related to the protection of backups, bypassing this protection (recursion) and protection against bypassing protection (double recursion). The cherry on the cake will be a short instruction that allows you to bypass protection from the backup protection bypass (for example, third-order recursion), as well as recommendations that will help protect against bypassing the protection from backup protection bypass (excellent, fourth-order recursion - I think earned a medal!).
IOS backup system - truly out of competition. We saw something similar in terms of local backups in BlackBerry 10, but this system is dead, and BlackBerry never got to the cloud. (By the way, in BlackBerry 10 OS backups were always encrypted, and the key was always stored in the cloud - either in the BlackBerry user ID, or on the corporate network). It was pretty decent to back up to the “cloud” and in Windows Phone 8.1, as well as in Windows 10 Mobile - but these systems are now dead, and there have never been local backups in them.
The only competitor to iOS is the Android system, the backups of which are created exclusively in the cloud (we will ignore the adb backup command: there is even less data actually saved by this command than it gets into the cloud). Yes, certain tricks will help to get more data out, but backups in Android are far from ideal.
As part of this article, we are primarily interested in local backups; I wrote about their content on our blog earlier. They can be created, for example, in the iTunes application, but not only in it: there are many third-party applications (including our own iOS Forensic Toolkit) that, when connected to the iPhone, will create a backup copy of it. By the way, using Toolkit, a backup can sometimes be pulled out of the phone even when the screen is locked and the lock code is unknown (lockdown files are used for this).
A backup copy is a convenient, universal and very simple way to extract a fresh copy of data from a well-protected (and, by the way, encrypted) storage device. Almost all the most interesting things fall into the backups: both the data of most applications, and logins with passwords that the user saved in the Safari browser and third-party applications, and passwords for Wi-Fi, and clock backups, and data on user activity (steps, heartbeat at a given point in time). Fall into backups and many other things vital to the investigation of crimes.
Why do I need a backup if the lock code is known?
We are often asked the question (to be precise in the wording, they “claim”): if the lock code is already known, then why do we need a backup copy? Can I see everything on the iPhone itself?
No, not all. Even if the lock code is known, not all interesting data can be viewed on the iPhone itself. IPhone backs up a lot of data in backups, even beyond the user's will. The user may not even know that this data exists! This applies, for example, to the history of the Safari browser - on the phone itself or in iCloud, you can view the history for the last 30 days, and the entire history for the entire time you use the phone falls into the backup (if the user did not manually clear the history). By the way, exactly the same applies to the call history: in the Phone application it is visible only for the last 30 days, and information about all calls is saved in the backup copy. This alone is enough for law enforcement to hunt for backups, but that’s not all. The user can delete part of the messages in the instant messaging program - and you will not see them on the device screen; at the same time, a database in SQLite format can contain deleted records for a long time - until the procedure for periodic garbage collection is started. Important things are analysis, search, export of data, including deleted data (the first police request is “where was the user at such and such a time”, try to answer this question with interest, having your own phone in your hands and detect how much it will take time, and analyzing the data from the backup will give an answer in a second.) There are also little things - for example, the date the contact was added or the date the event was created on the calendar that are not visible in the user interface.
At the same time, in the hands of the attacker, the backup turns into a weapon against the user. Logins and passwords from the Keychain allow you to “hijack” accounts, gain access to the correspondence and money of the user. To prevent this, Apple allows the user to set a password for backups.
If a password is set, the entire backup will be encrypted with a strong key, which is generated based on the password. Encryption takes place inside the device; if a password is set, then unencrypted data simply does not leave the phone. Accordingly, no matter what backup program you use, the result will be the same: encrypted backup.
Encryption of local backups in relatively newer versions of iOS (10.2 and newer) is so strong that even using hardware acceleration with the Nvidia GTX 1080 GPU, we were unable to get the search speed of more than a hundred passwords per second. Accordingly, a frontal attack is useless even if a simple password of only 7 characters is used (average for the hospital). However, even if you have a strong encryption password from your phone, you can extract photos and media files if you know the passcode or have a lockdown.
In iOS 10.2 and up to the release of iOS 11, a long and complicated backup password was an absolute protection; there was no way to delete or change the password without first entering the old one, in older versions of the system did not exist. In iOS 11, the situation has changed.
I already wrote about what can be done in iOS 11, 12 and 13 using a lock code. Among many other things, in these versions of iOS, a screen lock code can be used to reset the backup password. Now, if an attacker finds out the screen lock code, he can reset the password to a local backup, connect the phone to the computer and extract all the data, and also decrypt all passwords from the keychain.
The Apple website provides detailed instructions on how to proceed to reset the password for the backup:
In iOS 11 or later, you can create an encrypted backup of your device by resetting your password. To do this, follow these steps:
On a device with iOS 10 or earlier, password reset is not possible.
The ease with which an attacker can bypass your most complex and long password by just entering a screen lock code is unpleasantly amazing. However, you can try to protect yourself from this scourge. The protection mechanism here will be Parental Control Restrictions (iOS 11) or Screen Time Password (iOS 12 and 13). For simplicity, I will describe exactly iOS 12.
Let's say your iPhone fell into the hands of an attacker. Suppose an attacker managed to spy your lock code; Now he is trying to untie the phone from the cloud, and at the same time merge a copy of the data, gaining access to passwords from the Keychain. You can protect yourself from such a development of events with the help of the Screen Time password. You can read more about the possibilities of controlling Screen time in the Apple article Using parental control on iPhone, iPad and iPod touch devices . We are now interested in another possibility of this system: to protect the phone from resetting the password for backup.
Oddly enough, restricting the ability to reset the password for a local iOS backup is quite simple: all you need to do is set the Screen Time password as such. The complexity of this password is small: the only available option is a 4-digit PIN code. Nevertheless, such protection is generally quite reliable. Since this password is used very rarely and differs from the device lock code, it cannot be accidentally spied. This code is needed in extremely rare cases when you want to change the settings or disable restrictions. You can set a random code by writing it on a piece of paper left at home - and it will be completely safe.
What happens if I try to reset my password for backup now? At the first step, there are no differences: the system will ask for the device lock password. But right after that, an additional 4-digit Screen Time password will be requested. This security measure is quite capable of not only repelling the curious, but also protecting the iPhone from quite serious hacking attempts.
The screen time password is stored on the device itself. It is impossible to pick it up in a reasonable time: a small space of 10,000 combinations is protected by progressive delays between input attempts. After several unsuccessful attempts, the system will limit the speed of enumerating passwords of Screen time by introducing progressive delays of 1, 5, 15, and 60 minutes. After 10 unsuccessful attempts, each subsequent attempt can be made no earlier than an hour after the previous one; rebooting the device will not help speed up the process. Thus, all 10,000 combinations can be sorted out in 416 days.
However, there are more interesting ways. I’ll make a reservation right away: the first one works only when the password for the backup copy is not set or known, and the second one if you can jailbreak the iPhone (that is, the iOS version on it is no newer than iOS 12.2). For the iPhone with an unknown password for the backup running on the latest version of iOS (today it is 12.4) there is no working way to find out the password of the Screen Time (for now).
Method 1: Extract from Backup
In iOS 7-11, this password (called the Restrictions there) is stored as a hash. The algorithm is relatively robust (pbkdf2-hmac-sha1, but the number of iterations is relatively small). Given that this password always consists of only 4 digits, a complete search of the hash on the computer takes several seconds. The hash itself is stored in the file com.apple.restrictionspassword.plist, which gets into the backup. Accordingly, the Restrictions password can be opened if we have (one of):
In iOS 12 (here it is the password of the Screen Time, or Screen Time) is stored in the clear. No, security didn’t get any worse: the password was moved to the Keychain. Nevertheless, the protection class for the password for Screen Time was assigned a minimum: it is not tied to the device. The minimum protection class is assigned intentionally. This is done so that when restoring a new iPhone from backup, the Screen Time password is set automatically (thus Apple closed the potential to remove the Screen Time password by creating a backup, resetting the device and then restoring from the backup). Keychain records with higher protection classes do not end up in backups or end up, but are protected by the device’s hardware key (that is, they can only be restored to the same device).
To get the screen time password, you need:
Method 2: via jailbreak
Obviously, the first method will work only when the password for the backup is not set or known. If the password for the backup is set, but it is not known, then the only remaining way to find out the password of the Screen Time is to get access to the Keychain. For older versions of iOS, you need a copy of the file system.
For iOS 7-11 you need:
For iOS 12:
Do I need to do this? I’m not sure: if you managed to install a jailbreak, then, firstly, all passwords can be extracted without a middleman in the form of a backup. Secondly, you can find out the password for the backup by decrypting the Keychain: the password for the backup (just like the password for the Screen Time) is stored there in the clear. However, if the goal is to remove the limitations of Screen time, then this approach is quite suitable.
One more thing
Interestingly, the Screen Time password is also stored in the iCloud cloud, but only if you enable two-factor authentication and activate the Screen Time option “Share across devices”. The key itself does not fall into the Cloud keychain, but is stored separately (approximately in the same form as the key to restore access to encrypted FileVault 2 volumes). There are currently no mechanisms to extract it from iCloud and view it. We are working on it; In the fall, it is planned to release the latest version of Elcomsoft Phone Breaker, which will have this capability (if nothing changes in the storage mechanism with the release of iOS 13; there is such a possibility: iOS 13 has already changed the storage location for this password).
In any case, to pull out the Screen Time password from iCloud, you will need all of the following:
But we did not check the scenario with resetting the device and then restoring it from the “cloud” backup, so I can’t say for sure whether the Screen Time password is activated if I create a backup in iCloud, reset the iPhone and recover from the cloud. Moreover, the system can behave differently in cases where the same iPhone or new device is restored from the backup.
So we come to the last point. If your goal is to secure the device as much as possible, then it is in your interests to make sure that the Screen Time password is neither reset nor recognizable. As in the previous part, I have two news: good and bad.
The good news is that protecting the Screen Time password from an average person and even a professional cracker is quite simple: just set a long and strong password for a backup copy, and then just keep the device up to date by installing the latest versions of iOS right after they exit. Jailbreaks for new versions of iOS do not come out right away. Sometimes months elapse between the release of an iOS update and the appearance of a workable jailbreak for it.
You can be afraid of the scenario when a stolen device (with a blocking code known to an attacker) is put on a shelf waiting for a jailbreak to appear. Here, however, the standard “Erase [device]” made in the Find my iPhone portal can help. The fact is that to install the jailbreak you must first sign the IPA file, and then confirm the digital signature directly on the iPhone itself. The digital signature is verified on the Apple server; that is, the attacker will have to allow the stolen iPhone to go online. At this moment, the command to erase the device will most likely work.
Attackers can solve this problem using special router configurations, in which access to the nodes responsible for the Find My iPhone functionality will be denied. In addition, instead of the usual certificate, they can use a developer certificate to sign the jailbreak, which does not require iPhone to go online to confirm the digital signature.
The bad news is that no matter how hard you try, you won’t be able to protect your iPhone from access via GrayKey or UFED Premium systems: their developers were able to bypass most of the iPhone’s security mechanisms. If the screen lock code is known, then users of these complexes will be able to access the file system and decrypt the Keychain without any problems. On the other hand, these complexes are available only to law enforcement agencies, and by no means in any country (for example, they are not supplied to Russia). Getting them in the hands of attackers is practically impossible. Thus, you are unlikely to be exposed to this danger.
Backup protection: while everything is simple
IOS backup system - truly out of competition. We saw something similar in terms of local backups in BlackBerry 10, but this system is dead, and BlackBerry never got to the cloud. (By the way, in BlackBerry 10 OS backups were always encrypted, and the key was always stored in the cloud - either in the BlackBerry user ID, or on the corporate network). It was pretty decent to back up to the “cloud” and in Windows Phone 8.1, as well as in Windows 10 Mobile - but these systems are now dead, and there have never been local backups in them.
The only competitor to iOS is the Android system, the backups of which are created exclusively in the cloud (we will ignore the adb backup command: there is even less data actually saved by this command than it gets into the cloud). Yes, certain tricks will help to get more data out, but backups in Android are far from ideal.
As part of this article, we are primarily interested in local backups; I wrote about their content on our blog earlier. They can be created, for example, in the iTunes application, but not only in it: there are many third-party applications (including our own iOS Forensic Toolkit) that, when connected to the iPhone, will create a backup copy of it. By the way, using Toolkit, a backup can sometimes be pulled out of the phone even when the screen is locked and the lock code is unknown (lockdown files are used for this).
A backup copy is a convenient, universal and very simple way to extract a fresh copy of data from a well-protected (and, by the way, encrypted) storage device. Almost all the most interesting things fall into the backups: both the data of most applications, and logins with passwords that the user saved in the Safari browser and third-party applications, and passwords for Wi-Fi, and clock backups, and data on user activity (steps, heartbeat at a given point in time). Fall into backups and many other things vital to the investigation of crimes.
Why do I need a backup if the lock code is known?
We are often asked the question (to be precise in the wording, they “claim”): if the lock code is already known, then why do we need a backup copy? Can I see everything on the iPhone itself?
No, not all. Even if the lock code is known, not all interesting data can be viewed on the iPhone itself. IPhone backs up a lot of data in backups, even beyond the user's will. The user may not even know that this data exists! This applies, for example, to the history of the Safari browser - on the phone itself or in iCloud, you can view the history for the last 30 days, and the entire history for the entire time you use the phone falls into the backup (if the user did not manually clear the history). By the way, exactly the same applies to the call history: in the Phone application it is visible only for the last 30 days, and information about all calls is saved in the backup copy. This alone is enough for law enforcement to hunt for backups, but that’s not all. The user can delete part of the messages in the instant messaging program - and you will not see them on the device screen; at the same time, a database in SQLite format can contain deleted records for a long time - until the procedure for periodic garbage collection is started. Important things are analysis, search, export of data, including deleted data (the first police request is “where was the user at such and such a time”, try to answer this question with interest, having your own phone in your hands and detect how much it will take time, and analyzing the data from the backup will give an answer in a second.) There are also little things - for example, the date the contact was added or the date the event was created on the calendar that are not visible in the user interface.
At the same time, in the hands of the attacker, the backup turns into a weapon against the user. Logins and passwords from the Keychain allow you to “hijack” accounts, gain access to the correspondence and money of the user. To prevent this, Apple allows the user to set a password for backups.
If a password is set, the entire backup will be encrypted with a strong key, which is generated based on the password. Encryption takes place inside the device; if a password is set, then unencrypted data simply does not leave the phone. Accordingly, no matter what backup program you use, the result will be the same: encrypted backup.
Encryption of local backups in relatively newer versions of iOS (10.2 and newer) is so strong that even using hardware acceleration with the Nvidia GTX 1080 GPU, we were unable to get the search speed of more than a hundred passwords per second. Accordingly, a frontal attack is useless even if a simple password of only 7 characters is used (average for the hospital). However, even if you have a strong encryption password from your phone, you can extract photos and media files if you know the passcode or have a lockdown.
In iOS 10.2 and up to the release of iOS 11, a long and complicated backup password was an absolute protection; there was no way to delete or change the password without first entering the old one, in older versions of the system did not exist. In iOS 11, the situation has changed.
First recursion: reset password to backup
I already wrote about what can be done in iOS 11, 12 and 13 using a lock code. Among many other things, in these versions of iOS, a screen lock code can be used to reset the backup password. Now, if an attacker finds out the screen lock code, he can reset the password to a local backup, connect the phone to the computer and extract all the data, and also decrypt all passwords from the keychain.
The Apple website provides detailed instructions on how to proceed to reset the password for the backup:
In iOS 11 or later, you can create an encrypted backup of your device by resetting your password. To do this, follow these steps:
- On your iOS device, go to Settings> General> Reset.
- Click "Reset All Settings" and enter the iOS password.
- Follow the instructions to reset. This will not affect user data or passwords, but will reset settings such as display brightness, program position on the Home screen, and wallpaper. The password for encrypting backups will also be deleted. (In parentheses: at this point, the device will require you to enter a screen lock code).
- Reconnect the device to iTunes and create a new encrypted backup.
- You cannot use previously created encrypted backups, but you can use iTunes to back up current data and set a new backup password.
On a device with iOS 10 or earlier, password reset is not possible.
Second recursion: we protect ourselves from attempts to reset the password for backup
The ease with which an attacker can bypass your most complex and long password by just entering a screen lock code is unpleasantly amazing. However, you can try to protect yourself from this scourge. The protection mechanism here will be Parental Control Restrictions (iOS 11) or Screen Time Password (iOS 12 and 13). For simplicity, I will describe exactly iOS 12.
Let's say your iPhone fell into the hands of an attacker. Suppose an attacker managed to spy your lock code; Now he is trying to untie the phone from the cloud, and at the same time merge a copy of the data, gaining access to passwords from the Keychain. You can protect yourself from such a development of events with the help of the Screen Time password. You can read more about the possibilities of controlling Screen time in the Apple article Using parental control on iPhone, iPad and iPod touch devices . We are now interested in another possibility of this system: to protect the phone from resetting the password for backup.
Oddly enough, restricting the ability to reset the password for a local iOS backup is quite simple: all you need to do is set the Screen Time password as such. The complexity of this password is small: the only available option is a 4-digit PIN code. Nevertheless, such protection is generally quite reliable. Since this password is used very rarely and differs from the device lock code, it cannot be accidentally spied. This code is needed in extremely rare cases when you want to change the settings or disable restrictions. You can set a random code by writing it on a piece of paper left at home - and it will be completely safe.
What happens if I try to reset my password for backup now? At the first step, there are no differences: the system will ask for the device lock password. But right after that, an additional 4-digit Screen Time password will be requested. This security measure is quite capable of not only repelling the curious, but also protecting the iPhone from quite serious hacking attempts.
Recursion Three: How to find out the password of the Screen Time
The screen time password is stored on the device itself. It is impossible to pick it up in a reasonable time: a small space of 10,000 combinations is protected by progressive delays between input attempts. After several unsuccessful attempts, the system will limit the speed of enumerating passwords of Screen time by introducing progressive delays of 1, 5, 15, and 60 minutes. After 10 unsuccessful attempts, each subsequent attempt can be made no earlier than an hour after the previous one; rebooting the device will not help speed up the process. Thus, all 10,000 combinations can be sorted out in 416 days.
However, there are more interesting ways. I’ll make a reservation right away: the first one works only when the password for the backup copy is not set or known, and the second one if you can jailbreak the iPhone (that is, the iOS version on it is no newer than iOS 12.2). For the iPhone with an unknown password for the backup running on the latest version of iOS (today it is 12.4) there is no working way to find out the password of the Screen Time (for now).
Method 1: Extract from Backup
In iOS 7-11, this password (called the Restrictions there) is stored as a hash. The algorithm is relatively robust (pbkdf2-hmac-sha1, but the number of iterations is relatively small). Given that this password always consists of only 4 digits, a complete search of the hash on the computer takes several seconds. The hash itself is stored in the file com.apple.restrictionspassword.plist, which gets into the backup. Accordingly, the Restrictions password can be opened if we have (one of):
- backup without password
- backup with password, plus password from it
In iOS 12 (here it is the password of the Screen Time, or Screen Time) is stored in the clear. No, security didn’t get any worse: the password was moved to the Keychain. Nevertheless, the protection class for the password for Screen Time was assigned a minimum: it is not tied to the device. The minimum protection class is assigned intentionally. This is done so that when restoring a new iPhone from backup, the Screen Time password is set automatically (thus Apple closed the potential to remove the Screen Time password by creating a backup, resetting the device and then restoring from the backup). Keychain records with higher protection classes do not end up in backups or end up, but are protected by the device’s hardware key (that is, they can only be restored to the same device).
To get the screen time password, you need:
- backup with password plus password from it
Method 2: via jailbreak
Obviously, the first method will work only when the password for the backup is not set or known. If the password for the backup is set, but it is not known, then the only remaining way to find out the password of the Screen Time is to get access to the Keychain. For older versions of iOS, you need a copy of the file system.
For iOS 7-11 you need:
- image of a file system shot by EIFT (need a jailbreak) or GrayKey (jailbreak is not needed, a device lock code is enough, but the product itself is available only to law enforcement agencies of some countries)
For iOS 12:
- Keychain mined by EIFT or GrayKey
Do I need to do this? I’m not sure: if you managed to install a jailbreak, then, firstly, all passwords can be extracted without a middleman in the form of a backup. Secondly, you can find out the password for the backup by decrypting the Keychain: the password for the backup (just like the password for the Screen Time) is stored there in the clear. However, if the goal is to remove the limitations of Screen time, then this approach is quite suitable.
One more thing
Interestingly, the Screen Time password is also stored in the iCloud cloud, but only if you enable two-factor authentication and activate the Screen Time option “Share across devices”. The key itself does not fall into the Cloud keychain, but is stored separately (approximately in the same form as the key to restore access to encrypted FileVault 2 volumes). There are currently no mechanisms to extract it from iCloud and view it. We are working on it; In the fall, it is planned to release the latest version of Elcomsoft Phone Breaker, which will have this capability (if nothing changes in the storage mechanism with the release of iOS 13; there is such a possibility: iOS 13 has already changed the storage location for this password).
In any case, to pull out the Screen Time password from iCloud, you will need all of the following:
- username and password from Apple ID (iCloud) user
- device screen lock code
- access to the second authentication factor (it is the device itself, if the lock code is known; however, a SIM card with a trusted phone number is enough)
But we did not check the scenario with resetting the device and then restoring it from the “cloud” backup, so I can’t say for sure whether the Screen Time password is activated if I create a backup in iCloud, reset the iPhone and recover from the cloud. Moreover, the system can behave differently in cases where the same iPhone or new device is restored from the backup.
Fourth recursion, the last: how to protect access to the Screen Time password
So we come to the last point. If your goal is to secure the device as much as possible, then it is in your interests to make sure that the Screen Time password is neither reset nor recognizable. As in the previous part, I have two news: good and bad.
The good news is that protecting the Screen Time password from an average person and even a professional cracker is quite simple: just set a long and strong password for a backup copy, and then just keep the device up to date by installing the latest versions of iOS right after they exit. Jailbreaks for new versions of iOS do not come out right away. Sometimes months elapse between the release of an iOS update and the appearance of a workable jailbreak for it.
You can be afraid of the scenario when a stolen device (with a blocking code known to an attacker) is put on a shelf waiting for a jailbreak to appear. Here, however, the standard “Erase [device]” made in the Find my iPhone portal can help. The fact is that to install the jailbreak you must first sign the IPA file, and then confirm the digital signature directly on the iPhone itself. The digital signature is verified on the Apple server; that is, the attacker will have to allow the stolen iPhone to go online. At this moment, the command to erase the device will most likely work.
Attackers can solve this problem using special router configurations, in which access to the nodes responsible for the Find My iPhone functionality will be denied. In addition, instead of the usual certificate, they can use a developer certificate to sign the jailbreak, which does not require iPhone to go online to confirm the digital signature.
The bad news is that no matter how hard you try, you won’t be able to protect your iPhone from access via GrayKey or UFED Premium systems: their developers were able to bypass most of the iPhone’s security mechanisms. If the screen lock code is known, then users of these complexes will be able to access the file system and decrypt the Keychain without any problems. On the other hand, these complexes are available only to law enforcement agencies, and by no means in any country (for example, they are not supplied to Russia). Getting them in the hands of attackers is practically impossible. Thus, you are unlikely to be exposed to this danger.
All Articles