Russia wants Apple to unlock iPhone belonging to killer!

Vesalius
(@vesalius)
Member

An interesting topic, didn't know whether to put this in the phone forensics section or here, so I just put it here.

Anyways, I read a lot of different opinions on this on Facebook, but I want to hear what you guys think. I say they even got a physical rip of the phone. Apparently it's an iPhone 4S, but with the latest update, so I guess by modern commercial standards it's pretty close to impossible to break into. Here it is:

Russia wants Apple to unlock iPhone belonging to killer...

Posted : 22/12/2016 11:47 pm
thefuf
(@thefuf)
Active Member

The whole idea of invasive encryption (not to be confused with pervasive encryption) is a mistake. In a typical iPhone case, there are two problems:
1. we don't know the password to unlock the phone;
2. we can't create a forensic image of the encrypted data.

Pervasive encryption makes data encrypted by default. Invasive encryption also locks the user out of his/her encrypted device. If pervasive encryption were in place, we could make a forensic image of the encrypted data and then try to guess the right password. If we deal with invasive encryption (e.g. a locked boot loader and encryption keys stored in a separate hardware module), we are stuck. We should either acquire data using a standard interface provided by the device developers (e.g. make a backup of user data), but then we need to unlock the device first, or use an exploit to bypass the invasive part of invasive encryption (this may or may not require us to unlock the device first).

Crypto advocates try to confuse people by making false and loud claims, like that weakening encryption means putting politicians, decision-makers, and human rights activists at risk. Fortunately, some politicians and decision-makers are beginning to understand that bad guys always have 0-day "remote-to-root" exploits to gain access to an iPhone and to maintain persistence on the device (even if they don't, we should assume that they do, because attacks always get better), and that there is no way a forensic examiner can confirm that the iPhone was or was not infected (even if the owner unlocks the device), because good guys don't have access to 0-day exploits allowing examiners to acquire a complete file system image. So, invasive encryption actually helps attackers stay stealthy and unnoticed. And this problem must be solved. After this, other problems (like the one described in the original post) will be easier to solve too.

Posted : 23/12/2016 12:54 am
TinyBrain
(@tinybrain)
Active Member

Excellent post, and it very accurately explained the difference and effects of invasive and pervasive crypto. Congratulations!

Posted : 23/12/2016 1:35 am
Igor_Michailov
(@igor_michailov)
Senior Member

I guess by modern commercial standards it's pretty close to impossible to break into.

What about IP-BOX and similar devices?

Posted : 23/12/2016 11:25 am
passcodeunlock
(@passcodeunlock)
Senior Member

If the iPhone 4S is set to auto-erase after 10 bad tries, any brute-force device is useless. Unless there is one which will block the bad-tries counter?!

For LEO, Cellebrite CAIS might be a choice, but I've read lately that Belkasoft has also started their lab services.

Posted : 23/12/2016 1:07 pm
Bolo
(@bolo)
Member

Phone model is not important here - even a 5S with the wipe trigger turned on can be unlocked if we're talking about a 4-digit code. What is important is the SW, i.e. the iOS version… anything higher than 8.1 has the CVE-2014-4451 hole in iOS patched, and due to this it's not possible to enter codes without a wipe (the counter will rise on each try)….

Posted : 24/12/2016 1:19 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

TheFuf

First time I have heard of the concepts of invasive encryption and pervasive encryption.

It appears Apple has adopted "invasive encryption" as a means to protect consumers from themselves; there is nothing preventing a user of a Windows computer from opening up Windows Explorer and deleting system files, but iPhone consumers cannot access or delete iOS system files unless the iPhone is jailbroken.

My limited understanding is that "remote-to-root" 0-day exploits require the phone user to commit some act such as clicking on a link in a text message. You categorize those with access to 0-day exploits as "bad guys", but it seems more so that people with significant money can receive services from FinFisher (http//www.finfisher.com/FinFisher/index.html) (No offense meant if Rolf Guttman is with FinFisher).

I am in the midst of a theft of trade secrets case in which one former employee would not provide us with his iPhone's PIN code. Due to the fact that the phone was company-owned, I was able to work with my client's IT and Apple support to reset the iCloud password.

I then used Elcomsoft's Phone Breaker Forensic to download three iCloud mobile backups of the screen-locked iPhone. So, the screen lock was not insurmountable.

I also found mobile backups of the screen-locked iPhone on the former employee's Windows laptop and recovered 17,000 iOS messages using Internet Evidence Finder.

The second former employee's iPhone screen was not locked, but there was an iTunes encryption password in place, encrypting the mobile backup of the phone that Cellebrite was able to create.

I was able to use Passware to crack the iTunes encryption password in 3 1/2 hours using their currently recommended hardware setup.

Happy Holidays

Posted : 24/12/2016 11:50 pm
Vesalius
(@vesalius)
Member

What about IP-BOX and similar devices?

Ermm, exploits on the iPhone are currently only available up to iOS 8.1.1.

What I meant was now, not the past, sorry if I put that out there wrong.

Posted : 25/12/2016 12:54 am
Igor_Michailov
(@igor_michailov)
Senior Member

Phone model is not important here - even a 5S with the wipe trigger turned on can be unlocked if we're talking about a 4-digit code. What is important is the SW, i.e. the iOS version… anything higher than 8.1 has the CVE-2014-4451 hole in iOS patched, and due to this it's not possible to enter codes without a wipe (the counter will rise on each try)….

Cellebrite's exclusive unlocking and decrypted physical extraction capabilities support the following devices:
iPhone 4S / 5 / 5c, iPad 2 / 3G / 4G, iPad mini 1G, and iPod touch 5G running iOS 8.x (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2 / 8.1.3 / 8.2/ 8.3 / 8.4 / 8.4.1) or iOS 9.x (9.0 / 9.0.1 / 9.0.2 / 9.1 / 9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2)

Link

Posted : 25/12/2016 1:05 am
thefuf
(@thefuf)
Active Member

I am in the midst of a theft of trade secrets case in which one former employee would not provide us with his iPhone's PIN code. Due to the fact that the phone was company-owned, I was able to work with my client's IT and Apple support to reset the iCloud password.

I then used Elcomsoft's Phone Breaker Forensic to download three iCloud mobile backups of the screen-locked iPhone. So, the screen lock was not insurmountable.

I also found mobile backups of the screen-locked iPhone on the former employee's Windows laptop and recovered 17,000 iOS messages using Internet Evidence Finder.

The second former employee's iPhone screen was not locked, but there was an iTunes encryption password in place, encrypting the mobile backup of the phone that Cellebrite was able to create.

I was able to use Passware to crack the iTunes encryption password in 3 1/2 hours using their currently recommended hardware setup.

Cool, but you got user data only. Even when a user wants you to analyze his iPhone, you can't acquire more than that unless you have an exploit. Thus, you can't search for malware. So, bad guys can install a malware program on an iPhone, because they have (or are assumed to have) a 0-day exploit, but you can't respond to this incident by performing a forensic examination of that iPhone; in an enterprise environment, you can't build an infrastructure with incident response capabilities.

Posted : 25/12/2016 1:26 am
Igor_Michailov
(@igor_michailov)
Senior Member

you can't search for malware

Why not?

We can't extract malware from an iPhone. But, we can use other ways which can indicate the iDevice contains malware.

Posted : 25/12/2016 3:12 am
Igor_Michailov
(@igor_michailov)
Senior Member

Update: MacReports says the Russian team could not technically hack the 4-digit passcode; however, they have been able to retrieve data from the device by using other means, which they have not divulged.

Link

Posted : 25/12/2016 10:52 am
qassam22222
(@qassam22222)
Active Member

An interesting topic, didn't know whether to put this in the phone forensics section or here, so I just put it here.

Anyways, I read a lot of different opinions on this on Facebook, but I want to hear what you guys think. I say they even got a physical rip of the phone. Apparently it's an iPhone 4S, but with the latest update, so I guess by modern commercial standards it's pretty close to impossible to break into. Here it is:

Russia wants Apple to unlock iPhone belonging to killer...

It can be done by a NAND mirroring attack.

https://assets.documentcloud.org/documents/3109052/NANDmirroring.pdf

Posted : 28/12/2016 12:52 pm
Bolo
(@bolo)
Member

Phone model is not important here - even a 5S with the wipe trigger turned on can be unlocked if we're talking about a 4-digit code. What is important is the SW, i.e. the iOS version… anything higher than 8.1 has the CVE-2014-4451 hole in iOS patched, and due to this it's not possible to enter codes without a wipe (the counter will rise on each try)….

Cellebrite's exclusive unlocking and decrypted physical extraction capabilities support the following devices:
iPhone 4S / 5 / 5c, iPad 2 / 3G / 4G, iPad mini 1G, and iPod touch 5G running iOS 8.x (8.0 / 8.0.1 / 8.0.2 / 8.1 / 8.1.1 / 8.1.2 / 8.1.3 / 8.2/ 8.3 / 8.4 / 8.4.1) or iOS 9.x (9.0 / 9.0.1 / 9.0.2 / 9.1 / 9.2 / 9.2.1 / 9.3 / 9.3.1 / 9.3.2)

Link

To clarify - I talked about a BF attack, and they use a combined attack scheme - NAND copy, then NAND write, enter 8-9 codes, NAND write, enter 8-9 codes… loop.

As many know, you can use KZT adapters (https://scontent.fwaw5-1.fna.fbcdn.net/v/t1.0-9/15781256_1275727225835081_1548277887004329683_n.jpg?oh=47ae939b8924cf7e358f9113c7243eca&oe=58E04A2F) to run the NAND over a PCB board (connect the flex testing tape, LCD and power supply there, and run the phone on the table) - then make a BF attack on it and rewrite every few tries - as has already been said here, a test of the mirroring attack was already available. Now let's just wait for automated solutions 😉

Posted : 28/12/2016 11:29 pm
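Bolo's copy-and-write-back loop and passcodeunlock's point about the 10-try auto-erase both come down to where the retry counter is kept. As an added illustration (not part of any post in this thread and not Apple's implementation), this toy Python model keeps the counter either in copyable flash or inside a separate hardware module, and counts how many guesses the device will still evaluate when a saved flash image is written back after every nine tries; the passcode, the guess list and all names are constructed.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 10
WRONG_GUESSES = ["0000", "1111", "1234", "2580", "0852", "1212", "2000", "1122", "4444"]  # constructed


class PasscodeDevice:
    """Toy device: the unlock key is entangled with a per-device secret, so a guess can
    only be checked on the device, which refuses guesses once the failure counter reaches
    MAX_ATTEMPTS. The counter lives in copyable flash or in the hardware module (not writable)."""

    def __init__(self, passcode, counter_in_hardware):
        self.device_secret = os.urandom(32)  # stands in for a hardware-bound key
        self.counter_in_hardware = counter_in_hardware
        self.flash = {"failures": 0}         # ordinary, copyable storage
        self.hw_counter = 0                  # counter inside the hardware module
        self.verifier = self._derive(passcode)

    def _derive(self, passcode):
        return hmac.new(self.device_secret, passcode.encode(), hashlib.sha256).digest()

    def locked_out(self):
        failures = self.hw_counter if self.counter_in_hardware else self.flash["failures"]
        return failures >= MAX_ATTEMPTS

    def try_unlock(self, passcode):
        if self.locked_out():
            return False
        if hmac.compare_digest(self._derive(passcode), self.verifier):
            return True
        if self.counter_in_hardware:
            self.hw_counter += 1
        else:
            self.flash["failures"] += 1
        return False

    def write_flash(self, image):
        self.flash = dict(image)  # overwrites the flash-held counter, nothing else


def guesses_accepted(counter_in_hardware, rounds=3):
    """Nine wrong guesses, write the saved flash copy back, repeat; count evaluated guesses."""
    dev = PasscodeDevice("7391", counter_in_hardware)  # constructed passcode
    saved = dict(dev.flash)  # copy of flash taken before any guess
    accepted = 0
    for _ in range(rounds):
        for guess in WRONG_GUESSES:
            accepted += 0 if dev.locked_out() else 1
            dev.try_unlock(guess)
        dev.write_flash(saved)
    return accepted
```

With the counter in flash the write-back erases the failures each round, so the device keeps evaluating guesses (27 over three rounds); with the counter in the hardware module it stops after the tenth regardless of how often flash is rewritten.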