State of iPhone and iPad forensics (physical & logical)

(@coligulus)
Estimable Member
Joined: 16 years ago
Posts: 165
 

On iPhone 4 whatever the OS version is you can a) image it and b) attack the passcode. Elcomsoft's tools will - using the automated function - attack a 4 digit PIN. However the scripts if used manually can be used to attack a PIN of any length you fancy and you can even reduce the keyspace to say only include the numbers 1-6, not that you would want to, but you can. You can also manually use the scripts to attack alphanumeric passwords of whatever length you like and specify the keyspace to use.

A lot of organisations use MDM technology (harnessing Apple APIs) to force a 6 digit PIN. In my testing on an iPhone 4 this can be cracked in a maximum of 3.15 days (for every permutation). Have a read of this which will explain where I got that figure from

http://www.fishnetsecurity.com/6labs/blog/ios-passwords-quick-tips-maximize-your-security

No laughing at the picture! )

Though bear in mind the figure there shows 3.12 and that's because it doesn't include the time to attack PINs of length 1 (1 sec to test all), 2 (24 secs to test all), 3 (266 secs to test all), 4 (didn't need to do as the iDevice gives a clue that it's not length 4), 5 (26315 secs to test all) followed by 3.12 days for all permutations of 6.

I should point out that my statement about being able to jailbreak a device running iOS 6.1.3 with a PIN/password is correct, however again it only relates to the early devices which are vulnerable to a RAM disk attack. Apologies, I realise that was a little misleading in the context of the thread and doesn't help in the case of newer devices. So the custom bundle idea goes out the window. I was typing faster than I was thinking. ) Newer devices require the PIN in order to jailbreak as there are no bootROM exploits available for the break.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

A lot of organisations use MDM technology (harnessing Apple APIs) to force a 6 digit PIN. In my testing on an iPhone 4 this can be cracked in a maximum of 3.15 days (for every permutation). Have a read of this which will explain where I got that figure from

http://www.fishnetsecurity.com/6labs/blog/ios-passwords-quick-tips-maximize-your-security

No laughing at the picture! )

Agreed ) , no laughing at the picture, and actually I am taking my hat off before your nice, clear and simple article, but allow me to say how the 3.12 days are the result of a theoretical calculation and represent the actual maximum possible time (that you will get only once in a lifetime) and this should be IMHO a bit highlighted.

In real life it is more likely that it will take between 1 day and 2 days roughly, but it may also depend on the algorithm the software uses to generate the test key.

Many "brute force" crackers, cannot say if for simplicity, for "speed optimization" or "whatever" (and cannot say about the Elcomsoft specific soft) use "sequential addressing" of the possible combination.

This carries with it the not-so-trifling practical consequence that 000001 will be cracked in NO time, whilst 999999 will be cracked in the 3 days+.

Additionally, and as a side note, possibly of general interest, if you give the "end customer" the choice to choose his/her own pin number (made of 6 numbers 0-9) a large majority of them will use a date (and a date related to birth of oneself, of the partner, day of marriage, etc.), hence a European will have a pattern of
ddmmyy
whilst a US american will have a pattern of
mmddyy.

A nice feature would be to first examine
dd in range 01-31
mm in range 01-12
yy in range (say) 45-95
or if you prefer in any valid date between (19)45 and (19)95.
Since a number of users might be using their sons/daughters birthdates, an additional range between (19)95 and (19)99 and between (20)00 and (20)13 could be of use.
Summing up for the "European" style one would have
First digit 0-3
Second digit 0-9
Third digit 0-1
Fourth digit 0-9
Fifth digit 0-1 and 4-9
Sixth digit 0-9
This would make (not taking into account impossible dates such as 31/06 or 29/02/99) and unless I am mistaken
4*10*2*10*8*10=64,000
a nice reduction from the original
10*10*10*10*10*10=1,000,000
Even if you do some permutations
ddmmyy
mmddyy
yymmdd
yyddmm
you have 64,000*4=256,000; you have reduced the attempts to 1/4th (and nothing prevents a "truly random" PIN to be representing a date and consequently belong to this "preferred" range anyway).

jaclaz


   
(@coligulus)
Estimable Member
Joined: 16 years ago
Posts: 165
 

Hi Jaclaz,

You are absolutely correct, the number is the maximum time to test every permutation. I did point out in the article that it took me only 24 hours to crack a 6 digit code I had set.

You are right with the algorithms too. As far as I understand Elcomsoft does check simple codes first, so 111111, 222222 - 999999 etc. are all checked. From that point forward I couldn't tell you whether or not there are any other specific custom combinations that are written into the tool. However, as you point out, people who write their own, or customize cracking tools, do indeed use an element of human behaviour to help focus their crack and speed the process along. For example, with alphanumeric passwords the most common pattern is for the number to be stuck on at the end of the password, and programming the tool you are using to accommodate that reduces the keyspace for all characters, allowing every permutation to be completed in less time. The only problem with this approach is if you fine tune it too much and the password you are cracking doesn't follow the assumed pattern: then, once it completes without finding the code, you have to go back to the "it could be anything anywhere" approach and just wait it out.

While your date suggestion does reduce the number of permutations significantly, I still think that 3.15 days is a short enough time, and since it is often cracked in half that I find it to be more than acceptable. Realistically the focusing aspect all depends on the amount of time you are prepared to lose if it turns out that you made an incorrect assumption.

Thanks for your insight on this also as too often the threads on this forum seem to be either brief or argumentative. It's nice to see it actually being used to provoke discussion.

Oh, and thanks for not laughing at the photo, it wasn't my best. )

Colin


   
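A worked calculation, added here as an example and not code from the thread, from the linked article or from Elcomsoft's tools, that turns the digit-range arithmetic in jaclaz's post and the "number stuck on at the end" pattern in Colin's reply into a small keyspace calculator for sizing a PIN or password policy. It only counts candidate sets and converts the count into time; it generates no PINs. Everything not stated in the thread is an assumption: the per-attempt cost is back-derived from the 3.12 days quoted for all 1,000,000 six-digit PINs on an iPhone 4, the date span 1945-2013 and the character-class sizes are chosen here, and all function names are hypothetical.

```python
"""Keyspace and time-to-exhaust calculator for a numeric PIN or password
policy.  Added example for this thread; not code from the posts, from the
linked article or from Elcomsoft's tools.  It only counts candidate sets
and converts the count into time; it does not generate any PIN."""
from datetime import date

SECONDS_PER_DAY = 86_400

# Assumption: per-guess cost back-derived from the thread's figure of
# 3.12 days to try all 1,000,000 six-digit PINs on an iPhone 4.
SECONDS_PER_ATTEMPT = 3.12 * SECONDS_PER_DAY / 1_000_000


def digit_range_keyspace(ranges):
    """Number of PINs when each position is limited to a set of digits."""
    total = 1
    for allowed in ranges:
        total *= len(set(allowed))
    return total


# jaclaz's "European" ddmmyy ranges: dd 01-31, mm 01-12, yy 45-99 or 00-13.
EUROPEAN_DDMMYY = [
    range(0, 4), range(0, 10),                # dd: first digit 0-3
    range(0, 2), range(0, 10),                # mm: first digit 0-1
    [0, 1, 4, 5, 6, 7, 8, 9], range(0, 10),   # yy: first digit 0-1 or 4-9
]
ANY_SIX_DIGITS = [range(0, 10)] * 6


def count_valid_dates(first_year, last_year):
    """Exact number of calendar days in [first_year, last_year] inclusive,
    i.e. how many date-shaped PINs one layout (ddmmyy, mmddyy, ...) really
    contains once impossible dates such as 31/06 are dropped.  Two-digit
    years only stay distinct while the span is under 100 years."""
    if last_year - first_year >= 100:
        raise ValueError("two-digit years collide over a span of 100+ years")
    return (date(last_year, 12, 31) - date(first_year, 1, 1)).days + 1


def mask_keyspace(mask, alphabet_sizes=None):
    """Keyspace of a character-class mask, e.g. 'llllldd' for five lowercase
    letters followed by two digits.  Class sizes are assumptions:
    l/u = 26 letters, d = 10 digits, s = 33 printable ASCII symbols."""
    sizes = alphabet_sizes or {"l": 26, "u": 26, "d": 10, "s": 33}
    total = 1
    for cls in mask:
        total *= sizes[cls]
    return total


def days_to_exhaust(candidates, seconds_per_attempt=SECONDS_PER_ATTEMPT):
    """Worst case: every candidate in the set is tried."""
    return candidates * seconds_per_attempt / SECONDS_PER_DAY


def expected_days(candidates, seconds_per_attempt=SECONDS_PER_ATTEMPT):
    """Average case if the secret is uniformly distributed over the set and
    candidates are tried in any fixed order: about half the set."""
    return (candidates + 1) / 2 * seconds_per_attempt / SECONDS_PER_DAY


def policy_report():
    """Candidate-set sizes and times for the cases discussed in the thread.
    The '4 layouts' rows multiply by four without removing PINs that are a
    valid date under more than one layout, so they are upper bounds."""
    per_layout = digit_range_keyspace(EUROPEAN_DDMMYY)
    exact_dates = count_valid_dates(1945, 2013)
    rows = {
        "any 6-digit PIN": digit_range_keyspace(ANY_SIX_DIGITS),
        "date-shaped, 4 layouts, digit-range bound": 4 * per_layout,
        "date-shaped, 4 layouts, real dates 1945-2013": 4 * exact_dates,
        "7-char password, lowercase word + 2 digits (llllldd)": mask_keyspace("llllldd"),
    }
    return {name: (n, days_to_exhaust(n), expected_days(n)) for name, n in rows.items()}


if __name__ == "__main__":
    for name, (n, worst, avg) in policy_report().items():
        print(f"{name:54s} {n:>14,d} candidates  "
              f"worst {worst:10.2f} d  expected {avg:10.2f} d")
```

Run it as a script to get the comparison table. The useful reading for a policy owner is the gap between the "any 6-digit PIN" row and the date-shaped rows: a 6-digit numeric PIN that happens to be a date sits in a set roughly a tenth the size (64,000 per layout by jaclaz's digit ranges, 25,202 once impossible dates are removed), which is why the thread's agreement that "3.12 days is acceptable" depends on the PIN not following a human pattern. Swap in your own `SECONDS_PER_ATTEMPT` if you have a measured figure for a different device.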
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

The only problem with this approach is if you fine tune it too much and the password you are cracking doesn't follow the assumed pattern then once it completes without finding the code you have to go back to the "it could be anything anywhere" approach and just wait it out.

Yep ) , this is one of the drawbacks, but I find it costs nothing (or very little) to - once set anyway to have the thingy chunking its way for 3.12 days - to have it looking into the "more probable" patterns first.
What is "queer" is that (again cannot say specifically the mentioned software) these features are not "common" in such type of software.

BTW the risk of actually "believing" in this approach "fully" or "blindly" is not completely unlike the unexpected hanging paradox
http://en.wikipedia.org/wiki/Unexpected_hanging_paradox

Some smart guy/gal might want to deduce from the previous posts that 999939 is the "most secure" pin and get very surprised if you include it in your "specific first range" and thus the program finds it in no time.

jaclaz


   
(@mark_adp)
Trusted Member
Joined: 13 years ago
Posts: 63
 

So, if the device is locked, you can jailbreak it but without getting past the PIN screen you cannot install OpenSSH from Cydia thus you cannot connect to it.
Colin

Colin, in this jailbroken yet locked state will the device connect to http://cyder2.com/? As with cyder it is possible to install jailbroken apps by placing the .deb packages into the /var/Media/Cydia/AutoInstall/ directory.

What Jailbreak are you using to successfully jailbreak a locked iPhone 4S?

BR


   
(@coligulus)
Estimable Member
Joined: 16 years ago
Posts: 165
 

Hi Mark,

How do you propose navigating the device to that URL if the screen is locked? Not sure if you could do this through SSH but if you could then you would have to have access to the SSH server on the device, and if you have that then you can attack the PIN/password anyway.

If you read each of my posts in this thread you will get a clue to answer your own question re jailbreaking locked devices.

Thanks,

Colin


   