Cracking and Analyzing Apple iCloud презентация

The need for iOS forensics
More than 5 years on the market
7

iOS data protection
Device passcode
Protect unauthorized access to the device
Bypassing is not

iOS forensics

Logical acquisition (iTunes backups)
Physical acquisition
iCloud backups and storage

iOS forensics
- logical acquisition
“Ask” device to produce backup
Device must be unlocked

iOS forensics
- physical acquisition

Boot-time exploit to run unsigned code
or
Jailbreak
Device lock state

iOS Data Protection

Every iOS device contains secure AES engine with two

iOS data protection (cont-d)

Content grouped by accessibility requirements:
Available only when device

iOS 4+ passcode

Passcode is used to compute passcode key
Computation is tied

iOS 4+ passcode (cont-d)
Passcode-to-Key transformation is slow
Offline brute-force currently is not

iOS 4+ passcode (cont-d)

iOS 5 Keychain
SQLite3 DB, all columns are encrypted Available protection classes
kSecAttrAccessibleWhenUnlocked

iOS 5 Storage
Only User partition is encrypted
Available protection classes:
NSProtectionNone
NSProtectionComplete
NSFileProtectionCompleteUntilFirstUserAuthentication
NSFileProtectionCompleteUnlessOpen
Per-file random encryption

iCloud
Introduced in Oct 2011
Introduced with iOS 5
Successor to MobileMe, .Mac, iTools
5

iCloud services

iCloud Control Panel

iPhone backup - why?

Mission: impossible :)

iCloud backup - what

Messages (including iMessages)
Application data
Device settings
Camera roll (photos and

iCloud backup - when
Backup runs daily when device is:
Connected to the

iCloud backup - how

iCloud CP: backups

iCloud backup protocol flow
Dynamic: endpoints depend on Apple ID
Built on Google

iCloud backup protocol flow (cont-d)

/mbs/
List of backups
/mbs///getKeys
OTA backup keybag
/mbs////listFiles
File manifest
/mbs////getFiles
File auth

iCloud encryption

Data stored at 3rd-party storage providers is encrypted
Apple has encryption

iCloud backups - summary
There is no user-con"gurable encryption for iCloud backups
iCloud

Find My Phone

FindMyPhone protocol

FindMyPhone - demo output

iCloud documents

iCloud CP: documents

Get files from iCloud

To get list of files
Authentication request (with given

Files in iCloud

iCloud docs: demo output

Possible usage

Backups in iCloud
near-realtime acquisition (SMS, iMessage, mail, call logs)
browse backup

Conclusion

Balance between security, privacy and convenience
iCloud security risks
Use additional encryption
Need further