iCloud syncing and 2FA: friend or foe?conference.hitb.org/hitbsecconf2017ams/materials/D1T4 - Vladamir... · Cloud: backup, sync or just storage? ... • Mail logs • Family sharing

ElcomSoft.comElcomSoft.com

iCloudsyncingand2FA:friendorfoe?

© 2017HITBSecConf

Vladimir KatalovElcomSoft Co.Ltd.Moscow, Russia

ElcomSoft.com Page 2

About us: our customers


What’s inside the smartphone?

• Contacts&calendars• Calllogsandtextmessages• Emailsandchats• Accountandapplicationpasswords• WebandWi-Fipasswords• Documents,settingsanddatabases• Webhistory&searches• Picturesandvideos• Geolocationhistory,routesandplaces• 3rd partyappdata• Cachedinternetdata• Systemandapplicationlogs• Socialnetworkactivities


Data acqusition methods§ JTAG/chip-off

§ thereisnotestaccessportonmanydevices§ full-diskencryptionmakesofflineattackscompletelyuseless

§ Physical§ Limitedcompatibility§ Mayalternatedata§ Datamaybeencrypted

§ Logical§ Limitedcompatibility§ Bypassing screen lock is needed

§ Cloud§ Limitedsetofdata§ Needcredentials§ Legalproblems


Cloud: backup, sync or just storage?§ Problems

§ Differentplatforms(Apple,Google,Microsoft)§ Manyvendor-specificclouds(especiallyinChina:360,QQetc)§ 3rd partycloudservices(Dropbox,Amazon,Azureandmore)§ Credentialsneeded(passwordortoken)

§ Profits§ Nophysicalaccessneeded§ Maybeperformedsilently

§ Backup§ Nostandardwaytoget§ Mightnotbeavailable§ Almostalldatafromdevice

§ Sync§ Limitedsetofdata§ Mostcriticalreal-timedata§ Syncedacrossalldevices

§ Storage§ Onlyfiles/documents§ Easytoaccess


Cloud services: backups

§ Fulldevicebackupsaresometimesavailable (AppleonlyJ)

§ 3rd partyapplicationdataisusuallynotavailable

§ Passwordsarenotalwaysbeingsaved;mightbeadditionallyencrypted

§ Dailybackups(inbestcase,untilforcedfromthedevice)

§ Backupscannotbeforcedremotely

§ 3rd partysoftware(likeoursJ)isneeded

§ Almostnowaytomanage

§ Slowaccess,longdownload


Cloud services: synced data

§ Contacts§ Calllog§ Messages(SMS,iMessage,Hangouts,Skype)§ Calendars§ Mail(onlycloud-based)§ Internetactivities(visitedsites,searches)§ Mediafiles(photos,videos)§ Gamingdata§ Passwords§ Healthdata

Other• Paymentinfo• Homedevices• Wallet(Apple-specific)• Maps(searches,bookmarks,routes)• Books• News,weather• Locationdata


More (i)Cloud data• Accountinformation

• iCloudstorageinformation

• Contactinformation(billing/shippingaddress,emails,creditcards(last4digits)

• Connecteddevices

• Customerservicerecords

• iTunes(purchase/downloadtransactionsandconnections,update/re-downloadconnections,Matchconnections,giftcards)

• Retailandonlinestoretransactions

• Maillogs

• Familysharingdata

• iMessage andFaceTimemetadata

• Deleteddata?


Cloud data by platformApple Google Microsoft

Backups +(three) Sort of(single) Softof(several)

Contacts/calendars/tasks + + +

Calllog J L In backupsonly

Notes + + +

Messages - AndroidN(?) +

Mail iCloudmail Gmail Outlook

Internet Safari Chrome Edge

Media iCloudPhotoLibrary GooglePhotos OneDrive

Documents iCloudDrive GoogleDocs OneDrive

Location Current/last Current,history Current,history

3rd partyappsdata iCloudDrive GoogleDrive OneDrive

Other Health (?),Wallet Dashboardandmore HealthVault, Skype


Cloud passwords, keys etc

Apple Google MicrosoftWi-Fi + + Inbackups

Websites + + +

Creditcards + CVVisneeded ?

Creditcards(2) ApplePay(Wallet):last4digits

only

GooglePay(?) Wallet (?)

App-specific Itdepends SometimesJ -

Authenticationtokens + + -

Encryptionkeys + - -

Certificates + - -

Autocomplete + + +


Apple keychains§ iOSkeychain

§ Local(encryptedbackup)§ Local(notencryptedbackup)§ iCloud

View:Settings|Safari|Passwords,Settings|Safari|AutoFill

Protection:itdependsDecrypt/export:noway(3rd partysoftwareonly)

§ OSX(macOS)keychain

View:Keychainutility(onebyone)Protection:password(bydefault,sameaslogon)Decrypt/export:3rd partysoftwareonly

§ iCloudkeychain

View:Onlywhen/ifsyncedwithlocaldeviceProtection:well,strongJDecrypt/export:noway


Backup vs iCloud keychains

Backup iCloudWi-Fi + +

Websites + +

Creditcards + +

App-specific + Itdepends

AirPlay/AirPort + +

Encryptionkeys&tokens + Itdepends

Autocomplete + -

KeychaininiCloudbackupshavemostdataencryptedwithdevice-specifickey


iOS keychain – passwords (Wi-Fi, email, web form)

<Name>AirPort(APname)</Name><Service>AirPort</Service><Account>APname</Account><Data>APpassword</Data><AccessGroup>apple</AccessGroup><CreationDate>20121231120800.529226Z</CreationDate><ModificationDate>20121231120800.529226Z</ModificationDate><ProtectionClass>CLASS:7</ProtectionClass>

<Name>accounts.google.com(email)</Name><Server>accounts.google.com</Server><Account>email</Account><Data>password</Data><Protocol>HTTPS</Protocol><AuthenticationType>form</AuthenticationType><Description>Webformpassword</Description><AccessGroup>com.apple.cfnetwork</AccessGroup><CreationDate>20150705071047.78112Z</CreationDate><ModificationDate>20150805133813.889686Z</ModificationDate><Label>accounts.google.com(email)</Label><ProtectionClass>CLASS:6</ProtectionClass>

<Name>imap.gmail.com([email protected])</Name><Server>imap.gmail.com</Server><Account>email</Account><Data>password</Data><Protocol>IMAP</Protocol><Port>143</Port><AccessGroup>apple</AccessGroup><CreationDate>20121231124745.097385Z</CreationDate><ModificationDate>20121231124745.097385Z</ModificationDate><ProtectionClass>CLASS:7</ProtectionClass>


iOS keychain (credit card data)

<Name>SafariCreditCardEntries (BBA00CB1-9DFA-4964-B6B8-3F155D88D794)</Name><Service>SafariCreditCardEntries</Service><Account>BBA00CB1-9DFA-4964-B6B8-3F155D88D794</Account><Data><Dictionary><CardholderName>NAME</CardholderName><ExpirationDate>DATE</ExpirationDate><CardNameUIString>Visa</CardNameUIString><CardNumber>NUMBER</CardNumber></Dictionary></Data><Comment>ThiskeychainitemisusedbySafaritoautomaticallyfillcreditcardinformationinwebforms.</Comment><AccessGroup>com.apple.safari.credit-cards</AccessGroup><CreationDate>20131016100432.283795Z</CreationDate><ModificationDate>20150826181627.118539Z</ModificationDate><Label>SafariCreditCardEntry:Visa</Label><ProtectionClass>CLASS:6</ProtectionClass>


iOS [backup] keychain protection classeskSecAttrAccessibleAfterFirstUnlock(7)Thedatainthekeychainitemcannotbeaccessedafterarestartuntilthedevicehasbeenunlockedoncebytheuser.

kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly(10)Thedatainthekeychainitemcannotbeaccessedafterarestartuntilthedevicehasbeenunlockedoncebytheuser.

kSecAttrAccessibleAlways(8)Thedatainthekeychainitemcanalwaysbeaccessedregardlessofwhetherthedeviceislocked.

kSecAttrAccessibleWhenPasscodeSetThisDeviceOnlyThedatainthekeychaincanonlybeaccessedwhenthedeviceisunlocked.Onlyavailableifapasscodeissetonthedevice.

kSecAttrAccessibleAlwaysThisDeviceOnly(11)Thedatainthekeychainitemcanalwaysbeaccessedregardlessofwhetherthedeviceislocked.

kSecAttrAccessibleWhenUnlocked(6)Thedatainthekeychainitemcanbeaccessedonlywhilethedeviceisunlockedbytheuser.

kSecAttrAccessibleWhenUnlockedThisDeviceOnly(9)Thedatainthekeychainitemcanbeaccessedonlywhilethedeviceisunlockedbytheuser.

• xxxThisDeviceOnly:encryptedusingdevice-specifichardwarekey(canbeextractedfrom32-bitdevicesonly)• Allothers:inpassword-protectedlocalbackups,encryptedwiththekeyderivedfrombackuppassword


iTunes backup password breaking

§ Getmanifest.plist§ GetBackupKeyBag§ Checkpassword

§ iOS3▫ pbkdf2_sha1(2,000)

§ iOS4to10.1(but10.0)▫ Sameasabove,but10,000iterations

§ iOS10.0▫ Sameasaboveworks▫ Singlesha256hashisalsostored

§ iOS10.2+▫ pbkdf2_sha256(10,000,000)▫ pbkdf2_sha1(10,000)

§ UnwrapAESkeyfromKeyBag§ Decryptkeychain(+otherfiles?)

Hashesaresalted,sonorainbowtablesL


macOS keychain


iCloud data protectionhttps://support.apple.com/en-us/HT202303

Mostofthedata:Aminimumof128-bitAESencryptioniCloudKeychain:Uses256-bitAESencryptiontostoreandtransmitpasswordsandcreditcardinformation.Alsousesellipticcurveasymmetriccryptographyandkeywrapping.

Keyisstoredalongwiththedata(exceptjusttheiCloudkeychain)!

• Notificationtoemailwhenthedataisaccessed• Accountmightbeblockedduetosuspiciousactivity(new!)• Two-stepverification(legacy,notrecommended)• Two-factorauthentication

• Immediatepushnotificationtoalltrusteddevices• Havetoallowaccess• Securitycode

• Aspushnotification• BySMStotrustedphonenumber• Generatedbytrusteddevice

Workaroundfor2FA:useauthenticationtokenfromthedevice(iPhone/iPad/iPod),PCorMac


iCloud sign-in


Set up iCloud keychain – no 2FA


Set up 2FA


Set up iCloud keychain –2FA


iCloud keychain inside outiOSSecurityGuide:https://www.apple.com/business/docs/iOS_Security_Guide.pdf

• Keychainsyncing• Circleoftrust• Publickey:syncingidentity(specifictodevice)• Privatekey(ellipticalP256),derivedfromiCloud

password• Eachsynceditemisencryptedspecificallyforthe

device(cannotbedecryptedbyotherdevices)• OnlyitemswithkSecAttrSynchronizable aresynced

• Keychainrecovery• Secureescrowservice(optional)• iCloudsecuritycodeisneeded(notwith2FA!)• HardwareSecurityModule(WTFisthat?J)


Escrow proxy architectureEscrowproxy

• SRP(SecureRemotePassword)protocol• SafefromMITM• Doesnotneedpasswordtobetransferredinplaintext• Doesnotkeeppasswordonserver


Escrow proxy protocol• enroll

toaddnewrecords• get_records

togetdata• get_sms_targets

gettrustedphonenumbers• generate_sms_challenge

startverificationbysms• srp_init

firstauthenticationstepunderSRP• Recover

secondSRPstep

WhatwecangetfromEscrowrecord• Infoonkeyusedforprotection• Numberoffailedretries• Devicedata(model,version,passwordstrength)• ListofkeysforKeyBag decryption• ProtectedStorageServiceslist


SRP protocol

iCSC-iCloudSecureCodeH–SHA256N,g–2048-bitgeneratorofthemultiplicativegroup(RFC5054)

TheuserenrollpasswordverifierandsalttoEscrowCache.EscrowCachestorespasswordverifierandsalt.

<salt>=random()x=SHA(<salt>|SHA(<dsid>|":"|<iCSC>))<passwordverifier>=v=g^x%N

Ifcom.apple.securebackup recordexists,thatmeansthatiCloudSecurityCodeisset.Otherwise,EscrowProxy containscom.apple.icdp.record.hash_of_device records,soiCloudKeychaincanbesyncedwhenoneofdevicepasswordsisprovided.


Key-Value Storage

If2FAisenabled,keychaindataarecopiedintoKVSforcirclesynchronization


Keychain recovery• GetAccountSettings (gettoken)

• SyncRegistry-version:ifempty,getthewholekeychain(pluscurrentstate);ifnot,getonlynewdataReturnskeychainandBackupKeyBag

• SRPauthenticationget_sms_targetsgenerate_sms_challenge

• srp_initGetdataforRecoveryrequest

• Recover (getKeyBagKey)

• DecryptKeyBagKey• DecryptKeyBag• DecryptKeyChain

Ifwehave2FApassedandobtainedthetoken:• Noneedtohavetrusteddevice• NoiCloudSecurityCode• Nonotificationtotrusteddevices• GetallthepasswordsandCCdataJ• Oneofdevice’passcodes isstillneededL


iCloud Keychain access - alternatives• Addnewdeviceto“circleoftrust”

• Needtopass2FA• Notificationstoalldevices

• GetiCloudbackup• Sameasabove• Mightnotexist(ortooold)• Needtogetsecurityd key(physicalacquistion only,32-bitdevices)• Noreal-timeaccess

• Getlocalbackup• PhysicalaccesstoPC/Macisneeded• Backupmightbepassword-protected

• Breakcircle protocol?J

ElcomSoft.com

Thanks!Questions?

ElcomSoft

Page 30