Introduction Data protection Storage Encryption Attacks & Counter Measures Demo Conclusion
SECURIMAG
iOS DATA PROTECTION [1]
Albin PETIT, [email protected]
Grenoble INP – Ensimag
[1] Inspired by the presentation "iPhone data protection in depth" by Jean-Baptiste BÉDRUNE (Sogeti) and Jean SIGWALD (ESEC)
Albin PETIT iOS data protection September 27th, 2012 – 1 / 35
INTRODUCTION (1)
WHAT ARE THE DATA?
- Text
- Photos
- Credentials
- Preferences
- Others
WHERE ARE THE DATA?
- On the device
- On a backup
- In transit
- On iCloud
INTRODUCTION (2)
iOS PROTECTIONS
- Passcode: prevents casual device access
- Privilege separation and sandboxing: limits access to system or other app data if a local app is compromised
- Code signing: only code of approved origins can execute
- Remote wipe: erases all data if the phone is lost
- Encrypted storage: makes remote wipe fast
- Encrypted backups: protect data off the device
- Data protection: protects the user's data when the device is locked
AGENDA
1 Data protection
  - File protection
  - Keychain
  - Keybags
2 Storage Encryption
  - iOS storage
  - iTunes Backup
3 Attacks & Counter Measures
  - Steal an iOS device
  - Escrow Keybag
  - Steal a backup folder
  - Bruteforce attack
  - Keychain attack v1
  - Keychain attack v2
4 Demo
DATA PROTECTION
OBJECTIVES
- Protect data at rest
- Encrypted data is protected by the user's passcode
HOW DOES IT WORK?
- Protection classes for files and keychain items
- The master keys of the protection classes are stored encrypted in a keybag
- Different levels of data availability
HOW IS A FILE ENCRYPTED?
[Figure: key hierarchy for one file. Elements shown: Device Key and User Passcode Key protect the Class Key; the Class Key wraps the File Key, which is stored in the File Meta Data; the File System Key covers the metadata.]
File Key: randomly generated for every file that gets created
Class Key: randomly generated when a class is established
FILE SYSTEM PROTECTION
[Figure: the Device Key and User Passcode Key protect Class Key 1, Class Key 2 and Class Key 3; each of File Key 1 to File Key 6 is stored, wrapped by its class key, in that file's Meta Data.]
CLASS KEYS FOR FILES
Availability          File Data Protection class
When unlocked         NSFileProtectionComplete
While locked          NSFileProtectionCompleteUnlessOpen
After first unlock    NSFileProtectionCompleteUntilFirstUserAuthentication
Always                NSFileProtectionNone
KEYCHAIN
A SQLITE DATABASE CONTAINING
- Passwords
- Sensitive information
HOW DOES IT WORK?
- Encrypted with AES-128
- Every application has its own set of keychain items, BUT keychain items can be shared between apps from the same developer
- Keychain items are restricted by class keys
CLASS KEYS FOR THE KEYCHAIN
Availability          Keychain Data Protection class
When unlocked         kSecAttrAccessibleWhenUnlocked
                      kSecAttrAccessibleWhenUnlockedThisDeviceOnly
While locked          N/A
After first unlock    kSecAttrAccessibleAfterFirstUnlock
                      kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
Always                kSecAttrAccessibleAlways
                      kSecAttrAccessibleAlwaysThisDeviceOnly
EXAMPLES OF USE
Item                      Keychain Data Protection class
Wi-Fi passwords           kSecAttrAccessibleAfterFirstUnlock
IMAP/POP accounts         kSecAttrAccessibleAfterFirstUnlock
Exchange accounts         kSecAttrAccessibleAfterFirstUnlock
Safari passwords          kSecAttrAccessibleWhenUnlocked
iTunes backup passwords   kSecAttrAccessibleWhenUnlockedThisDeviceOnly
iCloud certificates       kSecAttrAccessibleAlwaysThisDeviceOnly
KEYBAGS (1)
- A collection of class keys
- 4 types of keybags:
  - System keybag
  - Backup keybag
  - Escrow keybag
  - iCloud Backup keybag
KEYBAGS (2)
SYSTEM KEYBAG
- Stored on the device (/private/var/keybags/systembag.kb)
- AES-encrypted binary plist
- Its key is changed each time the user changes the passcode
ESCROW KEYBAG
- Used by iTunes syncing & Mobile Device Management
- Contains all the class keys used on the device
- Stored on the synchronized computer
- Allows backup and syncing without entering the passcode
- Encrypted with a random key
- That key is stored on the device (NSFileProtectionCompleteUntilFirstUserAuthentication)
KEYBAGS (3)
BACKUP KEYBAG
- Created for each encrypted backup
- Holds random class keys for the data in the backup
- The class keys are protected with a key derived from the backup password entered by the user (10,000 iterations of PBKDF2)
ICLOUD BACKUP KEYBAG
- Similar to the Backup Keybag
- Encrypted data is read from the device and sent to iCloud
- The corresponding class keys are protected by iCloud keys
SYSTEM KEYBAG UNLOCK
[Figure: the Passcode and the Keybag IV go through the KDF (which also uses the UID key) to produce the Passcode key. A Wrapped class key (wrapped with the passcode key, encrypted with key 0x835) goes through AES unwrap with the passcode key, then AES decrypt with key 0x835, to yield the Class key. An integrity check failure on unwrap means a wrong passcode.]
IOS STORAGE
DISK PARTITIONING
- Boot: Low Level Bootloader
- Plog: Effaceable area
- Nvrm: Environment variables
- Firm: iBoot, device tree and boot logos
- Fsys: Filesystem partition

Figure: 16 GB iPhone 4 NAND layout
  boot      block 0
  plog      block 1
  nvrm      blocks 2-7
  firm      blocks 8-15
  fsys      blocks 16-4084
  reserved  blocks 4085-4100
PLOG PARTITION (3 ERASABLE LOCKERS)
EMF!
- Data partition encryption key, encrypted with key 0x89B
- Format: Length (0x20) + AES(key89B, emfkey)
DKEY
- NSProtectionNone class key, wrapped with key 0x835
- Allows the System Keybag to be unwrapped
BAG1
- System Keybag key
- Format: Magic (BAG1) + IV + Key
- Allows systembag.kb to be decrypted
- Erased at each passcode change
IOS 3 KEY HIERARCHY
[Figure: the UID gives Key 0x89B and Key 0x835. Key 0x89B decrypts EMF! to yield the EMF Key, which decrypts the Data partition. Key 0x835 decrypts keychain-2.db, yielding the saved passwords.]
IOS 4 KEY HIERARCHY
[Figure: Passcode and IV go through the KDF to give the Passcode Key, which unlocks the System Keybag (locked) into the System Keybag (unlocked), holding the Class A, B, C and D Keys and further class keys. The UID Key gives Key 0x835 and Key 0x89B. In Effaceable Storage: BAG1 decrypts systembag.kb; Dkey, unwrapped with Key 0x835, gives the NSFileProtectionNone class key (the cprotect attribute of systembag.kb); EMF!, decrypted with Key 0x89B, gives the EMF Key that decrypts the Data partition.]
ITUNES BACKUP (1)
BACKUP STORAGE
- One directory per backup
- %APPDATA%/Apple Computer/MobileSync/Backup/<udid>
- Can be protected by a password
HOW DOES IT WORK?
- File content is AES-256 encrypted (if the encryption option is chosen in iTunes)
- The password is entered by the user
- Filenames are hashed (SHA1)
- A database holds all the information (e.g. filenames, size, permissions, attributes)
ITUNES BACKUP (2)
ACCESS AN IOS DEVICE
ATTACK
- Access an iOS device that is not passcode protected
COUNTER-MEASURES
- Set a passcode
- Erase data after n invalid passcode attempts:
  - Erase Dkey and EMF
  - Reformat the data partition
  - Generate a new system keybag
- Use Find My iPhone to:
  - Use location services to find it
  - Erase data (as already mentioned)
BACKUP
ATTACK
- Extract a backup and gain access to all the data of the device
COUNTER-MEASURES
- Encrypt your backup in iTunes
- Don't give access to your computer (and consequently to your backup)
ESCROW KEYBAG
ATTACK
- Make a backup without entering the passcode and restore it to the iPhone
COUNTER-MEASURES
- Don't give access to your computer
- Switch off your iOS device when possible
BRUTEFORCE ATTACK
ATTACK
- Try all 4-digit passcodes with root access
COUNTER-MEASURES
- Set an arbitrarily complex passcode by turning off the simple passcode option
- Use a configuration profile to enforce data protection:
  - Require passcode length and complexity
  - Require a maximum passcode grace period
KEYCHAIN ATTACK V1
ATTACK
- Decrypt the keychain from the backup with the 0x835 key computed on the device
COUNTER-MEASURES
- Set an arbitrarily complex passcode
KEYCHAIN ATTACK V2
ATTACK
- Access keychain items by changing the keychain access group of the applications
COUNTER-MEASURES
- Don't jailbreak your iOS device
DEMO
SUMMARY
A COMPLEX SECURITY
- Data encryption on the iOS device
- Different levels of availability
BUT THIS PROTECTION CAN BE COMPROMISED IF:
- No passcode is set
- Class keys are used wrongly (NSProtectionComplete vs NSProtectionNone)
- Sensitive information is not saved in the keychain
- A BootROM vulnerability exists (≤ iPhone 4 & iPad 1)
QUESTIONS?
REFERENCES
TALKS
- SSTIC 2012: Forensic iOS (2012) - Jean-Baptiste BEDRUNE & Jean SIGWALD
- iPhone data protection in depth (2011) - Jean-Baptiste BEDRUNE & Jean SIGWALD
- iOS Forensics: Overcoming iPhone Data Protection (09/2011) - Andrey BELENKO
- Overcoming iOS data protection to re-enable iPhone forensics (2011) - Andrey BELENKO
VIDEOS
- Apple WWDC 2010, Session 209 - Securing Application Data
- Apple WWDC 2012, Session 714 - Protecting the User's Data
PAPERS
- iOS Security (05/2012) - Apple
- iOS Keychain Weakness FAQ (02/2012) - Jens HEIDER, Matthias BOLL
- Lost iPhone? Lost Passwords! (02/2011) - Jens HEIDER, Matthias BOLL
- Overcoming iOS data protection to re-enable iPhone forensics (2011) - Andrey BELENKO
WEBSITE
- http://www.securitylearn.net/category/iphone/