iOS 4 hardware encryption cracked
‘We don’t want this to fall into the wrong hands’
Russian security outfit ElcomSoft is shipping a toolset that cracks open the hardware encryption protecting iOS4-based iPhones – but it's only for spooks and law enforcement.
In an announcement that will have black-hats working to replicate its results, the company says its tool can “extract all relevant encryption keys from iPhones running iOS 4,” and can also use those keys to “decrypt iPhone file system dumps.”
Vladimir Katalov, ElcomSoft CEO, says the tool breaks “into the heart of iPhone data encryption”.
With access to the device (a prerequisite for ElcomSoft’s technique), the software uses its unique ID and escrow keys (which exist to allow remote devices to sync with the iPhone) to access data.
According to this H Online article, data can only be extracted from an iPhone that’s booted in Device Firmware Upgrade mode, which allows direct copying of data on the Flash drive. This breaks iOS’s protection of the keys themselves, which are not visible to applications running in normal mode.
However, breaking the keys is slow. When files are decrypted, two keys are required – the one generated by the user’s passcode, as well as the key created by iOS Data Protection. H Online said the demonstration given to it required 40 minutes to brute-force a four-digit passcode.
While it might also be feasible to brute-force the escrow key stored on a computer to which the iPhone syncs, that approach has both pros and cons: a PC offers a faster platform for guessing keys, but the escrow key is larger than a typical user’s passcode.
ElcomSoft promises to guard the tool closely, with Katalov saying “we made a firm decision to limit access to this functionality to law enforcement, forensic and intelligence organisations and select government agencies”.
ElcomSoft had already demonstrated password recovery from iPhone 4 devices, last year.
Whether or not you think the police are the ‘right hands’ for this technology probably depends on whether or not you’ve had a device wrongfully seized and presumably data-dumped by a plod suffering a rush of blood to his head. ®
Sorry, but are you saying hackers which are providing cracking methods to governments and snoop services are the white hats?
Grey is the best description. They are white by Russian standards though
Elcomsoft is the company which was involved in the Adobe DRM bypass bru-ha-ha a while back.
It is an interesting company. It has demonstrated some key differences between UK and let's say Russia from a management perspective. The company director actually went to testify, took the charges onto himself and the company and face the charges so his software developer arrested on that case is released:
I do not see a nowdays UK manager who treats his staff as human resource doing that. The ones I know are more likely to chew and swallow their MBA diploma without ketchup instead.
Why bother with this?
Let's face it, under UK law, if threatened by the plod or the courts, you have hand over your passwords anyway, so what's this achieve?! The Plod are still going to reach for the rubber baton or the line "Sorry, Guv he fell down the stairs/walked into the cell door just before he gave us the password."!
"Simply activate the 'Erase Data' feature to wipe all data on the iPhone after 10 failed passcode attempts, stopping brute-force attacks"
The brute-forcing would be done offline against the specific files - you'd only be putting the derived key into the device. Hence this would be no defence.
Title is required but can no longer be bought from politicians
"a plod suffering a rush of blood to the head" - so that'll be away from his brain then?