ElcomSoft.comElcomSoft.com © 2017
Vladimir KatalovElcomSoft Co.Ltd.Moscow, Russia
BreakingintotheiCloudKeychain
ElcomSoft.com Page 2
[Someof]ourcustomers
ElcomSoft.com Page 3
Whatdowewanttohacktoday?
1.Alluser’spasswords2.Creditcarddata
ElcomSoft.com Page 4
What’sinsidethesmartphone?
(tip:almosteverything)
• Contacts&calendars• Calllogsandtextmessages• Emailsandchats• Accountandapplicationpasswords• WebandWi-Fipasswords• Creditcarddata• Documents,settingsanddatabases• Webhistory&searches• Picturesandvideos• Geolocationhistory,routesandplaces• 3rd partyappdata• Cachedinternetdata• Systemandapplicationlogs• Socialnetworkactivities
ElcomSoft.com
§ Problems§ Differentplatforms(Apple,Google,Microsoft)§ Manyvendor-specificclouds§ 3rd partycloudservices§ Credentialsneeded(passwordortoken)
§ Profits§ Nophysicalaccessneeded§ Maybeperformedsilently
§ Backup§ Nostandardwaytoget§ Mightnotbeavailable§ Almostalldatafromdevice
§ Sync§ Limitedsetofdata§ Mostcriticalreal-timedata§ Syncedacrossalldevices
§ Storage§ Onlyfiles/documents§ Easytoaccess
Page 5
Dataacqusition methods|Cloudacquisitionprosandcons
§ JTAG/chip-off§ Notestaccessportonmanydevices§ Fulldiskencryption
§ Physical§ Limitedcompatibility§ Datamaybeencrypted
§ Logical§ Limitedcompatibility§ Bypassingscreenlockisneeded
§ Cloud§ Limitedsetofdata// oh,really?J§ Needcredentials§ Legalproblems
ElcomSoft.com
§ Fulldevicebackupsaresometimesavailable
§ 3rd partyapplicationdataisusuallynotavailable
§ Passwordsareadditionallyencryptedwithhardware-specific key
§ Dailybackups(inbestcase,untilforcedfromthedevice)
§ Backupscannotbeforcedremotely
§ 3rd partysoftwareisneeded
§ Almostnowaytomanage
§ Slowaccess,longdownload
§ Accountmightbelockeddueto‘suspiciousactivity’
Page 6
Cloudservices:backups[iCloud]
ElcomSoft.com Page 7
Cloudservices:synceddata[iCloud]
§ Contacts§ Calllog§ Messages(SMS/iMessage,CallKit-compatibleapps)§ Calendars§ Mail(onlycloud-based)§ Internetactivities(visitedsites,searches)§ Mediafiles(photos,videos)§ Gamingdata§ Passwords§ Healthdata§ Creditcards
Other• ApplePay• Homedevices• Wallet• Maps(searches,bookmarks,routes)• Books• News,weather• Locationdata
ElcomSoft.com Page 8
MoreiClouddata
• Accountinformation• iCloudstorageinformation
• Contactinformation(billing/shippingaddress,emails,creditcards(last4digits)
• Connecteddevices• Customerservicerecords• iTunes(purchase/downloadtransactionsand
connections,update/re-downloadconnections,Matchconnections,giftcards)
• Retailandonlinestoretransactions• Maillogs• Familysharingdata• iMessage andFaceTimemetadata
• Deleteddata?
ElcomSoft.com Page 9
Applekeychains
§ iOSkeychain
§ Local(encryptedbackup)§ Local(notencryptedbackup)§ iCloud
View(iOS10):Settings|Safari|Passwords,AutoFillView(iOS11):Settings|Accounts&Passwords|App&WebsitePasswordsProtection:itdependsDecrypt/export:noway(3rd partysoftwareonly)
§ OSX(macOS)keychain
View:Keychainutility(onebyone)Protection:password(bydefault,sameaslogon)Decrypt/export:3rd partysoftwareonly
§ iCloudkeychain
View:Onlywhen/ifsyncedwithlocaldeviceProtection:well,strongJDecrypt/export:?
ElcomSoft.com Page 10
Backupvs iCloudkeychains
Backup iCloudWi-Fi + +
Websites + +
Creditcards + +
App-specific + Itdepends
AirPlay/AirPort + +
Encryptionkeys&tokens + Itdepends
Autocomplete + -
KeychaininiCloudbackupshavemostdataencryptedwithdevice-specifickey
ElcomSoft.com Page 11
iOSkeychain– passwords(Wi-Fi,email,webform)
<Name>AirPort(APname)</Name><Service>AirPort</Service><Account>APname</Account><Data>APpassword</Data><AccessGroup>apple</AccessGroup><CreationDate>20121231120800.529226Z</CreationDate><ModificationDate>20121231120800.529226Z</ModificationDate><ProtectionClass>CLASS:7</ProtectionClass>
<Name>accounts.google.com(email)</Name><Server>accounts.google.com</Server><Account>email</Account><Data>password</Data><Protocol>HTTPS</Protocol><AuthenticationType>form</AuthenticationType><Description>Webformpassword</Description><AccessGroup>com.apple.cfnetwork</AccessGroup><CreationDate>20150705071047.78112Z</CreationDate><ModificationDate>20150805133813.889686Z</ModificationDate><Label>accounts.google.com(email)</Label><ProtectionClass>CLASS:6</ProtectionClass>
<Name>imap.gmail.com([email protected])</Name><Server>imap.gmail.com</Server><Account>email</Account><Data>password</Data><Protocol>IMAP</Protocol><Port>143</Port><AccessGroup>apple</AccessGroup><CreationDate>20121231124745.097385Z</CreationDate><ModificationDate>20121231124745.097385Z</ModificationDate><ProtectionClass>CLASS:7</ProtectionClass>
ElcomSoft.com Page 12
iOSkeychain(creditcarddata)
<Name>SafariCreditCardEntries (BBA00CB1-9DFA-4964-B6B8-3F155D88D794)</Name><Service>SafariCreditCardEntries</Service><Account>BBA00CB1-9DFA-4964-B6B8-3F155D88D794</Account><Data><Dictionary><CardholderName>NAME</CardholderName><ExpirationDate>DATE</ExpirationDate><CardNameUIString>Visa</CardNameUIString><CardNumber>NUMBER</CardNumber></Dictionary></Data><Comment>ThiskeychainitemisusedbySafaritoautomaticallyfillcreditcardinformationinwebforms.</Comment><AccessGroup>com.apple.safari.credit-cards</AccessGroup><CreationDate>20131016100432.283795Z</CreationDate><ModificationDate>20150826181627.118539Z</ModificationDate><Label>SafariCreditCardEntry:Visa</Label><ProtectionClass>CLASS:6</ProtectionClass>
ElcomSoft.com Page 13
iOS[backup]keychainprotectionclasses
kSecAttrAccessibleAfterFirstUnlock(7)Thedatainthekeychainitemcannotbeaccessedafterarestartuntilthedevicehasbeenunlockedoncebytheuser.
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly(10)Thedatainthekeychainitemcannotbeaccessedafterarestartuntilthedevicehasbeenunlockedoncebytheuser.
kSecAttrAccessibleAlways(8)Thedatainthekeychainitemcanalwaysbeaccessedregardlessofwhetherthedeviceislocked.
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnlyThedatainthekeychaincanonlybeaccessedwhenthedeviceisunlocked.Onlyavailableifapasscodeissetonthedevice.
kSecAttrAccessibleAlwaysThisDeviceOnly(11)Thedatainthekeychainitemcanalwaysbeaccessedregardlessofwhetherthedeviceislocked.
kSecAttrAccessibleWhenUnlocked(6)Thedatainthekeychainitemcanbeaccessedonlywhilethedeviceisunlockedbytheuser.
kSecAttrAccessibleWhenUnlockedThisDeviceOnly(9)Thedatainthekeychainitemcanbeaccessedonlywhilethedeviceisunlockedbytheuser.
• xxxThisDeviceOnly:encryptedusingdevice-specifichardwarekey(canbeextractedfrom32-bitdevicesonly)• Allothers:inpassword-protectedlocalbackups,encryptedwiththekeyderivedfrombackuppassword
ElcomSoft.com Page 14
iTunesbackuppasswordbreaking
§ Getmanifest.plist§ GetBackupKeyBag§ Checkpassword
§ iOS3▫ pbkdf2_sha1(2,000)
§ iOS4to10.1(but10.0)▫ Sameasabove,but10,000iterations
§ iOS10.0▫ Sameasaboveworks▫ Singlesha256hashisalsostored
§ iOS10.2+▫ pbkdf2_sha256(10,000,000)▫ pbkdf2_sha1(10,000)
§ UnwrapAESkeyfromKeyBag§ Decryptkeychain(+otherfiles?)
Hashesaresalted,sonorainbowtablesL
ElcomSoft.com Page 15
macOS keychain
ElcomSoft.com Page 16
iClouddataprotection
https://support.apple.com/en-us/HT202303
Mostofthedata:Aminimumof128-bitAESencryptioniCloudKeychain:Uses256-bitAESencryptiontostoreandtransmitpasswordsandcreditcardinformation.Alsousesellipticcurveasymmetriccryptographyandkeywrapping.
Keyisstoredalongwiththedata(exceptjusttheiCloudkeychain)!
• Notificationtoemailwhenthedataisaccessed• Accountmightbeblockedduetosuspiciousactivity(new!)• Two-stepverification(legacy,notrecommended)• Two-factorauthentication
• Immediatepushnotificationtoalltrusteddevices• Havetoallowaccess• Securitycode
• Aspushnotification• BySMStotrustedphonenumber• Generatedbytrusteddevice
Workaroundfor2FA:useauthenticationtokenfromthedevice(iPhone/iPad/iPod),PCorMac
ElcomSoft.com Page 17
iCloudsign-in
ElcomSoft.com Page 18
AboutiCloudkeychain
ElcomSoft.com Page 19
SetupiCloudkeychain– no2FA
ElcomSoft.com Page 20
Setup2FA
ElcomSoft.com Page 21
SetupiCloudkeychain–2FA
ElcomSoft.com Page 22
iOS11and2FA
ElcomSoft.com Page 23
iCloudsyncmodes
Recovery: recoveryfromkeychainbackup/storageintheiCloud
com.apple.sbd3(SecureBackupDaemon)
Keepbackupofkeychainrecords,andcopyingtonewdevices(whentherearenewtrustedones)
Sync:real-timesyncingacrosscloudanddevices
com.apple.security.cloudkeychainproxy3
Supportfor“trustedcircle”,addingnewdevicestoitetc
ElcomSoft.com Page 24
iCloudcircleoftrust
iOSSecurityGuide:https://www.apple.com/business/docs/iOS_Security_Guide.pdf
• Keychainsyncing• Circleoftrust• Publickey:syncingidentity(specifictodevice)• Privatekey(ellipticalP256),derivedfromiCloudpassword• Eachsynceditemisencryptedspecificallyforthedevice
(cannotbedecryptedbyotherdevices)• OnlyitemswithkSecAttrSynchronizable aresynced
• Keychainrecovery• Secureescrowservice(optional)• No2FA:iCloudsecuritycodeisneeded(+SMS)• No2FA,noiCSC:recoveryisnotpossible• 2FA:devicepasscodeisneeded• HardwareSecurityModule(WTFisthat?J)
ElcomSoft.com Page 25
iCloudkeychainrecoverymode
3:keyversion(GCMorCBCalgorythm;GCMhere).6:recordprotectionclass(KeyBag#6 here)0x48: wrappedkey sizeNext:encryptedkeydata
ElcomSoft.com Page 26
iCloudkeychainrecoveryprotection(no2FA)
iCSC- iCloudSecuritycode
NoiCSC
Syncmodeonly.KeychainrecordsarenotstoredintheiCloudandcannotberecoveredifalltrusteddevicesarelost/Accessispossibleonlythroughpushnotificationtothetrusteddevice.Themostsafe/secureconfig?;)
iCSC isset
• Pushnotificationtotrusteddevice(asabove)• iCSC pluscodefromSMS(6digits)
Note:iCSC isnotstoredanywhereinthecloud,justitshash(inEscrow).Threeoptionsareavailable:
• Simple(4or6digits,dependsoniOSversion)• Complex(anysymbols,upto32)• Device-generated/random(24symbols)
ElcomSoft.com Page 27
iCloudkeychainrecoveryprotection(2FA)
Foreverydevice,separaterecordiscreated(atEscrowProxy):
com.apple.icdp.<deviceHash>
Contents:BackupBagPassword(randomlygenerated)
Usage:RFC6637toencryptkeysfromiCloudKeychainKeybags
ElcomSoft.com Page 28
Escrowproxyarchitecture(1)
Escrowproxy
• SRP(SecureRemotePassword)protocol• SafefromMITM• Doesnotneedpasswordtobetransferredatall(evenhash)• Doesnotkeeppasswordonserver
ElcomSoft.com Page 29
Escrowproxyarchitecture(2)
CloudKeychainrecordsofinterestatEscrowProxy
• com.apple.securebackup: keepBackupBagPasswordfrom Keybag,whereiCloudKeychainisstoredfor‘fullrestore’
• com.apple.icdp.<deviceHash>:BackupBagPasswordfrom iCloudKeychainindividualrecordsfromgivendevices,storedforpartialrecovery
ElcomSoft.com Page 30
Escrowproxyarchitecture(3)
No2FA (iCSC)and2FA(DevicePasscode):
• Clientgeneratesrandom25-symbolKeyBagKey• PBKDF2(SHA256,10000)togenerateiCSC/passcodehash• KeyBagKey isencryptedwithAES-CBCusinghashasakey• EncryptedKeyBagKey isstoredinEscrowProxy
Note:if‘random’optionisselectedasiCSC,thenitisnothashed,andsaved‘asis’ItisfurtherusedforencryptingKeyBag withsetofkeysforiCloudKeychain.
ElcomSoft.com Page 31
EscrowproxyAPI
Command Action
/get_club_cert Returnscertificate,associatedwithaccount
/enroll Addnewsecurerecord
/get_records Getlistofstoredrecords
/get_sms_targets Getphonenumber,associatedwithaccount
/generate_sms_challenge Sendsapprovalcodeviasms toassociatednumber
/srp_init InitializesauthenticationviaSRP-6aprotocol
/recover SRPauthenticationfinalization.returnssecurerecordsonsuccess
/update_record Updatesrecordsinformationassociatedwithaccount
ElcomSoft.com Page 32
Escrowproxy:‘public’records
• Infoonkeyusedforprotection• Numberoffailedretries• Devicedata(model,version,passwordstrength)• ListofkeysforKeyBag decryption• ProtectedStorageServiceslist
ElcomSoft.com Page 33
SRPprotocol(v6)
iCSC-iCloudSecureCodeH–SHA256N,g–2048-bitgeneratorofthemultiplicativegroup(RFC5054)
TheuserenrollpasswordverifierandsalttoEscrowCache.EscrowCachestorespasswordverifierandsalt.
<salt>=random()x=SHA(<salt>|SHA(<dsid>|":"|<iCSC>))<passwordverifier>=v=g^x%N
Ifcom.apple.securebackup recordexists,thatmeansthatiCloudSecurityCodeisset.Otherwise,EscrowProxy containscom.apple.icdp.record.hash_of_device records,soiCloudKeychaincanbesyncedwhenoneofdevicepasswordsisprovided.
ElcomSoft.com
Recordname AuthenticationType
com.apple.securebackup MME+SMS
com.apple.icdp.record.hash_of_device PET
com.apple.protectedcloudstorage MME
AuthenticationtypeforaccessofEscrowrecord
Page 34
Escrowproxy– accesstokens
• No2FA,iCloudSecurityCode:MMEtokenisenough;validationusesSMStotrustednumbersetinaccount
Howtoobtain:sameasforbackups,synceddata,iCloudPhotoLibraryetc
• 2FA,devicepasscode:PET(PasswordEquivalentToken);TTL=5minutes
Howtoobtain:passGSAauthentication(toapproveshort-timeaccessfromthegivendevice);newinmacOS10.11
ElcomSoft.com Page 35
Keychainissyncmode
Circleoftrust
trusted
trustedtrusted
Nottrusted
Insyncmode,KeyBag maycontainasfullrecordsinrecoverymode(BackupKeyBag,com.apple.securebackup.record)ortombs,uniqueforeverydomain(HomeKit,Wi-Fietc)
ElcomSoft.com Page 36
Tombs
• Keybag &metadata(ASN.1format)
• Keychain:recordsforthegivendomain,encryptedwithKeybag
• WrappedKey(foreveryRecordID):Keybag keywrappedwithRFC6637
Todecrypt
• gettombsfromcom.apple.sbd• findallRecordIDs• getBackupBagPassword forthe
givenRecordID,usingpasscodeofthedevice
• unwrapKeyBag key• decryptkeysfromKeyBag• DecryptKeychainrecords
ElcomSoft.com Page 37
Othercomponentsandalternativeapproaches
GSA(GrandSlam Authentication)
• gsa.apple.com• basedonSRPprotocol• introducedinmacOS 10.10(basic)• improvedinmacOS 10.11
AnisietteData
• MachineID +OTP• MachineID (60bytes):uniquefordevice• OTP(24bytes):random;refreshedevery
90seconds• codeishardlyobfuscated• implementedinApplePrivateAPI
Continuationtoken
• obtainedthroughGSA• meanstogettokensforotherservices• noneedtokeepAppleIDandpasswordon
device• canbeusedtogetupdated tokenswithshort
TTL• forfurtherrequests:useAlternateDSID &
Continuationtoken insteadofAppleID &password
ElcomSoft.com Page 38
Demo
No2FA
• AppleID• Password• iCloudsecuritycode• SMStotrustednumber
2FA
• AppleID• Passwordnoneedtopass2FAontrustedDesktop
• Passcodeofenrolleddevice
ElcomSoft.com Page 39
Conclusions/risks
• Syncandrecovery:differentapproaches• Trustedcircle:nothardtogetin,butleavestraces• Bothsyncandrecoverycanbeused(mixed)• Needtohavecredentials• Needtohavetrusteddevice
…orSMS• NeedtoknowiCSC
…ordevicepasscode• Legacy2SV:forgetit• With2FA,keychainisalwaysstorediniCloud• No2FA,noiCSC:mostsafefromTLA?
• GetContinuationtoken(+machineID) toobtainfullaccesswithoutanythingelse!• …implementationisstillrelativelysecureJ
ElcomSoft.com Page 40
Wait,onemorething…
• iCloudKeychaincontainsmoredatathanofficiallydocumented:notjustpasswords,butalsotokens(e.g.to2FA-protectedsocialnetworkaccounts)
• iCloudKeychainisbeingactivatedrightwhenyouenable2FA (orevenalwaysexist??),thoughcontainsonlysystemkeys,notuserdata
• iCloudKeychaincontainsencryptionkeyusedtolocksomenewiClouddata(iOS11)
• iCloudKeychainapproachcanbeusedeffectivelywhenlocalkeychainisnoteasilyaccessible
Whatelsedoyouhidefromus,Apple?:)
ElcomSoft.com
Thanks!Questions?
ElcomSoft
Page 41