iPhone hardware encryption investigated
Users of Apple iPhone devices accumulate huge amounts of highly sensitive information stored in their smartphones.
The device caches historical geolocation data, viewed Google maps and routes, Web browsing history and call logs, pictures, email and SMS messages (including deleted ones), usernames, passwords, and nearly everything typed on the iPhone.
Some of that information is available in iPhone backups made with Apple iTunes software. However, the amount of information that can be extracted from phone backups is naturally limited.
Technically, each iPhone device uses a set of hardware-dependent encryption keys as well as data wipe keys buried securely in the iPhone’s protected storage area. If a data wipe key is lost or destroyed, all data stored in the iPhone is rendered inaccessible and, essentially, useless. If, however, those keys are extracted from the device, it becomes possible to perform forensic analysis of the iPhone device.
ElcomSoft researchers were able to develop a toolkit to not only extract all relevant encryption keys from iPhone devices running iOS 4, but to make use of those keys to decrypt iPhone file system dumps. This in turn can provide enhanced forensic access to all information stored in iPhone devices, even if the device is passcode-protected.
ElcomSoft enables near-instant forensic access to encrypted information stored in iPhone devices, and updates Phone Password Breaker with tools that can access protected file system dumps extracted from iPhone devices, even if the data is hardware-encrypted by iOS 4.
While iPhone backups store a lot of information about the usage of an iPhone device, they don’t have everything. From a forensic standpoint, dumping the contents of the physical device is the only proper way to handle an investigation.
“This time around it’s not about iPhone backups”, says Vladimir Katalov, ElcomSoft CEO. “Backups created with iTunes software already contain a lot of data, but not quite everything that’s being stored or cached in iPhone devices. In contrast, we were able to break into the heart of iPhone data encryption, providing our customers with full access to all information stored in iPhone devices running iOS 4”.
“Mobile forensic specialists are well aware of the amount of valuable information stored in these devices. Before our discovery, there was no way to get full access to all of that data”, he continues. “We are responsible citizens, and we don’t want this technology to fall into the wrong hands. Therefore, we made a firm decision to limit access to this functionality to law enforcement, forensic and intelligence organizations and select government agencies”.