1234, 0000, 2580, 1111, 5555, 2222, and 1212 –Whilst not the strongest of PIN passcodes, statistics show that these are amongst the most common codes used by mobile phone users worldwide. There are limitations posed by the Pin Lock feature, as those of you who have enquired with us regarding the Apple iPhone would be aware. The level of background security developed by Apple has proven troublesome for digital forensic experts and law enforcement worldwide. The US National Security Agency has recently marketed the Smartphone as secure for governmental use, after many failed attempts at accessing the device. You’ll now find that UK government departments and many top commercial organisations have ditched their existing Blackberry Smartphones for the Apple iPhone. But why is the iPhone’s security so good? And what can IntaForensics do to try and bypass it?
Back in 2007, the original iPhone was laughed at by the hacking community for its poor implementation of security features. Essentially, every application written by Apple ran with “Root” privileges, allowing complete control over the entire phone. Therefore, hackers could access and take over the phone from the inside. This was rectified the following year, and since then, Apple has built upon the security of its Smartphone, changing the way apps are programmed and introducing additional security features year on year. This makes it one of the most secure Smartphones on the market.
The iPhone has always included the PIN lock feature, but only since the 3GS has this feature been a strong enough to prevent serious attacks. Developments in both hardware and software on an annual basis continue to strengthen the link between the two and in turn improve upon its security. Apple have implemented an optional feature within the iOS devices, the device can automatically wipe itself after a certain number of failed PIN attempts. This reduces the risk of information being leaked if the iOS device is lost or stolen. Because of this feature, specific mobile forensic equipment is necessary for safe access to the data.
This hardware security involves the incorporation of the AES encryption algorithm. AES encryption has been used since the 90’s and is widely known as the most secure form of encryption available, adopted by the US National Security Agency for encrypting classified data. It is widely thought that no computer for the foreseeable future would be able to guarantee breaking the random 256bit AES key in a realistic timescale.
Apple has stated that the AES key within each iPhone or iPad is unique to each device, and is considered to be a truly random key generated by the systems random number generator. This unique key is not recorded by Apple or any of its suppliers to maintain total security. Apple updated the use of AES encryption by placing the hardware that encrypts the data between the Flash storage and the iPhones main memory, meaning that when data is requested from the internal flash memory it is automatically decrypted and then encrypted when saved back to it. In addition, the AES 256 keys are fused into the application processor during manufacturing. Apple burns these keys into the silicon preventing them from being tampered with or bypassed. Only the AES engine can access this.
What we do
Recovery of iPhone, iPad and iPod Touch passcodes is possible on a number of models, but not all. Data is recovered by first entering the device into DFU (Device Firmware Update) mode. This is a mode primarily used to connect to iTunes to allow for updating firmware on devices which have become corrupt. From DFU mode, an exploit is used in combination with a custom kernel and a RAM disk. This exploit is very similar to how a handset is “jailbroken”, the main difference being that all data is being loaded into RAM and not onto the handsets internal memory. This allows for tools to be executed to create a physical image of the device, recover the devices secret files and brute force the device passcode in order to bypass it.
Brute-Force is a method of attempting every single passcode from 0000 to 9999 on the handset. The passcode is brute-forced on a level lower than the operating system with far greater speed. If you were to manually brute force the password on the device it would automatically lock the handset after 10 unsuccessful attempts. Or, if the user has it setup the option to automatically erase the phone, this would also occur. Using the RAM disk bypasses this limitation. If time is important then it is possible to bypass a passcode completely, this is particularly useful on devices with a complex passcode set.
The extraction of data from iOS devices in undoubtedly a complex and dynamic process, and with ever changing security being implemented, the IntaForensics team have to be on the ball with new iOS software and hardware releases. Although access to the phone varies on the device, it is important to keep your information secure.
If you’re interested in finding out whether the IntaForensics experts could help you with Mobile Phone Analysis or Data Recovery, simply give us a call on 0845 009 2600. You can also send us an email at firstname.lastname@example.org with further details about your enquiry, and we’ll be in touch as soon as possible.