How to Pair-Lock Your iOS Device

You know that saying, that you’ve slept with every partner that your partner has ever slept with? The same is true of your iPhone; not sex of course, but pairing. If you’re not familiar with how pairing works on your iPhone or iPad, this is the mechanism by which your desktop establishes a trusted relationship with your device so that iTunes, Xcode, or other tools can talk to it. Once a desktop machine has been paired, it can access a host of personal information on the device, including your address book, notes, photos, music collection, sms database, typing cache, and can even initiate a full backup of the phone. Once a device is paired, all of this and more can be accessed wirelessly at any time, regardless of whether you have WiFi sync turned on. A pairing lasts for the life of the file system: that is, once your iPhone or iPad is paired with another machine, that pairing relationship lasts until you restore the phone to a factory state.

Pairing is a relatively simple mechanism, and it works like this. Your desktop machine creates a private key and certificate. The device then provides its public key (a key that can be used to establish a secure session on the device). The desktop machine signs the device’s public key, and then provides the device with the signed certificate, as well as its own desktop certificate, allowing the device to establish a secure session with the desktop machine. This record is then stored both on the iOS device and on the desktop machine. On your iOS device, you’ll find a copy of all the pairing records in /var/root/Library/Lockdown/pair_records. The device also sends the desktop an escrow key, which can be used to access encrypted data even if the device’s screen lock is on. These are stored in /var/root/Library/Lockdown/escrow_records

What does all this mean? It means that any time you plug your iOS device into another computer, this trusted pairing relationship gets automatically created within seconds. The only time this doesn’t occur is if the device is locked with a PIN – and I mean really locked; if you have anything other than “Require Passcode: Immediately” set, then it will remain unlocked for a while even after you shut off the screen.

In addition to plugging into desktop machines, there have been a number of “other” ways to create a pairing record with an iOS device. A great demo was given at DefCon a while back about a technique called Juice Jacking, in which the victim plugs their USB cable into a public charging station (say, at an airport, or in a hotel), but is actually getting a lot more than a free charge. ¬†Juice Jacking describes a technique where the charge station actually performs a pairing with the device, and possibly even copies off personal data from it. Ever plug your iPhone into a clock radio at a hotel? If it had been tampered with, you may have been jacked in such a manner. A number of other tools also perform a pairing with your device before they can talk to it. These include a number of forensic imaging tools used by both law enforcement and pirated among criminals to commit identity theft. I’ve designed a small utility (which I have not released) that allows me to create a pairing record by connecting an iOS device to my iPad Mini, which is extremely portable, and takes only a few seconds while the target isn’t looking.

As I said, once someone has a pairing record created with the device, they have carte blanche access to a significant amount of personal data on the device – possibly all of it. This data can then be downloaded either over USB, or wirelessly across a WiFi network (or a cellular network, if you were a government agency able to get past the firewalls). And it can be accessed any time, without your knowledge.

By default, pairing is “always on”, you can’t turn it off on your iPhone, and so you are always at risk of accidentally pairing it with a malicious device. This is another example of where the Jailbreak community has been able to help secure your device, where Apple won’t. I wrote a small utility named pairlock, which can be run from the command prompt of your iOS device to enable or disable pairing. This is done by setting an attribute lock on the escrow_records and pair_records directories, causing all pairing attempts to fail. Download:¬†pairlock.zip

Simply copy pairlock into /usr/bin, and run it like so:

# pairlock lock

To enable pairing again, simply run:

# pairlock unlock

That’s it!

If you would like a GUI version of this app, you can soon also find a GUI version of PairLock in Cydia. I’ve tested on iOS 6 only.

About Jonathan Zdziarski

Respected in his community as an iOS forensics expert, Jonathan is a noted security researcher, penetration tester, and hacker. Author of many books ranging from machine learning to iPhone hacking and software development, Jonathan frequently trains many federal and state law enforcement agencies in digital forensic techniques and assists law enforcement and the military in high profile cases. Jonathan is also inventor on several US patent applications, father of DSPAM and other language classification technology, and an App Store developer. All opinions expressed on this website are the author's own. Follow Jonathan on Twitter: @JZdziarski
This entry was posted in Forensics, iPhone, Security. Bookmark the permalink.

Leave a Reply