As it turns out, the same mechanism that provides your iOS 7 device with a potential back door can also be used to help secure your device should it ever fall into the wrong hands. This article is a brief how-to on using Apple’s Configurator utility to lock your device down so that no other devices can pair with it, even if you leave your device unlocked, or are coerced into unlocking it yourself with a passcode or a fingerprint. By pair-locking your device, you’re effectively disabling every logical forensics tool on the market by preventing it from talking to your iOS device, at least without first being able to undo this lock with pairing records from your desktop machine. This is a great technique for protecting your device from nosy coworkers, or cops in some states that have started grabbing your call history at traffic stops. Whatever the reason, pair locking will likely leave the person dumbfounded as to why their program doesn’t work, and you can easily just play dumb while trying not to snicker. The best thing about this technique is, unlike my previous technique using pairlock, this one doesn’t require jailbreaking your phone. You can do it right now with that shiny new iOS 7 device.
A pairing is a trusted relationship with another device, where a computer is granted privileged, trusted access on the iPhone. In order to have the level of control to download personal data, install applications, or perform other such tasks on an iOS device, the machine it’s connected to must be paired with the device. This is what iTunes and Xcode do to talk to the phone, but also what forensic recovery tools and a number of free hacking tools do as well. Once paired, these keys remain stored on the device indefinitely, until you perform a restore or wipe the phone some other way, and can access the phone even when it’s locked, both over USB and WiFi. A pairing record is like a skeleton key to your iPhone or iPad. With it, someone can download all of your personal data from any application (including third party applications), install invisible applications (even onto your non-jailbroken phone) that run in the background, activate the device’s built-in packet sniffer to monitor your network traffic, and much more nefarious things… and do all of this either from USB or over WiFi, and without any visual indications to you. Much of this can also be done while the device is locked, regardless of whether you’re using a fingerprint reader or not, as long as you have a pairing record. Personal data can also be acquired from the phone regardless of whether backup encryption is turned on or not, and a number of forensics tools and open source tools (like iMobileDevice) know how to get to this decrypted data.
So what’s the best way to protect yourself from all of these? Pair-lock your device. By pair-locking your device, you’re preventing anyone from dumping data from your phone, installing malicious applications, or doing anything else to it – even if the phone leaves your physical possession, and even if you are forced to give up the PIN code, or unlock it with your fingerprint. When a device is unwilling to create a new pairing session with a desktop machine, nothing can talk to it through its proper interfaces – not forensics tools, not iMobileDevice tools, nothing. And that means unless you have a really old phone with a hardware exploit, there’s no way they’ll be able to dump data from it. In order for them to get at your data, they’d have to steal the pairing record that your own personal desktop has created for the device; if you’re smart enough to be reading this, you’re likely smart enough to also encrypt your hard drive. On a Mac, you’ll find a copy of your pairing record in /var/db/lockdown. Guard it well.
To get started, download the latest Apple Configurator from the Mac App Store. This is a free download. The Configurator is designed to enroll devices in enterprise (corporate) profiles, to place restrictions on them and allow them to be supervised by a security team. You’ll be using it to enroll your own device in your own private security policy. Before you do anything, visit the preferences, and make sure the Configurator won’t trash all of your applications every time you manage a device.
When you run the Configurator, you’ll have three tabs: Prepare, Supervise, and Assign. You’ll first use the Prepare tab to prepare an iOS 7 device to be supervised.
Enter a name for your supervision profile. I simply call mine “Supervised Device”, although you could name yours “Bob’s iPhone”, or whatever. Next, decide if this machine is the only machine you’ll ever, and I mean ever, want to pair this phone with. If it is, then un-check the checkbox named Allow devices to connect to other Macs. If, on the other hand, you might want to allow this phone to some day pair with other computers, then leave this box checked. Either choice is OK: in both cases, you’ll still be able to lock and unlock the pairing capabilities of the device.
If you’ve opted to allow the device to (sometimes) connect to other computers, you’ll next want to create a profile, which you’ll use to lock and unlock the pairing.
Assign a name to the profile. I simply call mine Pairing Profile. If you want to be able to remove the profile from the device, you can set a password required to remove it on the device, or for best security, select Never. Next, click on the Restrictions tab and scroll down to the restriction titled Allow pairing with non-Configurator hosts (supervised only). This is your lock switch. To disable any new pairing with the device, uncheck this restriction. Later on, you’ll be able to edit this profile whenever you want to pair the device with a new host.
Once you’ve finished making these changes, save the profile and then click the Prepare button at the very bottom of the Configurator. The Configurator will then download and re-install the iOS 7 firmware (be sure to back up your device first), and will install this supervision profile on the device.
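To double-check the lock switch outside the Configurator window, this added example (not from the original article or from Apple) audits an unsigned profile plist. The keys allowHostPairing and PayloadRemovalDisallowed come from Apple's configuration profile format; that Configurator's restriction and its "Never" removal setting map to them, and the sample profile itself, are assumptions.

```python
import plistlib

# Constructed sample profile (not exported from Configurator);
# names and identifiers are placeholders.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Pairing Profile",
    "PayloadIdentifier": "example.pairing.profile",
    "PayloadRemovalDisallowed": True,   # assumed equivalent of removal "Never"
    "PayloadContent": [
        {
            "PayloadType": "com.apple.applicationaccess",  # Restrictions payload
            "PayloadIdentifier": "example.pairing.profile.restrictions",
            "allowHostPairing": False,  # the lock switch
        }
    ],
}


def audit_pairing_profile(raw):
    """Return a list of findings; an empty list means pairing is locked."""
    profile = plistlib.loads(raw)  # unsigned profiles only; signed ones are CMS-wrapped
    findings = []
    restrictions = [
        p for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == "com.apple.applicationaccess"
    ]
    if not restrictions:
        findings.append("no Restrictions payload: pairing is not restricted")
    for payload in restrictions:
        # A missing key falls back to the default, which allows pairing.
        if payload.get("allowHostPairing", True):
            findings.append("allowHostPairing is not false: new hosts may pair")
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile can be removed on the device")
    return findings


if __name__ == "__main__":
    problems = audit_pairing_profile(plistlib.dumps(SAMPLE_PROFILE))
    print("pairing locked" if not problems else "\n".join(problems))
```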
Congratulations! At this point, your device should refuse to pair with any computer, even if it’s unlocked. You won’t be prompted to Trust anything, because it will simply fail. Even if you lose your device or are coerced into unlocking it, they won’t be able to get a logical dump of the device because they won’t be able to pair with it. The system log on the device shows what’s happening internally:
Sep 19 23:53:59 lockdownd <Notice>: 00241000 mc_allow_pairing: hostMayPairWithOptions said no
Sep 19 23:53:59 lockdownd <Notice>: 00241000 handle_pair: pair for BOGUS failed: PasswordProtected
Sep 19 23:53:59 lockdownd <Notice>: 00241000 set_response_error: handle_pair PasswordProtected
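These log lines also tell you when someone has tried to pair with your device. The following added example (not part of the original article) scans a saved device syslog for rejected pairing attempts and notes whether the profile restriction was what refused them. It assumes the hexadecimal field after the log level identifies one lockdownd connection, and it tolerates an optional hostname and PID that the excerpt above does not show.

```python
import re

# The three lines quoted in the article, one per line.
SAMPLE_LOG = """\
Sep 19 23:53:59 lockdownd <Notice>: 00241000 mc_allow_pairing: hostMayPairWithOptions said no
Sep 19 23:53:59 lockdownd <Notice>: 00241000 handle_pair: pair for BOGUS failed: PasswordProtected
Sep 19 23:53:59 lockdownd <Notice>: 00241000 set_response_error: handle_pair PasswordProtected
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?:\S+\s+)?lockdownd(?:\[\d+\])?\s+<\w+>:\s+"
    r"(?P<conn>[0-9a-fA-F]+)\s+(?P<func>\w+):\s+(?P<msg>.*)$"
)
PAIR_FAIL = re.compile(r"pair for (?P<host>\S+) failed: (?P<error>\w+)")


def denied_pairings(log_text):
    """Return one dict per failed pairing attempt found in the log."""
    policy_said_no = set()  # connections the profile restriction has refused
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a lockdownd line in the expected shape
        conn, func, msg = m["conn"], m["func"], m["msg"]
        if func == "mc_allow_pairing" and msg.endswith("said no"):
            policy_said_no.add(conn)
        elif func == "handle_pair":
            fail = PAIR_FAIL.search(msg)
            if fail:
                events.append({
                    "time": m["ts"],
                    "host": fail["host"],
                    "error": fail["error"],
                    # True when the supervision profile refused this attempt
                    "policy_denied": conn in policy_said_no,
                })
                policy_said_no.discard(conn)
    return events


if __name__ == "__main__":
    for ev in denied_pairings(SAMPLE_LOG):
        reason = "blocked by profile" if ev["policy_denied"] else "failed"
        print(f'{ev["time"]}  pairing from {ev["host"]} {reason} ({ev["error"]})')
```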
If you open up Settings on your device and view the Profiles under General, you should see your pairing profile, and a restriction preventing the device from pairing with any new devices.
If you set the profile up to be removable with a password (or Always, even), then you can remove the pairing lock at any time by just tapping remove. For ultimate security, set the removal to Never.
Now let’s say a few months go by and you decide you want to pair your device with a computer at work, or some other machine. To unlock the pairing again, you’ll need the computer you originally set this up with (unless you’ve backed up your pairing record and set up Configurator somewhere else). Launch the Configurator, click on the Supervise tab, and click on your device.
In the profiles window, you should see the Pairing Profile you created. Double-click on it, and bring up the same restrictions window you used to restrict pairing. Now, simply put a checkmark to allow pairing with non-Configurator hosts, and click Save. Click Refresh and revisit the setting to ensure that the change took. You can then disconnect your device and connect it up to any other machine to pair with it. (NOTE: If you run into issues, try power cycling the device for the setting to take). You should be prompted with a Trust dialog prior to pairing, just like old times. Just be sure to disable pairing again when you’re finished, using the same steps.
The advantage to this technique is very good pairing security. In fact, in order to remove the supervision profile, the intruder would need to erase the contents of your device. Someone would need to have physical possession of and full access to both your iOS device and your desktop computer in order to undo this pairing lock to perform a forensic extraction or any other kind of analysis.
The disadvantage is that you can’t simply decide you’re going to pair while you’re out somewhere. You can, if you made the profile removable, but then you’ll need to reinstall the profile to lock pairing again, which will require a desktop. Pairing has to be a conscious decision, and takes time to verify that you have rights to the device’s content. Then again, shouldn’t it have always been this way? It’s a bit of a chore, but is well worth the added security.
NOTE: This doesn’t guarantee some law enforcement agency won’t send your phone to Apple to be imaged. Apple has the technical capability to override this type of security, if they figure out what’s going on. Of course that doesn’t necessarily mean their tools are set up to deal with this. Because this doesn’t fix the inherent problem of encryption not being fully incorporated into iOS, someone like Apple (who has code execution abilities on all devices) could still run a ram disk to image the device.