
iOS 8 Protection Mode Bug: Some User Files At Risk of Exposure

On September 24, 2014 by Jonathan Zdziarski

Apple’s recent security announcement suggested that they no longer have the ability to dump your content from iOS 8 devices:

“On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

It looks like there are some glitches in this new encryption scheme, however, and some of the files being stored on your iOS 8 device are not getting encrypted in this way. If you copy files over to your device using iTunes’ “File Sharing” feature or sync videos that appear in the “Home Videos” section of iOS, these files are not getting placed under the protection of your passcode. Theoretically, Apple could dump these in Cupertino, if given your locked iPhone.

As I pointed out in a recent blog post, law enforcement forensics tools can still dump a lot of data from iOS 8 devices too, if they seize your desktop/laptop and copy a pairing record. There was one caveat to this, however, and that was if your device was shut off, they could not get to any of that data until the user entered their passcode again. It looks like, due to this glitch, at least some files are accessible, even if the device has been powered down.

This all came out of a brief discussion this morning with a fellow colleague in the forensics world, Kevin DeLong, who has been teaching forensics investigation classes for years now. He noted that one of the tools he’s been using, iFunbox (a freeware tool to access data on your iPhone), was somehow able to access some of his application files even after rebooting his phone. This conflicted with what we know about the escrow bag stored in pairing files, which normally can’t unlock encryption after a device is rebooted, until the user first enters their passcode. After doing some protocol-level testing, I was able to reproduce this, as well as identify a number of files in iOS 8 that are getting assigned the wrong protection class, and do not get encrypted with keys dependent on the passcode, as Apple claims.

This is likely just a bug, and I suspect once Apple understands what’s going on, they’ll issue a fix. But for now, it’s important to note that the following data may be at risk under certain circumstances (such as being detained at an airport, even if you shut your phone down).

  • Any files copied over from iTunes using “File Sharing” under “Apps”.
  • Any videos copied in from iTunes that fall under the “Home Videos” section of the Videos app. This likely extends to music videos and movies.
  • Any databases stored in Third Party applications are protected, but their -shm (shared-memory write-ahead index) counterpart files are at risk.

Apple has not given any indication that they would be willing to dump this information on behalf of law enforcement, but until they fix the protection classes that these files are assigned, the technical possibility exists to copy this data off without having the passcode.
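For third-party developers who want to see which files in their own app's container are reported outside the passcode-dependent class (including the -shm files mentioned above), here is an added example; it is not code from this post or from Apple. It uses Foundation's file protection attribute, and the names `ProtectionFinding`, `auditProtection` and `logUnprotectedFiles` are hypothetical; it assumes the attribute the API reports reflects the class the file was actually assigned.

```swift
import Foundation

// Added example: the type and function names here are hypothetical.
struct ProtectionFinding {
    let path: String        // relative to the scanned root
    let protection: String  // reported class, or "none" if the key is absent
    let isShmFile: Bool     // SQLite -shm companion of a database
}

/// Walks `root` and returns every regular file whose reported Data Protection
/// class is anything other than NSFileProtectionComplete.
func auditProtection(under root: String) -> [ProtectionFinding] {
    let fm = FileManager.default
    var findings: [ProtectionFinding] = []
    guard let walker = fm.enumerator(atPath: root) else { return findings }
    for case let relative as String in walker {
        let full = (root as NSString).appendingPathComponent(relative)
        guard let attrs = try? fm.attributesOfItem(atPath: full),
              (attrs[.type] as? FileAttributeType) == .typeRegular else { continue }
        let cls = attrs[.protectionKey] as? FileProtectionType
        if cls == .complete { continue }  // tied to the passcode; nothing to report
        findings.append(ProtectionFinding(
            path: relative,
            protection: cls?.rawValue ?? "none",
            isShmFile: relative.hasSuffix("-shm")))
    }
    return findings
}

/// Call from inside an iOS app (for instance in a debug build).
/// NSHomeDirectory() is the app's own sandbox container.
func logUnprotectedFiles() {
    for f in auditProtection(under: NSHomeDirectory()) {
        let tag = f.isShmFile ? " [SQLite -shm]" : ""
        print("\(f.protection)\t\(f.path)\(tag)")
    }
}
```

Files listed with a class other than `NSFileProtectionComplete` are the ones to review; whether an app can reassign the class on the affected files under this bug is not something the post establishes.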

Take appropriate steps to protect your data. To protect yourself from forensics tools, follow these instructions to pair lock your iOS device, so that a new pairing cannot be created, even if you’re compelled to give up your passcode. Encrypt your desktop/laptop so that pairing files cannot be copied off while it is properly shut down.

I have filed this bug with Apple as bug #18439395.

 

 

All Content Copyright (c) 2000-2022 by Jonathan Zdziarski, All Rights Reserved