There’s been a lot of confusion about Apple’s recent statements in protecting iOS 8 data, supposedly stifling law enforcement’s ability to do their job. FBI boss James Comey has publicly criticized Apple, and essentially blamed them for the next hundred children who get kidnapped. While Apple’s new security improvements have made it a lot harder to get to certain types of data, it’s important to note that there are still a number of techniques that can be employed against iOS 8, with varying levels of success. Most of these are techniques that law enforcement is already doing. Some are part of commercial forensics tools such as Oxygen and Cellebrite. The FBI is undoubtedly aware of them. I’ll outline some of the most common ones here.
I’ve included some tips for those of us who are concerned about data security. Security researchers, journalists, law abiding activists, diplomats, and many other types of high profile individuals should all be practicing good data security, especially when abroad. Foreign governments are just as capable of performing the same forensics techniques that our own government is capable of, and there is an overwhelming amount of information suggesting that all of these classes of individuals have been targeted by foreign governments.
Dumping With a Pair Record
The guys over at Black Bag wrote a great piece outlining the forensic seizure practices that law enforcement agencies should use to properly secure an iOS device. They made a few important observations, too. First, they acknowledged that, prior to iOS 8, LE has been using the file_relay service as a backdoor to dump data from iOS with a pairing record, as I’ve outlined in numerous papers, talks, and articles. Commercial tools have been around for a year or two to do this very thing. Apple finally fixed this with iOS 8, by closing off the service (and severely downplaying its capabilities), however a number of other services can still be abused to obtain clear text copies of third party application data and the user’s media folder, as I previously outlined. Black Bag also recommends that law enforcement incorporate keeping the device from shutting down in their seizure practices. This is because the encryption locks when the device is rebooted. Due to a protection mode bug, however, even after a reboot some third party application files and media files are still readable without first unlocking the device. The data that can be dumped in clear text with a pair record in iOS 8 is limited to only media and third party application data – which is a significant improvement over previous versions of iOS, which gave up almost all the user data.
What this means to you: law enforcement seizure practices have already begun gravitating toward seizing desktops and laptops that are potentially paired with your devices. This is most easy to do at an airport during a customs check, but also during an arrest. When going through a security checkpoint, or any time you feel as though your equipment might be at risk of seizure, it’s important to power off your iOS device to lock the encryption. Of course, make sure your laptops have full disk encryption and are completely powered down going through security checkpoints.
Attack the Backup Encryption
There are two ways to get a copy of a backup: off of the subject’s desktop machine, or if the device is unlocked (or the passcode / fingerprint is compelled from the suspect), one can be made. If the user didn’t use a backup password, the backup gives up all of the user data on the iPhone. But even if you set a backup password, the encrypted backups can be attacked with tools such as Elcomsoft Phone Password Breaker. If you use a weak backup password, password breakers could potentially run on desktop machines (which are much faster than the iPhone) and attack the encryption used to protect the backup. If cracked, all of the data on the device becomes accessible. This could take years, if you use a sophisticated passcode, however many criminal cases have been known to carry on for years.
What this means to you: it’s critical you set a complex backup password and enable pair locking on your device. More on this in the conclusion.
Monitor the Device via Cell Towers
Cell tower triangulation (location) has been around since the 1970s. Call and data interception, eavesdropping, trap and trace, and persistent monitoring are all also possible from the cell tower, regardless of the model of phone. Even a completely locked down iPhone or Blackphone is susceptible to this kind of monitoring. The federal government has full access to cellular companies who can, with a warrant, perform all of these functions.
What this means to you: as long as you are carrying your device, you are susceptible to eavesdropping. To ensure the privacy of your in-person conversations and your location, leave the device at home, or consider a good quality faraday bag. Simply powering the device off will not guarantee privacy.
iCloud Backups / Photo Stream
As I’ve mentioned in previous posts, iCloud’s default behavior is to enable photo stream and backups. If you haven’t disabled either of these, your data is sitting on iCloud, and can be acquired with a search warrant to Apple.
What this means to you: you shouldn’t be using iCloud to store any data you don’t want to be subject to government… and not just your government: Apple has filed amicus briefs with the court complaining that international treaties have been broken in some cases, where governments have obtained data not stored on their own soil, or about individuals who are not citizens of the requesting country.
Unless you turn Siri off while locked (in Touch ID and Passcode settings), anyone (not just law enforcement) can state a number of commands to read your contacts, incoming texts, email, and other data from your phone by simply abusing the Siri interface. I have seen a few exhaustive lists of commands used widely in LE to read the data off locked devices using Siri, and have even included these commands in some of my classes to law enforcement / military forensics investigators. Touch ID makes it much easier to turn Siri off while locked; you can simply press Home with your thumb, authenticate, then press and hold the Home button again to invoke Siri.
What this means to you: you should shut off Siri when locked to avoid letting someone interrogate her.
Third Party Trace
While the data on your iPhone may be more secure, the trace you leave behind while communicating with others online leaves trace on other computers. There’s email, gmail, texts and photos existing on third party devices, search logs, proxy logs, NSA Prism data (whatever that looks like), Internet packet interception (call register), online account seizure, forum posts (which can be acquired under subpoena), and if you’re a really naughty boy (or girl), there’s also NSA’s TAO group to hack into your machines.
What this means to you: you should use full disk encryption, not send anything out into the ether that you want to keep private, employ good network/device security, and especially good OPSEC. Use tools such as PGP to ensure that emails get encrypted. Use Signal on an iPod (which doesn’t have a tappable baseband like the iPhone does) to make secure phone calls. Use other forms of encryption to help ensure secure communication.
While the iPhone sports encryption that’s on by default (once you set a passcode), most criminals have proven to be too dumb to use encryption on their desktops. As a result, iPhone backups, pairing records, as well as copies of all sorts of incriminating data that may be stored on a suspect’s desktop machine is child’s play to intercept.
What this means to you: encrypt your desktops with full disk encryption, and don’t leave your computers lying around screen-locked. If you’re a journalist, diplomat, or CEO and have exceedingly sensitive information on your laptop, consider using secondary encryption such as a TrueCrypt container with hidden volume, for that data.
ZRT and Analog Tools
ZRT and other such tools are ways to streamline photographing / video recording the data on the iPhone screen when there are no forensic techniques available to access the device. If the suspect is compelled to give up their passcode or fingerprint, and the phone can’t be dumped, tools like ZRT helps to ensure the data visible on the iPhone’s screen is admissible in court.
What this means to you: anything you can visible see on your iPhone may be readable into evidence, if you are compelled to give up your passcode or fingerprint. To ensure your fingerprint isn’t “faked”, at least ensure that your device is powered down when going through a security checkpoint, or any other circumstances where you fear the device may be seized. This will cause the device to require a passcode upon boot.
Kidnapping is generally a very low-tech crime; it’s one step above smash-and-grab. So you’re not dealing with very sophisticated criminals here. In all likelihood, even their iPhones aren’t properly secured, and with a PIN or pair record, a complete backup could be dumped from the device. On the other hand, journalists, diplomats, and the like have a very strong motivation to want to adequately protect their data from foreign governments (and in some cases, their own government).
I can’t stress how important it is for those interested in data security to pair lock their device. Pair locking prevents anyone from creating a backup or dumping any data, even if they have the passcode or your fingerprint. Even if your backup is encrypted, it is still susceptible to attack by EPPB and other tools, and so a big step to preventing that is to prevent the phone from being willing to generate a backup. Properly protect your pair records by encrypting your desktop machine. Maybe at some point in the future, Apple will encrypt the pairing record with a password (stored on the keychain?) so that they can’t be stolen and used on any other computer to access your content.
Also ensure you set a good, complex passcode and not just a four-digit PIN. While Apple doesn’t appear to be breaking passcodes, if anyone is able to get root level code execution on the device, a four digit PIN can be easily brute forced. The Touch ID makes it much easier to set a very complex passcode. In addition to this, set a very complex backup password that would be very hard to crack with server-grade hardware. I’d recommend at least 16-20 characters, and avoid using words or phrases. Use many symbols, and even consider using alternative keyboards on devices that permit it (such as emoji, unicode or Greek incorporated into your passcode). Mac desktops let you do this, but unfortunately, the iPhone doesn’t yet.
The FBI’s recent technical arguments about the iPhone are not at all credible. There are still many ways in which law enforcement can, and will, seize data from criminals’ iOS devices. Those with the know-how to properly secure their devices from this type of seizure are not at all likely to be the kind of people who commit the crimes the FBI is citing in their hypothetical examples. The FBI isn’t the only one with these capabilities, and if you’re in a likely class of people to be targeted, you may consider taking these steps to help prevent your data from being exposed.