In association with heise online

Cracking the chains

Getting at the keychain's protected data is slightly more involved. While it is possible to copy the keychain-2.db database, the passwords in it are stored only in encrypted form, and they are encrypted with a key that is available only on the iPhone itself. Access through the keychain API, in turn, is gated by code signing and entitlements. Here, too, the jailbreaking community has done the required prep work: the patched kernel that the tethered jailbreak boots already waves through any code signature, and Jay Freeman (aka saurik) has developed a small tool called ldid that lets users pseudo-sign their own binaries and embed entitlements in them.

Up close on the iPhone under our control
This allows a homemade app to be given every keychain access group that appears in the keychain database. Alternatively, one can use the undocumented entitlement value Bédrune and Sigwald discovered, which grants unrestricted access to all keychain items regardless of their access group. Armed with it, a small app can read and output every item in the iPhone's keychain. The security researchers have even built a KeychainViewer app that lets users rummage through the keychain items of a jailbroken iPhone directly on the device.

The last remaining bastion is the data that is additionally protected by the passcode. For these items the key is derived from the passcode itself, so bypassing the operating system's checks is not enough: decrypting them requires the passcode. Even that obstacle, however, is not insurmountable.

A normal passcode consists of four digits, so there are only 10,000 possible combinations. That is adequate against an attacker typing guesses by hand, particularly if the device is set to erase its data after ten failed attempts. If an injected program does the trying, however, such a passcode no longer provides any protection worth mentioning.

On an iPhone 4, it takes less than half an hour to crack a four-digit passcode

Cracking passcodes by brute force on an iPhone 4 (time to try every combination)

Passcode                                      Time
4 digits                                      < 30 minutes
6 digits                                      ~2 days
8 digits                                      6 months
6 lower-case letters                          ~1.5 years
4 characters, digits and lower-case letters   ~3 days
6 characters, digits and lower-case letters   ~10 years

In particular, these cracking programs bypass the API's passcode verification functions entirely; they are therefore neither slowed by its deliberate, built-in delays, nor do their failed attempts advance the counter that triggers a self-destruct if one is enabled. The two researchers' implementation decrypts a passcode-protected key by trying every possible digit combination in sequence; it recognises wrong guesses because the result fails an integrity check.

A user only gets the big buttons if they restrict their long passcode to numbers
iOS also offers longer passcodes, which may contain letters and special characters. Although this significantly improves resistance to trying all combinations, hardly anyone uses extended passcodes in practice.

One of the reasons is that users have to memorise a longer character sequence and enter it over and over again. And if the passcode contains non-numeric characters, all of it must be typed on the normal touch-screen keyboard, which is significantly more awkward than the large number keys of the simple unlock dialogue. Users are likely to mistype, especially when in a hurry.

Opened up

The H's associates at heise Security put Bédrune and Sigwald's tool collection to the test. With a little tinkering, they managed to perform a tethered boot of a locked iPhone that started a patched kernel and installed an SSH server, as well as various other tools, on the device.

The program determined the passcode, 1234, by brute force in three and a half minutes, and it tested all 10,000 possible combinations in less than half an hour. After rebooting, they were able to remove the passcode, and the iPhone was freely accessible. Furthermore, they created a complete backup of all files with scp over SSH and retrieved the keychain entries, including the user's email, Wi-Fi and VPN passwords. They had overcome every hurdle: the secrets of a technically locked iPhone were at their fingertips.

The whole procedure, including the required prep work, took less than an hour, and no traces of it were left on the iPhone once it had been rebooted. The tools that are freely available on the internet are not plug-and-play; however, with a compiler and a little patience, they can be made to run.

Exploring the iPhone's data with HFSExplorer
The tool collection can do quite a bit more; it amounts to a toolbox for forensic examiners. For instance, it allows the raw disk image (rdisk0s2s1) to be copied out over the USB port, which yields a complete image of the flash memory including all user data. Depending on the amount of storage installed, this may take a few hours. A modified version of HFSExplorer can then be used to rummage around the file system.


When an iPhone goes missing, whoever finds it can access all the data it contains without major effort, even if a passcode is set. The only effective protection is a longer passcode, but that is so impractical for everyday use that it can't really be recommended.

The only exceptions are programs, such as some online banking apps, that encrypt all their data separately and ask for the encryption password every time they are started. However, not even these programs can be trusted unreservedly to safeguard the data on a lost phone. There is a danger that the developer has been careless and stored the password itself in the keychain, in plain text, instead of a hash of it. This was, for instance, the case in the popular iControl online banking app.

The best protection against losing your stored data along with your iPhone is a "remote wipe". After receiving this remotely issued delete command, the iPhone discards its crypto keys and reverts to its factory condition. In a test, The H's associates at heise Security were indeed unable to find any remaining personal data on the device.

The obvious catch is that a clever thief could try to prevent such a kill command from ever arriving by immediately removing the SIM card and keeping the device off Wi-Fi. And even when a confirmation email arrives saying that the wipe command has been accepted and executed by the device, users can't be entirely certain that this is true: the confirmation email carries no digital signature and can therefore easily be forged. The best evidence of authenticity is the time stamp of the remote wipe command, which a thief would hardly be able to guess.

Incidentally, Apple's smartphone and its iPad tablets share the same general security mechanisms, so the techniques for accessing an iPhone's data also apply to an iPad. The only exception is the iPad 2, for which no jailbreak had been released at the time of writing.

The H also has three tips to help you secure your iPhone or iPad more effectively; as this article shows, it won't be an unbreakable data vault, but the tips will make life harder for people who want to get their hands on your personal information.
