A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group

A(not-so-quick)PrimeroniOSEncryptionDavidSchuetz-NCCGroup

Introduction

• DavidSchuetz• SeniorConsultant,NCCGroup• FocusonwebandiOSapplicationtesting• Cryptopuzzles(ShmooCon,VZDBIR,etc.)

• Volunteerconferencesupporttocommunity

NCCGroup

• BasedinManchester,UK

• ConsultingbusinessmostlyNorthAmerica

• Webandmobileapptesting,pentesting

• RMG,dedicatedCryptographypractice

• Alwayshiring• Stronginternprogram

• NYC,Chicago,Seattle,SanFrancisco,Austin• Evenremote!

Background

AncientHistory• CNET,May2013,claims“Applecanbypassthesecuritysoftware”:

• Bigbacklog(7weeks,onecasetook4months)

AncientHistory

• October2014:“Apple’scommitmenttoyourprivacy”

• ChangesiniOS8

• “Applecannotbypassyourpasscode”• “…nottechnicallyfeasible…torespondtogovernmentwarrants”

• Raisedlotsofquestions:

• Whatdoesthatmean?Whatdidtheydobefore?

• Whataboutotherattacks?Forensics?

• Suddenlygotalotmoreimportant

WhatdoesitMEAN?!?

• Backlogimplies:

• Can’tjustpluginanduseamagickey

• Couldbruteforcepasscodes,conceivably

• “ApplecanaffordaLOTofGPUcrackers…”• Itdoesn’tworkthatway

SohowdoesiOSencryptionwork?

• It’scomplicated,butalsofairlycomprehensive

• Someearlydetailsfiguredoutbyresearchers

• ExaminingandunderstandingpublishedAPIs

• Reverseengineering,breaking• Applepublishesan“iOSSecurity”paper• BeginninginMay2012

• Updatedannuallyorbetter• Coversencryption,ApplePay,lotsofotherthings

• ThistalkfocusesonEncryption

BasicsofiOSEncryption

HowiOSencryptionworksEffaceable

Storage

UIDKey 0x89B

Key 0x835

Stored in Hardware

Dkey

EMF

BAG1

Data Partition

Data FileFile KeyFile Data

Keybag

Class 11 Key

Class 1 KeyClass 2 KeyClass 3 Key

Passcode

Class 4 Key

Entered by User

Keychain File

Keychain Item

Data FileFile KeyFile Data

Passcode Key

Fulldiskencryption

• iPhone3GS/iOS3• DedicatedAESprocessor• LocatedinDMAchannelbetweenCPUandDisk

• Generatearandomkey(EMFkey)

• EncryptEMFkeyusingahardware-derivedkey(0x89b)

• StoreencryptedEMFkeyinspecialdiskarea

• Usethistoencryptfilesystemmetadata

iOS3-FDEEffaceable

Storage

UIDKey 0x89BStored in

HardwareEMF

Data Partition

Data File

Advantages

• Advantages• Fastwipe• Can’taccess/modifydatadirectly(withoutOS)

• Can’ttransferchipstoanotherdevice• Limitations

• Filesystemaccessgrantsaccesstoeverything

• Noadditionalprotectionswhenlocked

File-levelencryption

• DataProtectionAPIintroducediniOS4• Randomencryptionkeycreatedforeachfile

• Filekeyisencryptedusingaclasskey• Encryptedfilekeystoredwithfilemetadata

iOS4-DataProtectionAPI

Data Partition

Data FileFile KeyFile Data

Class 1 Key

Multipleclasses

• Defaultclass:• iOS4-6is“noprotection”• iOS7-9:CompleteuntilFirstAuthentication

• MostsystemappsthroughiOS7stillusedNone

Protection Class Description

None No additional encryption

Complete Unless Open Asymmetric, for locking while writing

Complete Until First User Authentication

Encrypted after reboot, until first time unlocked

Complete Encrypted whenever device is locked

Classkeysinthekeybag

Data Partition

Data FileFile KeyFile Data

Keybag

Class 11 Key

Class 1 KeyClass 2 KeyClass 3 KeyClass 4 Key

Keychain File

Keychain Item

Data FileFile KeyFile Data

DataProtection:None

• Class4orDisFileProtection“None”class• RandomDkeygenerated

• Encryptedwithkey0x835,derivedfromUID

• Encryptedkeystoredineffaceablestorage

DefaultprotectionkeyEffaceable

Storage

UIDKey 0x89B

Key 0x835

Stored in Hardware

Dkey

EMF

BAG1

Data Partition

Data FileFile KeyFile Data

Keybag

Class 11 Key

Class 1 KeyClass 2 KeyClass 3 KeyClass 4 Key

Keychain File

Keychain Item

Data FileFile KeyFile Data

Classkeyprotection

• Eachclasskeyisalsowrappedorencrypted• Usingtheuser’spasscodekey

• Entirekeybagisencrypted• Usingabagkey(storedineffaceablestorage)

• Whenpasscodeischanged,oldbagkeysdeleted

PasscodeandkeybagEffaceable

Storage

UIDKey 0x89B

Key 0x835

Stored in Hardware

Dkey

EMF

BAG1

Data Partition

Data FileFile KeyFile Data

Keybag

Class 11 Key

Class 1 KeyClass 2 KeyClass 3 Key

Passcode

Class 4 Key

Entered by User

Keychain File

Keychain Item

Data FileFile KeyFile Data

Passcode Key

PasscodeKDF

• PBKDF2,usingPasscode,Salt,UID,variableiterations

• Workfactordependsondevice

• Constanttime—approx.80mS/attempt

• A7onwardadda5seconddelay• DependsonUID,whichcan’tbeextractedfromphone

• Notpossibletobringtoyourcrackingcluster

Bruteforcingpasscode• Mustbeperformedonthedevice

• Signedexternalimage

• Usingabootromvulnerability

• 80mSperattempt

• Nowupto5sec,somultiplytableby~62

• Attemptescalation,auto-wipearepartofUI

• Whenbootedfromexternalimage,nolimitsComplexity Time

4-digit numeric 15 min6-digit numeric 22 hours

6-char lowercase 286 days6-char mixed case 50 years

Locking…

• FileProtectionCompletekeyremovedfromRAM

• AllCompleteprotectionfilesnowunreadable

• Otherkeysremainpresent

• AllowsconnectiontoWi-Fi

• Letsyouseecontactinformationwhenphonerings

• [Ioncefoundanedgecasewherethisdoesn’thappen…]

Changingpasscode…

• Thesystemkeybagisduplicated

• Classkeyswrappedusingnewpasscodekey(encryptedwith0x835key,wrappedwithpasscode)

• NewBAGkeycreatedandstoredineffaceablestorage

• OldBAGkeythrownaway• NewkeybagencryptedwithBAGkey

Rebooting…

• FileProtectionCompletekeylostfromRAM

• CompleteuntilFirstAuthenticationkeyalsolost

• Only“FileProtection:None”filesarereadable• AndthenonlybytheOSonthedevice• BecauseFDE

Wipingdevice…

• Effaceablestorageiswiped,destroying:• DKey:All“Fileprotection:none”filesareunreadable

• Bagkey:Allotherclasskeysareunreadable• EMFkey:Can’tdecryptthefilesystemanyway

Playitagain!

• FileisencryptedwithaFileKey• FileKeyencryptedwithClassKey• ClassKeyencryptedwithPasscodeKey• Passcodekeyderivedfrom:

• UID,0x835,Passcode

• KeybagencryptedwithBagKey• EntirediskencryptedwithEMFKey

• EMFkeyencryptedusing0x89b

• 0x89band0x835derivedfromUID

Data Partition

Keybag

Data File

File KeyFile Data

Class Key

BAG1

UID

Passcode

KDF

Passcode Key

Key 0x89B

EMF

Key 0x835

DKey

Disk

EffaceableStorage

System ona Chip(SoC)

WeaknessandAttacks

BreakingThroughtheCrypto

• Severalwaystogetaroundtheseprotections• Jailbreakingdevices

• Simplebugsinthesoftware

• Forensictoolsusingobscureorbrokenfeatures

• Specialboot-levelcapabilities

• Collectfromotherlocations(“Tothecloud!”)

Jailbreaking

• Exploitsbugsintheoperatingsystem

• Bypassescodesigning,sandboxes,etc.• Needstomodifyfilesystemtomaintainpersistence

• Jailbreakprocesscannotbypasscryptoonalockeddevice

• Butmayweakenit

• Generallyneedtounlock,install,rebootdevice:

• Jailbreakershavemuchlargerattacksurface

• Anyapporsystemprocessonunlockeddevice

Bugs

• Lockscreenbypasses• Reallyjustmovingfromoneapptoanother

• Cryptoprotectionsarestillinplace

• Limiteddataaccessibility

• Usuallyfixedquickly

• Maliciousapps

• Fromappstore

• Side-loadedwithenterprisecerts

• OS-levelproblems

ForensicCapabilities

• Nomagicchannelsjustforforensicstools

• Frequentlyusingsamebugsfoundbycommunity

• Methodsandcapabilitiesoftencloselyheld

• Difficulttofullyascertain

• Lockeddevice

• Facesameobstaclesaseveryoneelse

• Unlockeddevice

• Hiddenorlittle-understoodfeatures

• Specialdatabases,logs,etc.

• Treasuretroveofinfo

BootANewOS

• Multi-stepbootprocess

• LLB(low-levelboot)

• iBoot

• OSboot

• Signaturechecksateachstage

• OSimageencryptedforeachdeviceclass

• Keyderivedfrom“GID”codeinSoC

• Bugsonearlydevicesallowedbypassingsignature

• FixediniPhone4S,iPad2

TheCloud• Server-sidedatastorageverycommon

• Generous“basic”app-datastorageforfreefromApple

• User-paidiClouddata

• Third-partycloudstorage

• Appvendorservers

• Can’tgetdataonphone?Gotothenet

• ExamplesofiOSdatastoredoniCloud:

• Backups

• Notes,calendarentries,contacts

• App-specificdata

• iClouddrive-iWorkdata,etc.

MDMorDesktopSync

• SynctoiTunesgetslotsofdata• Butnokeychain,unlessthebackupisencrypted

• USBaccessontrusteddesktop• Usedtoallowaccesstomostalldata

• Nowonlyworksonbetaversionsofsoftware

• Couldcomebackwithoutwarning(bydesignornot)

• MobileDeviceManagement

• Ifenrolledandconfigured,canremotelyunlock• NeedsWi-Fiaccess

• Ifrebootedandnocellulardata—noMDM.

PrivacyTakesCenterStage

NewPublicFocus

• EncryptionfeaturesfairlystablesinceiOS4• Whyisthisabigdealnow?

• Softwarechanges• Newhardwarefeatures• Strongerpublicstanceonprivacy• Somewhatdrivenbypost-Snowdenconcerns

NewDataProtectionDefaults

• iOS7defaults:• 3rdpartyapps:CompleteUntilFirstUnlock

• Systemapps:None(exceptMail)

• NowSystemAppsdefaulttoUntilFirstUnlock

• Mostdataunreadableafterareboot

• AlsolimitedsandboxaccessoverUSB

• Cannolongeraccessallofapp’sfiles• Evenwhenunlocked• Evenwithtrustedcomputer

Seeforyourself

• iOS7phone:• Reboot,Callfromlandline

• Seefullcontactinformation(name,picture,etc.)

• iOS8or9:• Reboot,callfromlandline,justseephonenumber

• Unlock,lockagain,callagain• Nowyouseeeverything

SecureEnclave

• IntroducedwithiPhone5SandiOS7in2013• Specialsub-processorandstorage

• SeparatehardenedOS• Speciallyencryptedareaondisk

• Handlesmanyofthepasscodefeatures

• Notsurewhetherfailurecountsstoredthere

• Hardcoded5seconddelay

• Additionalfeaturesaddedovertime• Encryptionandpublickeys

• Notverywellunderstoodatthispoint

PublicCommitmenttoPrivacy

• Drawsalineinthesand• “Wesellproducts,notyourinformation”

• Wantscustomerstobeincontroloftheirdata

• Technicaladviceforstrongsecuritychoices• Promiseoftransparencyregardinggovernmentaccess

(Intense)SpotlightonSecurity

TheRoadtoSanBernardino

• Gradualsecurityimprovementsoveryears

• Snowdenrevelations• Publiccommitmenttoprivacyandsecurity

• Beginningsofpushbackfromlawenforcement

• SanBernardinoattack• FBIrequestscourttoorderassistancefromApple

• Strangersaskingmeaboutthecase

WhatFBIaskedfor

• Awaytobypasspasscodeguessinglimits

• “Customversionofoperatingsystem”

• “Tailoredtojustthisphone”

• Possible?Maybe.Probably.

• Agoodidea?• Applespentnearly100pagesexplainingwhynot

• FBIeventually….hiredhackers?….

How’dtheyfinallygetin?

• Manypossibilitieshavebeensuggested

• Mostlyjustspeculation

• Someideasmorelikelythanothers

• Someideasare…outthere.

ProbableAttackSurfaces

• Cryptography• Extensivelyused• Securityhighlydependentuponthisbeing“safe”

• Hardwareattacks• Ifyoucanholdit,youcanownit• Howmuchdoyouwanttospend?

• Softwarebugs• Theyhappentoeveryone• Alot

CryptographicAttacks• Tobootahackedimage:

• BreakintoAppleandstealtheirsecretkeys• OtherAppleservicesusetamper-resistantHSM

• Breaksignatureprocess• RSAsignatures

• SHA1hashes

• BootROMbug

• MajorcryptographicbreakinAES

• AllowderivationofUIDandofflinecracking• Allowdirectdecryptionofdatafiles

HardwareAttacks• De-captheSoC• FindtheUIDandextractit

• CopyencrypteddatafromNAND

• Brute-forcepasscodeonaGPUcluster

• Riskyandexpensive.Norecoverypath.

• Memorychipattacks

• Preventupdatingpasscodefailurecount

• Rollflashbacktopreviouscopywherecount=0

• Racecondition

• DetectfailurebeforeOScanupdatecount

SoftwareAttacks• Racecondition• Enterpasscode,dosomethingelseREALLYFAST

• Lockscreenbypass• Wouldn’tgetmuchdata

• Couldshowspringboard• Mightshowthatphonehadverylittledataanyway

• Otherattacks• Codeinjection• DFUoriTunesRestoreattacks• Wiredorwirelessattacksurfaces

LikelySuspects?

• NewBootROMbug

• Boothackedimagecontainingpasscodecracker

• Lockscreenbypass• Limiteddataextraction,butprovideswindow

• Otherbugsinlockscreen• Allowingforinterruptionoftimeoutorfailurecounting

• Attacharobot• Hardware-levelattacksonmemory

• Interruptingdatawritesorrestoringearliercopy

Howmuchcouldtheyget?

• Everything,rightaway?• Needsamajorcryptobug

• Everything,eventually?

• Passcodefailurecountbypasses

• Hardwareorsoftwareattacks

• Simpleintelandgeneralphoneusage?

• Lockscreenbypass

RemainingQuestions

Questionsfrom2014….

• CanApplebruteforcepasscodes?• Wouldthey?

• Couldtheybeorderedto?• Hasthishappenedalready?

MoreHardwareQuestions

• CantheSecureEnclavesoftwarebeupdated?• Toalterthepasscodefailureprotections?• Doesitrequiredevicebeunlocked?

• AreanyoftheSEfunctionsinROM?

• Whereisthefailurecountlocated?

• OnSoCorflash?• WillSEcodeenforce10-trylimit?

Conclusion

GeneralBestPractices

• GoodadviceonApple’sPrivacyandSecuritypages• SelectnewerdeviceswithSecureEnclave• Selectalongpasscode

• Alphanumericisbest

• Evenwith5-seconddelayinSecureEnclave

• UseTouchIDfor“typical”dailyuse• Butdon’tforgetthepasscode!

• Ifyou’rearrested,turnoffphone• Orquicklytrytounlockwithwrongfinger

• Afterafewtries,fingerprintsdisabled

Conclusion• iOSsecurityhighlydependentuponencryption

• Complexandcomprehensive

• Nopublicly-knownmajordesignflaws

• Bypassingencryptiondependsonbreakingpasscode• Hardwareattacks(potentiallyexpensive)• Softwarebugs(usuallyfixedquickly)• Stillaslowprocess

• Orbreakingcryptoingeneral• WhichbreaksEVERYTHING

• Userscanfightbackwithstrongpasscode

References

• Apple“iOSSecurity”paper• “iPhonedataprotectionindepth”(Sogeti,HITBAmsterdam2011)

• “EvolutionofiOSDataProtectionandiPhoneForensics:fromiPhoneOStoiOS5”,(Elcomsoft,BlackHatAbuDhabi2011)

ThankYou

DavidSchuetzSeniorConsultant,[email protected]

@DarthNulldarthnull.org