Presentation: “Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage”. Author: V Katalov. File: “Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage.pptx”. Zip archive size: 7834 KB.

Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage

Contents of the presentation “Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage.pptx”
Slide | Text
1 Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage

REcon 2013
Oleg Afonin, ElcomSoft Co. Ltd.

2 The need for iOS forensics

- More than 5 years on the market
- 6 iPhones, 5 iPods, 5 iPads
- 600+ million iOS devices sold worldwide
- “Smart devices” – carry a lot of sensitive data
- Corporate deployments are increasing

3 iOS data protection

- Device passcode
  - Protects against unauthorized access to the device
  - Bypassing is not enough (used in encryption)
- Disk encryption
  - http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf
- Keychain
  - System-wide storage for sensitive data (keys, passwords etc.)
  - Data is encrypted

4 iOS forensics

- Logical acquisition (iTunes backups)
- Physical acquisition
- iCloud backups and storage

5 iOS forensics: Logical Acquisition

- “Ask” the device to produce backup
- Device must be unlocked (by passcode or iTunes)
- Device may produce encrypted backup
- Limited amount of information

6 iOS forensics: Physical Acquisition

- Boot-time exploit to run unsigned code or Jailbreak
- Device lock state isn’t relevant, can bruteforce passcode
- Can get all information from the device
- ... but not for iPhone 4S, 5 or iPad 4 :(

7 iOS 4+ passcode

8 iCloud

- Introduced in Oct 2011
- Introduced with iOS 5
- 5 GB free storage
- Up to 50 GB paid storage
- Over 300 million users in June 2013
- Backups, documents, notes, calendar, Find My Phone

9 iCloud services

10 iCloud Control Panel

11 iCloud backups: why

12 iCloud backup - what

- Contacts and Contact Favorites
- Messages (including iMessages)
- Call history
- Application data
- Device settings
- Camera roll (photos and videos)
- Purchases (music, movies, TV, apps, books)
- Mail accounts
- Network settings (saved Wi-Fi hotspots, VPN settings etc)
- Paired Bluetooth devices
- Offline web application cache/database
- Safari bookmarks, cookies, history, offline data
- ... and much more

13 iCloud backup - when

- Backup runs daily when the device is:
  - Connected to the Internet over Wi-Fi
  - Connected to a power source
  - Locked
- Can force backup: [Settings] | [iCloud] | [Storage & Backup] | [Back Up Now]

14 iCloud backup - how

15 iCloud CP: backups

16 Reverse-engineering iCloud backups

- Jailbreak iPhone
- Install OpenSSH, get keychain (keychain-2.db)
- [Settings] | [iCloud] | [Delete Account] | [Delete from My iPhone]
- [Settings] | [General] | [Reset] | [Reset All Settings]
- Reboot
- Set up Wi-Fi connection (proxy)
- Replace keychain with our own trusted root certificate (need key 0x835 & keychain)
- ... read all the traffic :)

Key 0x835: computed at boot time by the kernel. Only used for keychain protection.
key835 = AES(UID, bytes("01010101010101010101010101010101"))

17 iCloud backup protocol flow

- Dynamic: endpoints depend on Apple ID
- Built on Google Protocol Buffers (mostly)
- Files are split into chunks
- Apple provides file-to-chunks mapping, chunk encryption keys, and full request info to 3rd-party storage provider (Amazon/Microsoft)
- Encryption key depends on chunk data

18 Files in iCloud

19 iCloud backup: authentication

query: https://setup.icloud.com/setup/authenticate/$APPLE_ID$
    Authorization: Basic <authentication data>
    authentication data = mime64 (AppleID:password)
returns: mmeAuthToken, dsPrsID

example:
    GET /setup/authenticate/$APPLE_ID$ HTTP/1.1
    Host: setup.icloud.com
    Accept: */*
    User-Agent: iCloud.exe (unknown version) CFNetwork/520.2.6
    X-Mme-Client-Info: <PC> <Windows; 6.1.7601/SP1.0; W> <com.apple.AOSKit/88>
    Accept-Language: en-US
    Authorization: Basic cXR0LnRld3RAaWNtb3VkLmNvbTqRd2VydHkxMjM0NQ==

20 iCloud backup: get auth token, backup IDs, keys

query: https://setup.icloud.com/setup/get_account_settings
    Authorization: Basic <authentication data>
    authentication data = mime64 (dsPrsID:mmeAuthToken)
returns: mmeAuthToken (new/other one!!)

query: https://p11-mobilebackup.icloud.com/mbs/(dsPrsID)
    Authorization: <authentication data>
    authentication data = mime64 (dsPrsID:mmeAuthToken)
returns: list of backup IDs (backupudid)

query: https://p11-mobilebackup.icloud.com/mbs/2005111682/(backupudid)/getKeys

21 iCloud backup: download files (1)

- Enumerate snapshots
    HTTPS GET https://p11-mobilebackup.icloud.com/mbs/(dsPrsID)/(backupudid)/(snapshotid)/listFiles?offset=(offset)&limit=(limit)
- Get file authentication tokens
    HTTPS POST https://p11-mobilebackup.icloud.com/mbs/(dsPrsID)/(backupudid)/(snapshotid)/getFiles
- Get URLs for file chunks
    HTTPS POST https://p11-content.icloud.com/(dsPrsID)/authorizeGet

22 iCloud backup: download files (2)

Download chunks

- Windows Azure:
    http://msbnx000004.blob.core.windows.net:80/cnt/g6YMJKQBPxQruxQAr30C?sp=r&sr=b&byte-range=154-31457433&se=2013-06-07T10:14Z&st=2013-06-07T09:19Z&sig=0EdHy75gGHCee%2BjKePZBqz8xbWxpTxaYyASwFXVx2%2Fg%3D
  'se' contains iCloud authorization time (expires in one hour)
- Amazon AWS:
    http://us-std-00001.s3-external-1.amazonaws.com/I9rh20QBPX4jizMAr3vY?x-client-request-id=739A222D-0FF5-44DD-A8FF-2A0EB6F49816&Expires=1371208272&byte-range=25556011-25556262&AWSAccessKeyId=AKIAIWWR33ECHKPC2LUA&Signature=PxAdegw0PLyBn7GWZCnu0bhi3Xo%3D
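
An added example, not part of the original slides: for anyone reviewing proxy logs or packet captures that contain such chunk URLs, this parses the validity window and byte range out of both URL styles. The sample URLs are constructed from the slide's timestamps and ranges with placeholder object names and signatures, and the function names are this example's own.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed samples: timestamps and byte ranges are the slide's values;
# object names, key id and signatures are placeholders.
AZURE_URL = ("http://msbnx000004.blob.core.windows.net:80/cnt/EXAMPLECHUNK"
             "?sp=r&sr=b&byte-range=154-31457433"
             "&se=2013-06-07T10:14Z&st=2013-06-07T09:19Z&sig=PLACEHOLDER")
AWS_URL = ("http://us-std-00001.s3-external-1.amazonaws.com/EXAMPLECHUNK"
           "?Expires=1371208272&byte-range=25556011-25556262"
           "&AWSAccessKeyId=PLACEHOLDER&Signature=PLACEHOLDER")
AZURE_TIME = "%Y-%m-%dT%H:%MZ"


def describe_chunk_url(url):
    """Return provider, scheme, validity window and size of a chunk URL."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    first, last = (int(n) for n in query["byte-range"].split("-"))
    info = {"scheme": parts.scheme,
            "bytes": last - first + 1,  # assumes an inclusive range
            "not_before": None}
    if "se" in query:  # Azure: st = start time, se = expiry time
        info["provider"] = "azure"
        info["not_before"] = _utc(query["st"])
        info["expires"] = _utc(query["se"])
    elif "Expires" in query:  # Amazon: Expires = Unix time
        info["provider"] = "aws"
        info["expires"] = datetime.fromtimestamp(int(query["Expires"]),
                                                 tz=timezone.utc)
    else:
        raise ValueError("no expiry parameter in URL")
    return info


def _utc(text):
    return datetime.strptime(text, AZURE_TIME).replace(tzinfo=timezone.utc)


def valid_at(url, when):
    """True if the signed URL was inside its validity window at `when` (UTC)."""
    info = describe_chunk_url(url)
    started = info["not_before"] is None or when >= info["not_before"]
    return started and when < info["expires"]
```

The scheme field is worth recording too: both sample URLs are plain http, so the signed URL is visible to anything on the path for as long as it is valid.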

23 iCloud encryption

- Data stored at 3rd-party storage providers is encrypted
- Apple has encryption keys to that data
- Some files are further encrypted using keys from OTA (over-the-air) backup keybag
- Keychain items are encrypted using keys from OTA backup keybag
- Need key 0x835 (securityd) to decrypt most keys from OTA backup keybag

24 iCloud backups - summary

- There is no user-configurable encryption for iCloud backups
- iCloud backups are stored in Microsoft and Amazon clouds in encrypted form
- Apple holds encryption keys and thus has access to data in iCloud backups
- If Apple stores 0x835 keys then it can also have access to Keychain data (i.e. passwords)
- Apple may have legal obligations to do this (e.g. legal enforcement)

25 iCloud protocol changes (March 2013)

Added:
    X-Apple-MBS-Protocol-Version: 1.7
    Accept: application/vnd.com.apple.mbs+protobuf
    X-Apple-Request-UUID: 4EFFF273-5611-479B-A945-04DA0A0F2C3A
Changed:
    X-MMe-Client-Info: <iPhone4,1> <iPhone OS;5.1.1;9B206> <com.apple.AppleAccount/1.0 (com.apple.backupd/(null))>
    User-Agent: MobileBackup/5.1.1 (9B206; iPhone4,1)
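
An added example, not from the slides or from Apple: a check over intercepted request logs that parses the X-MMe-Client-Info layout quoted above and flags backup-host requests that do not present as the iOS backup client. The host pattern, the expectation that only iOS talks to the mobilebackup hosts, and the cross-check between the two headers are assumptions inferred from the samples on the slides.

```python
import re

# Assumption of this example: on the mobilebackup hosts only the iOS backup
# client is expected, identified by the header values shown on the slides.
BACKUP_HOST = re.compile(r"^p\d+-mobilebackup\.icloud\.com$")
UA = re.compile(r"^MobileBackup/(\S+) \(([^;]+); ([^)]+)\)$")


def parse_client_info(value):
    """Split '<model> <os;version;build> <client>' into its parts."""
    fields = re.findall(r"<([^<>]*)>", value)
    if len(fields) != 3:
        raise ValueError("unexpected X-MMe-Client-Info layout")
    os_parts = [p.strip() for p in fields[1].split(";")]
    if len(os_parts) != 3:
        raise ValueError("unexpected platform field")
    return {"model": fields[0], "os": os_parts[0], "version": os_parts[1],
            "build": os_parts[2], "client": fields[2]}


def review(host, headers):
    """Return the reasons a logged backup request does not look like iOS."""
    if not BACKUP_HOST.match(host):
        return []
    h = {k.lower(): v for k, v in headers.items()}  # header names vary in case
    try:
        info = parse_client_info(h.get("x-mme-client-info", ""))
    except ValueError as err:
        return [str(err)]
    reasons = []
    if info["os"] != "iPhone OS":
        reasons.append("platform is %r" % info["os"])
    ua = UA.match(h.get("user-agent", ""))
    if ua is None:
        reasons.append("User-Agent is not MobileBackup")
    elif ua.groups() != (info["version"], info["build"], info["model"]):
        reasons.append("User-Agent and client info disagree")
    return reasons


# Constructed log records; header values are the ones quoted on the slides.
IOS = {"X-MMe-Client-Info": "<iPhone4,1> <iPhone OS;5.1.1;9B206> "
       "<com.apple.AppleAccount/1.0 (com.apple.backupd/(null))>",
       "User-Agent": "MobileBackup/5.1.1 (9B206; iPhone4,1)"}
PC = {"X-Mme-Client-Info": "<PC> <Windows; 6.1.7601/SP1.0; W> <com.apple.AOSKit/88>",
      "User-Agent": "iCloud.exe (unknown version) CFNetwork/520.2.6"}
```

Both headers are client-supplied, so an empty result is not proof of a genuine device; the check only surfaces clients that make no attempt to look like one.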

26 Find My Phone

27 FindMyPhone protocol

How: just sniffing HTTP traffic (www.icloud.com, Find My Phone)

Authorization:
- validate: https://setup.icloud.com/setup/ws/1/validate
  - ClientBuildNumber=1M.63768 (constant)
  - ClientId (random GUID)
  - <- instance
- login: https://setup.icloud.com/setup/ws/1/login
  - AppleID
  - extended_login
  - id=sha1(apple_id+instance)
  - password
  - <- dsid

Get devices with location:
- initClient: https://p11-fmipweb.icloud.com/fmipservice/client/web/initClient
- refreshClient: https://p11-fmipweb.icloud.com/fmipservice/client/web/refreshClient
- id
- dsid
- <- content (location)

Notes:
- Requesting location via Find My Phone makes push request to the iOS device if Find My Phone and Location Services are enabled
- Constant location requests quickly drain iPhone battery, device heats up, can be noticed
- Location information stored for 3 hours

28 FindMyPhone - demo output

29 iCloud documents

- iCloud: documents in iWork format only
- EPPB: all formats

30 iCloud CP: documents

31 Get files from iCloud

To get list of files
1. Authentication request (with given AppleID & password). Client gets mmeAuthToken in return; which, in turn, is used to create authentication token (together with dsid). dsid (Destination Signaling IDentifier) is a unique ID assigned to the user when registering at iCloud.com.
2. Request to get AccountSettings. Client gets a URL (ubiquityUrl) with an address to get UUID (unique user identifier), file list, info on file tokens and for authorization.
3. Request to get file list (POST). Output (for every file):
   - file name
   - file id
   - parent folder id
   - last change time
   - checksum
   - access rights

To download a given file
1. Request to get a file token (using file id, checksum and aliasMap).
2. Authorization request. Returns information on file chunks and containers. Output: container list (with URLs) and chunk information.

32 iCloud backup: packages

- KeyNote: PDF, Microsoft PowerPoint, KeyNote ’09
- Pages: PDF, Microsoft Word, Pages ’09
- Numbers: PDF, Microsoft Excel, Numbers ’09
- Some other programs (1Password etc)
- Many documents are stored as packages
- Storage: plist + content (text, media files)

Requests:
- Validate: https://setup.icloud.com/setup/ws/1/validate
- Login: https://setup.icloud.com/setup/ws/1/login
- Export: https://p15-ubiquityws.icloud.com/iw/export/(dsid)/export_document?...
- Check export status: https://p15-ubiquityws.icloud.com/iw/export/(dsid)/check_export_status?...
- Download converted file: https://p15-ubiquityws.icloud.com/iw/export/(dsid)/download_exported_document?

33 iCloud docs: demo output

34 Possible usage

- Backups in iCloud
  - near-realtime acquisition (SMS, iMessage, mail, call logs)
  - browse backup data without actual device
  - download only data of specific type
- Find My Phone
  - keep track using Google Maps (or whatever)
  - track enter/leave pre-defined area
  - 2+ devices simultaneously (meeting alert)
- Documents in iCloud
  - open from 3rd party apps
  - track changes
  - download unsupported document data
- Forensics!

35 The Tools

Elcomsoft Phone Password Breaker
www.elcomsoft.com
- Retrieves all iCloud backups (last 3 backups are stored)
- Wireless or fixed connection
- Downloads individual files or converts to iTunes format
- Access to iCloud backups from the PC
- Incremental backups (faster downloading)
- On-the-fly decryption
- No 2FA warning

36 The Tools

Oxygen Forensic Suite
www.oxygen-forensic.com
- Comprehensive forensic analysis
- Built-in and third-party applications
- Deleted data analysis (from application databases)
- Calls, messages, contacts, event log, tasks, GPS locations
- Timeline: all user and system activities in a single view
- Communication circles
- Multiple devices analysis: investigates interactions among users of multiple mobile devices

37 Apple 2FA

Requires you to verify your identity using one of your devices before you can:
- Sign in to My Apple ID to manage your account.
- Make an iTunes, App Store, or iBookstore purchase from a new device.
- Get Apple ID-related support from Apple.

Does NOT protect:
- iCloud backups (could it ever?)
- Find My Phone data (the only authorized device stolen?)
- Documents stored in the cloud

Notification:
- iCloud backups restored onto a new iOS device = email from Apple
- iCloud backups retrieved with EPPB = no email

38 Apple 2FA (Two-step Verification)

39 Apple iOS 7 what’s new

- Disabling location services in iOS 7 now requires Apple ID password (better chances of finding stolen devices)
- Keychain can be synced between Mac OS X and iOS
- Keychain can be stored in iCloud, requires separate password
- Icons Downright Ugly

40 Apple iOS 7

41 iCloud keychain

42 iCloud keychain - cont-d

43 Conclusion

- Balance between security, privacy and convenience
- iCloud security risks
- Use additional encryption
- Better 2FA implementation
- Need further work (photo streams, 3rd party apps data: 1Password etc)

44 Windows Phone backups

What is saved:
- Internet Explorer Favorites
- List of installed apps
- Theme and accent configuration
- Call history
- App settings (where applicable - email and accounts, lock screen etc)
- Text messages (SMS conversations)
- Photos (good quality - uses data allowance)

Can get with LiveSDK:
- Basic user information
- Contacts
- Calendars
- Files, photos, videos, documents

Download full backup?

45 Thank you

Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage

http://www.elcomsoft.com
http://blog.crackpassword.com
Facebook: ElcomSoft
Twitter: @elcomsoft

REcon 2013
Oleg Afonin, ElcomSoft Co. Ltd.
