breaking into the icloud keychain · icloud keychain: uses 256-bit aes encryption to store and...

ElcomSoft.comElcomSoft.com © 2017

Vladimir KatalovElcomSoft Co.Ltd.Moscow, Russia

BreakingintotheiCloudKeychain

ElcomSoft.com

[Someof]ourcustomers

ElcomSoft.com

Whatdowewanttohacktoday?

1.Alluser’spasswords2.Creditcarddata

ElcomSoft.com

What’sinsidethesmartphone?

(tip:almosteverything)

• Contacts&calendars• Calllogsandtextmessages• Emailsandchats• Accountandapplicationpasswords• WebandWi-Fipasswords• Creditcarddata• Documents,settingsanddatabases• Webhistory&searches• Picturesandvideos• Geolocationhistory,routesandplaces• 3rd partyappdata• Cachedinternetdata• Systemandapplicationlogs• Socialnetworkactivities

ElcomSoft.com

§ Problems§ Differentplatforms(Apple,Google,Microsoft)§ Manyvendor-specificclouds§ 3rd partycloudservices§ Credentialsneeded(passwordortoken)

§ Profits§ Nophysicalaccessneeded§ Maybeperformedsilently

§ Backup§ Nostandardwaytoget§ Mightnotbeavailable§ Almostalldatafromdevice

§ Sync§ Limitedsetofdata§ Mostcriticalreal-timedata§ Syncedacrossalldevices

§ Storage§ Onlyfiles/documents§ Easytoaccess

Dataacqusition methods|Cloudacquisitionprosandcons

§ JTAG/chip-off§ Notestaccessportonmanydevices§ Fulldiskencryption

§ Physical§ Limitedcompatibility§ Datamaybeencrypted

§ Logical§ Limitedcompatibility§ Bypassingscreenlockisneeded

§ Cloud§ Limitedsetofdata// oh,really?J§ Needcredentials§ Legalproblems

ElcomSoft.com

§ Fulldevicebackupsaresometimesavailable

§ 3rd partyapplicationdataisusuallynotavailable

§ Passwordsareadditionallyencryptedwithhardware-specific key

§ Dailybackups(inbestcase,untilforcedfromthedevice)

§ Backupscannotbeforcedremotely

§ 3rd partysoftwareisneeded

§ Almostnowaytomanage

§ Slowaccess,longdownload

§ Accountmightbelockeddueto‘suspiciousactivity’

Cloudservices:backups[iCloud]

ElcomSoft.com

Cloudservices:synceddata[iCloud]

§ Contacts§ Calllog§ Messages(SMS/iMessage,CallKit-compatibleapps)§ Calendars§ Mail(onlycloud-based)§ Internetactivities(visitedsites,searches)§ Mediafiles(photos,videos)§ Gamingdata§ Passwords§ Healthdata§ Creditcards

Other• ApplePay• Homedevices• Wallet• Maps(searches,bookmarks,routes)• Books• News,weather• Locationdata

ElcomSoft.com

MoreiClouddata

• Accountinformation• iCloudstorageinformation

• Contactinformation(billing/shippingaddress,emails,creditcards(last4digits)

• Connecteddevices• Customerservicerecords• iTunes(purchase/downloadtransactionsand

connections,update/re-downloadconnections,Matchconnections,giftcards)

• Retailandonlinestoretransactions• Maillogs• Familysharingdata• iMessage andFaceTimemetadata

• Deleteddata?

ElcomSoft.com

Applekeychains

§ iOSkeychain

§ Local(encryptedbackup)§ Local(notencryptedbackup)§ iCloud

View(iOS10):Settings|Safari|Passwords,AutoFillView(iOS11):Settings|Accounts&Passwords|App&WebsitePasswordsProtection:itdependsDecrypt/export:noway(3rd partysoftwareonly)

§ OSX(macOS)keychain

View:Keychainutility(onebyone)Protection:password(bydefault,sameaslogon)Decrypt/export:3rd partysoftwareonly

§ iCloudkeychain

View:Onlywhen/ifsyncedwithlocaldeviceProtection:well,strongJDecrypt/export:?

ElcomSoft.com

Backupvs iCloudkeychains

Backup iCloudWi-Fi + +

Websites + +

Creditcards + +

App-specific + Itdepends

AirPlay/AirPort + +

Encryptionkeys&tokens + Itdepends

Autocomplete + -

KeychaininiCloudbackupshavemostdataencryptedwithdevice-specifickey

ElcomSoft.com

iOSkeychain– passwords(Wi-Fi,email,webform)

<Name>AirPort(APname)</Name><Service>AirPort</Service><Account>APname</Account><Data>APpassword</Data><AccessGroup>apple</AccessGroup><CreationDate>20121231120800.529226Z</CreationDate><ModificationDate>20121231120800.529226Z</ModificationDate><ProtectionClass>CLASS:7</ProtectionClass>

<Name>accounts.google.com(email)</Name><Server>accounts.google.com</Server><Account>email</Account><Data>password</Data><Protocol>HTTPS</Protocol><AuthenticationType>form</AuthenticationType><Description>Webformpassword</Description><AccessGroup>com.apple.cfnetwork</AccessGroup><CreationDate>20150705071047.78112Z</CreationDate><ModificationDate>20150805133813.889686Z</ModificationDate><Label>accounts.google.com(email)</Label><ProtectionClass>CLASS:6</ProtectionClass>

<Name>imap.gmail.com([email protected])</Name><Server>imap.gmail.com</Server><Account>email</Account><Data>password</Data><Protocol>IMAP</Protocol><Port>143</Port><AccessGroup>apple</AccessGroup><CreationDate>20121231124745.097385Z</CreationDate><ModificationDate>20121231124745.097385Z</ModificationDate><ProtectionClass>CLASS:7</ProtectionClass>

ElcomSoft.com

iOSkeychain(creditcarddata)

<Name>SafariCreditCardEntries (BBA00CB1-9DFA-4964-B6B8-3F155D88D794)</Name><Service>SafariCreditCardEntries</Service><Account>BBA00CB1-9DFA-4964-B6B8-3F155D88D794</Account><Data><Dictionary><CardholderName>NAME</CardholderName><ExpirationDate>DATE</ExpirationDate><CardNameUIString>Visa</CardNameUIString><CardNumber>NUMBER</CardNumber></Dictionary></Data><Comment>ThiskeychainitemisusedbySafaritoautomaticallyfillcreditcardinformationinwebforms.</Comment><AccessGroup>com.apple.safari.credit-cards</AccessGroup><CreationDate>20131016100432.283795Z</CreationDate><ModificationDate>20150826181627.118539Z</ModificationDate><Label>SafariCreditCardEntry:Visa</Label><ProtectionClass>CLASS:6</ProtectionClass>

ElcomSoft.com

iOS[backup]keychainprotectionclasses

kSecAttrAccessibleAfterFirstUnlock(7)Thedatainthekeychainitemcannotbeaccessedafterarestartuntilthedevicehasbeenunlockedoncebytheuser.

kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly(10)Thedatainthekeychainitemcannotbeaccessedafterarestartuntilthedevicehasbeenunlockedoncebytheuser.

kSecAttrAccessibleAlways(8)Thedatainthekeychainitemcanalwaysbeaccessedregardlessofwhetherthedeviceislocked.

kSecAttrAccessibleWhenPasscodeSetThisDeviceOnlyThedatainthekeychaincanonlybeaccessedwhenthedeviceisunlocked.Onlyavailableifapasscodeissetonthedevice.

kSecAttrAccessibleAlwaysThisDeviceOnly(11)Thedatainthekeychainitemcanalwaysbeaccessedregardlessofwhetherthedeviceislocked.

kSecAttrAccessibleWhenUnlocked(6)Thedatainthekeychainitemcanbeaccessedonlywhilethedeviceisunlockedbytheuser.

kSecAttrAccessibleWhenUnlockedThisDeviceOnly(9)Thedatainthekeychainitemcanbeaccessedonlywhilethedeviceisunlockedbytheuser.

• xxxThisDeviceOnly:encryptedusingdevice-specifichardwarekey(canbeextractedfrom32-bitdevicesonly)• Allothers:inpassword-protectedlocalbackups,encryptedwiththekeyderivedfrombackuppassword

ElcomSoft.com

iTunesbackuppasswordbreaking

§ Getmanifest.plist§ GetBackupKeyBag§ Checkpassword

§ iOS3▫ pbkdf2_sha1(2,000)

§ iOS4to10.1(but10.0)▫ Sameasabove,but10,000iterations

§ iOS10.0▫ Sameasaboveworks▫ Singlesha256hashisalsostored

§ iOS10.2+▫ pbkdf2_sha256(10,000,000)▫ pbkdf2_sha1(10,000)

§ UnwrapAESkeyfromKeyBag§ Decryptkeychain(+otherfiles?)

Hashesaresalted,sonorainbowtablesL

ElcomSoft.com

macOS keychain

ElcomSoft.com

iClouddataprotection

https://support.apple.com/en-us/HT202303

Mostofthedata:Aminimumof128-bitAESencryptioniCloudKeychain:Uses256-bitAESencryptiontostoreandtransmitpasswordsandcreditcardinformation.Alsousesellipticcurveasymmetriccryptographyandkeywrapping.

Keyisstoredalongwiththedata(exceptjusttheiCloudkeychain)!

• Notificationtoemailwhenthedataisaccessed• Accountmightbeblockedduetosuspiciousactivity(new!)• Two-stepverification(legacy,notrecommended)• Two-factorauthentication

• Immediatepushnotificationtoalltrusteddevices• Havetoallowaccess• Securitycode

• Aspushnotification• BySMStotrustedphonenumber• Generatedbytrusteddevice

Workaroundfor2FA:useauthenticationtokenfromthedevice(iPhone/iPad/iPod),PCorMac

ElcomSoft.com

iCloudsign-in

ElcomSoft.com

AboutiCloudkeychain

ElcomSoft.com

SetupiCloudkeychain– no2FA

ElcomSoft.com

Setup2FA

ElcomSoft.com

SetupiCloudkeychain–2FA

ElcomSoft.com

iOS11and2FA

ElcomSoft.com

iCloudsyncmodes

Recovery: recoveryfromkeychainbackup/storageintheiCloud

com.apple.sbd3(SecureBackupDaemon)

Keepbackupofkeychainrecords,andcopyingtonewdevices(whentherearenewtrustedones)

Sync:real-timesyncingacrosscloudanddevices

com.apple.security.cloudkeychainproxy3

Supportfor“trustedcircle”,addingnewdevicestoitetc

ElcomSoft.com

iCloudcircleoftrust

iOSSecurityGuide:https://www.apple.com/business/docs/iOS_Security_Guide.pdf

• Keychainsyncing• Circleoftrust• Publickey:syncingidentity(specifictodevice)• Privatekey(ellipticalP256),derivedfromiCloudpassword• Eachsynceditemisencryptedspecificallyforthedevice

(cannotbedecryptedbyotherdevices)• OnlyitemswithkSecAttrSynchronizable aresynced

• Keychainrecovery• Secureescrowservice(optional)• No2FA:iCloudsecuritycodeisneeded(+SMS)• No2FA,noiCSC:recoveryisnotpossible• 2FA:devicepasscodeisneeded• HardwareSecurityModule(WTFisthat?J)

ElcomSoft.com

iCloudkeychainrecoverymode

3:keyversion(GCMorCBCalgorythm;GCMhere).6:recordprotectionclass(KeyBag#6 here)0x48: wrappedkey sizeNext:encryptedkeydata

ElcomSoft.com

iCloudkeychainrecoveryprotection(no2FA)

iCSC- iCloudSecuritycode

NoiCSC

Syncmodeonly.KeychainrecordsarenotstoredintheiCloudandcannotberecoveredifalltrusteddevicesarelost/Accessispossibleonlythroughpushnotificationtothetrusteddevice.Themostsafe/secureconfig?;)

iCSC isset

• Pushnotificationtotrusteddevice(asabove)• iCSC pluscodefromSMS(6digits)

Note:iCSC isnotstoredanywhereinthecloud,justitshash(inEscrow).Threeoptionsareavailable:

• Simple(4or6digits,dependsoniOSversion)• Complex(anysymbols,upto32)• Device-generated/random(24symbols)

ElcomSoft.com

iCloudkeychainrecoveryprotection(2FA)

Foreverydevice,separaterecordiscreated(atEscrowProxy):

com.apple.icdp.<deviceHash>

Contents:BackupBagPassword(randomlygenerated)

Usage:RFC6637toencryptkeysfromiCloudKeychainKeybags

ElcomSoft.com

Escrowproxyarchitecture(1)

Escrowproxy

• SRP(SecureRemotePassword)protocol• SafefromMITM• Doesnotneedpasswordtobetransferredatall(evenhash)• Doesnotkeeppasswordonserver

ElcomSoft.com


CloudKeychainrecordsofinterestatEscrowProxy

• com.apple.securebackup: keepBackupBagPasswordfrom Keybag,whereiCloudKeychainisstoredfor‘fullrestore’

• com.apple.icdp.<deviceHash>:BackupBagPasswordfrom iCloudKeychainindividualrecordsfromgivendevices,storedforpartialrecovery

ElcomSoft.com


No2FA (iCSC)and2FA(DevicePasscode):

• Clientgeneratesrandom25-symbolKeyBagKey• PBKDF2(SHA256,10000)togenerateiCSC/passcodehash• KeyBagKey isencryptedwithAES-CBCusinghashasakey• EncryptedKeyBagKey isstoredinEscrowProxy

Note:if‘random’optionisselectedasiCSC,thenitisnothashed,andsaved‘asis’ItisfurtherusedforencryptingKeyBag withsetofkeysforiCloudKeychain.

ElcomSoft.com

EscrowproxyAPI

Command Action

/get_club_cert Returnscertificate,associatedwithaccount

/enroll Addnewsecurerecord

/get_records Getlistofstoredrecords

/get_sms_targets Getphonenumber,associatedwithaccount

/generate_sms_challenge Sendsapprovalcodeviasms toassociatednumber

/srp_init InitializesauthenticationviaSRP-6aprotocol

/recover SRPauthenticationfinalization.returnssecurerecordsonsuccess

/update_record Updatesrecordsinformationassociatedwithaccount

ElcomSoft.com

Escrowproxy:‘public’records

• Infoonkeyusedforprotection• Numberoffailedretries• Devicedata(model,version,passwordstrength)• ListofkeysforKeyBag decryption• ProtectedStorageServiceslist

ElcomSoft.com

SRPprotocol(v6)

iCSC-iCloudSecureCodeH–SHA256N,g–2048-bitgeneratorofthemultiplicativegroup(RFC5054)

TheuserenrollpasswordverifierandsalttoEscrowCache.EscrowCachestorespasswordverifierandsalt.

<salt>=random()x=SHA(<salt>|SHA(<dsid>|":"|<iCSC>))<passwordverifier>=v=g^x%N

Ifcom.apple.securebackup recordexists,thatmeansthatiCloudSecurityCodeisset.Otherwise,EscrowProxy containscom.apple.icdp.record.hash_of_device records,soiCloudKeychaincanbesyncedwhenoneofdevicepasswordsisprovided.

ElcomSoft.com

Recordname AuthenticationType

com.apple.securebackup MME+SMS

com.apple.icdp.record.hash_of_device PET

com.apple.protectedcloudstorage MME

AuthenticationtypeforaccessofEscrowrecord

Escrowproxy– accesstokens

• No2FA,iCloudSecurityCode:MMEtokenisenough;validationusesSMStotrustednumbersetinaccount

Howtoobtain:sameasforbackups,synceddata,iCloudPhotoLibraryetc

• 2FA,devicepasscode:PET(PasswordEquivalentToken);TTL=5minutes

Howtoobtain:passGSAauthentication(toapproveshort-timeaccessfromthegivendevice);newinmacOS10.11

ElcomSoft.com

Keychainissyncmode

Circleoftrust

trusted

trustedtrusted

Nottrusted

Insyncmode,KeyBag maycontainasfullrecordsinrecoverymode(BackupKeyBag,com.apple.securebackup.record)ortombs,uniqueforeverydomain(HomeKit,Wi-Fietc)

ElcomSoft.com

Tombs

• Keybag &metadata(ASN.1format)

• Keychain:recordsforthegivendomain,encryptedwithKeybag

• WrappedKey(foreveryRecordID):Keybag keywrappedwithRFC6637

Todecrypt

• gettombsfromcom.apple.sbd• findallRecordIDs• getBackupBagPassword forthe

givenRecordID,usingpasscodeofthedevice

• unwrapKeyBag key• decryptkeysfromKeyBag• DecryptKeychainrecords

ElcomSoft.com

Othercomponentsandalternativeapproaches

GSA(GrandSlam Authentication)

• gsa.apple.com• basedonSRPprotocol• introducedinmacOS 10.10(basic)• improvedinmacOS 10.11

AnisietteData

• MachineID +OTP• MachineID (60bytes):uniquefordevice• OTP(24bytes):random;refreshedevery

90seconds• codeishardlyobfuscated• implementedinApplePrivateAPI

Continuationtoken

• obtainedthroughGSA• meanstogettokensforotherservices• noneedtokeepAppleIDandpasswordon

device• canbeusedtogetupdated tokenswithshort

TTL• forfurtherrequests:useAlternateDSID &

Continuationtoken insteadofAppleID &password

ElcomSoft.com

Demo

No2FA

• AppleID• Password• iCloudsecuritycode• SMStotrustednumber

2FA

• AppleID• Passwordnoneedtopass2FAontrustedDesktop

• Passcodeofenrolleddevice

ElcomSoft.com

Conclusions/risks

• Syncandrecovery:differentapproaches• Trustedcircle:nothardtogetin,butleavestraces• Bothsyncandrecoverycanbeused(mixed)• Needtohavecredentials• Needtohavetrusteddevice

…orSMS• NeedtoknowiCSC

…ordevicepasscode• Legacy2SV:forgetit• With2FA,keychainisalwaysstorediniCloud• No2FA,noiCSC:mostsafefromTLA?

• GetContinuationtoken(+machineID) toobtainfullaccesswithoutanythingelse!• …implementationisstillrelativelysecureJ

ElcomSoft.com

Wait,onemorething…

• iCloudKeychaincontainsmoredatathanofficiallydocumented:notjustpasswords,butalsotokens(e.g.to2FA-protectedsocialnetworkaccounts)

• iCloudKeychainisbeingactivatedrightwhenyouenable2FA (orevenalwaysexist??),thoughcontainsonlysystemkeys,notuserdata

• iCloudKeychaincontainsencryptionkeyusedtolocksomenewiClouddata(iOS11)

• iCloudKeychainapproachcanbeusedeffectivelywhenlocalkeychainisnoteasilyaccessible

Whatelsedoyouhidefromus,Apple?:)

ElcomSoft.com

Thanks!Questions?

ElcomSoft