Apple’s iCloud protocols cracked and analyzed
Smartphones carry a lot of sensitive data that in theory should be accessible only to their owners. In practice, a lot of it can be exfiltrated from the devices and from the backups either stored on the device or in the cloud by employing different forensic methods.
In his presentation at the Hack in the Box Conference, co-founder and CEO of Russian password-cracking / recovery company ElcomSoft Vladimir Katalov has shared the results of their efforts in cracking and the discoveries they made by analysing Apple’s iCloud protocols, as well as those used for Windows Phone and BlackBerry backups.
First he showed us a short overview of the forensic methods that can be used on devices running one of the four leading mobile operating systems:
Different methods are applicable to different devices. For example, BlackBerry does not offer the option of cloud backup or the option of allowing users to locate lost or stolen phones, so that information obviously can’t be accessed in the cloud.
Logical and physical acquisition of data from iOS devices can be done, but the results are middling: with logical acquisition, the amount of information that can be extracted is limited and the device may produce encrypted backup. On the other hand, physical acquisition can provide all the information store on the device, provided that you can bruteforce the passcode, and the device in question isn’t iPhone 5 or iPad 4. And you have to bruteforce the password, not bypass it, because it’s used in disk and keychain encryption.
Cloud backup is a very popular option because of its conveniency: if you lose or break your smartphone, you can get another one and restore all the data saved in the cloud to it.
Since iOS 5, Apple offers backup in the iCloud – 5 GB free storage and up to 50 GB paid storage. In it you can store backups, contacts, messages, device settings, mail accounts, purchases, Safari bookmarks, network settings and more. Backup runs daily when the device is connected to the Internet over Wi-Fi, connected to a power source, and locked. Of course, the backing up can also be forced.
Katalov shared that reverse-engineering the iCloud backup protocol is possible if a bit complex. You *only* have to jailbreak the iPhone, install Open SSH, get the keychain, delete the user account from the device, reset all the settings, reboot it, set up a Wi-Fi connection (proxy), replace the keychain with your own trusted root certificate (but you need key 0x835 & keychain), and then you can read all the traffic.
The iCloud backup protocol flow is dynamic (endpoints depend on Apple ID), and is built mostly on Google Protocol Buffers. The files are split into chunks of different sizes and each of them encrypted with an encryption key that depends on the data in the chunk. Apple provides file-to-chunks mapping (every chunk container has a different URL), chunk encryption keys, and full request info to 3rd-party storage provider (Amazon/Microsoft).
Katalov showed that with simple queries it’s possible to get the authentication token for accessing the iCloud backup, backup IDs, and the encryption keys, then download the files either from Windows Azure and Amazon AWS, or both.
The data stored at 3rd-party storage providers is encrypted (and Apple has and stores the encryption keys to that data), and a few files additionally so by using keys from OTA backup keybag. Keychain items likewise.
If you are a user, you need to consider several things when using iCloud backup: first, that you can’t configure the encryption. Secondly, that your backups are stored with third-party providers (but are encrypted). Thirdly, that Apple does have the encryption keys for your backups, but also that If Apple stores these keys then it can also have access to Keychain data (i.e. your passwords contained in it). Of course, the company may be legally obliged to store them, but it’s good to know this so you can make an informed decision.
The FindMyPhone protocol and the protocol for getting files from iCloud was much easier to get to – it required only sniffing HTTP traffic.
Getting the files afterwards is easy:
It’s also good to know that Apple’s 2FA authentication (they call it 2-step verification) does not protect iCloud backups, Find My Phone data and the documents stored in the cloud.
As Katalov rightly points out, it’s not easy to find the right balance between security, privacy and convenience, and if you are trying to decide whether to use iCloud you should be aware of the security risks you open yourself to. A good move is to use additional encryption.
He also added that there is still a lot of Apple’s protocols that need to be analysed. For example, the new Touch ID authentication system on the new iPhone 5S – Apple says that the fingerprint information never leaves the device, but that claim needs to be checked.
When it comes to Windows Phone backups in the cloud, it’s much harder to analyse the protocol used, he shared. On the other hand, the protocols for downloading stored SMSes and email were much easier to crack.
In BlackBerry’s case, there is no cloud storage – only a local backup option. All the encryption done on the device, and according to Katalov, the reverse-engineering of this backup protocol was a nightmare because the multitude of different servers involved.