If you know what the usbmux protocol is, then you’re no doubt familiar with Marcansoft’s open source version of usbmuxd; this is a free variant to Apple’s own specialized daemon that tunnels IP across USB, allowing you to connect to network ports on connected iOS devices. The iPad and iPad Mini include Apple’s usb driver, to allow the camera connection kit to function. With usbmuxd running on an iPad or iPad Mini, you can also connect and talk to any other iOS device from your iPad. All you need is one of Apple’s Lightning-to-USB adapters.
How ironic that only a week or two after posting my article How to Pair-Lock Your iOS Device, we would see this talk coming out of Black Hat 2013, demonstrating how juice jacking can be used to install malicious software. The talk is getting a lot of buzz with the media, but many security guys like myself are scratching our heads wondering why this is being considered “new” news. Granted, I can only make statements based on the abstract of the talk, but all signs seem to point to this as a regurgitation of the same type of juice jacking talks we saw at DefCon two years ago. Nevertheless, juice jacking is not only technically possible, but has been performed in the wild for a few years now. I have my own juice jacking rig, which I use for security research, and I have also retrofitted my iPad Mini with a custom forensics toolkit, capable of performing a number of similar attacks against iOS devices. Juice jacking may not be anything new, but it is definitely a serious consideration for potential high profile targets, as well as for those serious about data privacy.
Given the vast amount of loose knowledge now out there in the community, and the increasing number of commercial tools available to conduct both law enforcement and private sector acquisition of an iOS device, I’ve decided to make my law enforcement guide, “iOS Forensic Investigative Methods” freely available to all. The manual contains a lot of useful low-level information about the iPhone and the different artifacts commonly found while performing a forensic analysis. Chapter 3 requires a set of tools to actually image the device (which are not presently available to the public), however there are a number of commercial and open source tools that can be substituted here to acquire a disk image. Anyone with a little experience should be able to figure out by now how to get a copy of their own device’s disk. There is plenty of knowledge in this manual to teach you the basics of where to find information, such as various caches and other data, on the device, and what kind of evidence to look for when conducting investigations. It may also give the informal geek a peek down the rabbit hole to see just what kind of data is stored by your device. I decided to release this for the betterment of technical knowledge in the community, so enjoy!
PDF: iOS Forensic Investigative Methods
Part of my job as a forensic scientist is to hack applications. When working some high profile cases, it’s not always that simple to extract data right off of the file system; this is especially true if the data is encrypted or obfuscated in some way. In such cases, it’s sometimes easier to clone the file system of a device and perform what some would call “forensic hacking”; there are often many flaws within an application that can be exploited to convince the application to unroll its own data. We also perform a number of red-team pen-tests for financial/banking, government, and other customers working with sensitive data, where we (under contract) attack the application (and sometimes the servers) in an attempt to test the system’s overall security. More often than not, we find serious vulnerabilities in the applications we test. In the time I’ve spent doing this, I’ve seen a number of applications whose encryption implementations have been riddled with holes, allowing me to attack the implementation rather than the encryption itself (which is much harder).
There are a number of different ways to manipulate an iOS application. I wrote about some of them in my last book, Hacking and Securing iOS Applications . The most popular (and expedient) method involves using tools such as Cycript or a debugger to manipulate the Objective-C runtime, which I demonstrated in my talk at Black Hat 2012 (slides). This is very easy to do, as the entire runtime funnels through only a handful of runtime C functions. It’s quite simple to hijack an application’s program flow, create your own objects, or invoke methods within an application. Often times, tinkering with the runtime is more than enough to get what you want out of an application. The worst example of security I demonstrated in my book was one application that simply decrypted and loaded all of its data with a single call to an application’s login function, [ OneSafeAppDelegate userIsLogged: ]. Manipulating the runtime will only get you so far, though. Tools like Cycript only work well at a method level. If you’re trying to override some logic inside of a method, you’ll need to resort to a debugger. Debugging an application gives you more control, but is also an interactive process; you’ll need to repeat your process every time you want to manipulate the application (or write some fancy scripts to do it). Developers are also getting a little trickier today in implementing jailbreak detection and counter-debugging techniques, meaning you’ll have to fight through some additional layers just to get into the application.
This is where binary patching comes in handy. One of the benefits to binary patching is that the changes to the application logic can be made permanent within the binary. By changing the program code itself, you’re effectively rewriting the application. It also lets you get down to a machine instruction level and manipulate registers, arguments, comparison operations, and other granular logic. Binary patching has been used historically to break applications’ anti-piracy mechanisms, but is also quite useful in the fields of forensic research as well as penetration testing. If I can find a way to patch an application to give me access to certain evidence that it wouldn’t before, then I can copy that binary back to the original device (if necessary) to extract a copy of the evidence for a case, or provide the investigator with a device that has a permanently modified version of the application they can use for a specific purpose. For our pen-testing clients, I can provide a copy of their own modified binary, accompanied by a report demonstrating how their application was compromised, and how they can strengthen the security for what will hopefully be a more solid production release.
The National Institute of Justice, in conjunction with the National Institute of Standards and Technology, has published test results validating the methods used in the forensic imaging tools and techniques used on this site. More information can be found at this link.
A white paper published by Andrew Hoog, Chief Investigative Officer at ViaForensics, has put together a compendium of available iPhone forensic techniques, and honored the “Zdziarski” method with the highest rating. The full white paper can be downloaded at this link. Among the scoring, the “Zdziarski” method received a score of 5/5 stars for installation, 4/5 for acquisition, and 4.2/5 for accuracy. As the tool suite is not a reporting tool, 3/5 stars were awarded for reporting, providing a total score of 4.1/5 stars.
[ Video ] Bypassing Passcode and Backup Encryption
[ Video ] Forensic Recovery of Raw Disk
[ Video ] What Kind of Data Can You Steal in 2 Minutes?
The above videos, courtesy of security researcher Jonathan Zdziarski, demonsrate just how easy it is to bypass an iPhone passcode and backup encryption in an iPhone 3G[s] within only a couple of minutes time. A second video shows how easily tools can pull an unencrypted raw disk image from the device. The seriousness of the iPhone 3G[s]‘ vulnerabilities may make enterprises and government agencies think twice before allowing these devices to contain confidential data. Apple has been alerted to and aware of these vulnerabilities for many years, across all three models of iPhone, but has failed to address them. Jonathan adds:
The 3G[s] has penetrated the government/military markets as well as top fortune-100s, possibly under the misleading marketing term “hardware encryption”, which many have taken at face value. Serious vulnerabilities such as these threaten to put our country’s national security at risk. Unfortunately, the only way Apple seems to listen is through addressing such problems publicly, as all previous attempts to talk with them have failed. I sincerely hope they fix these issues before a breach occurs.