Presentation Title iPhone Data Protection in-Depth
Smartphones contain valuable data and are a prime target for forensics investigators. The iPhone is no exception, and the technique introduced by Jonathan Zdziarski in 2008 can create a bit-by-bit copy of the phone data partition, by booting a custom ramdisk through BootROM DFU mode exploits, normally used for jailbreaking. This technique still works on newer devices like the iPhone 4, using the limera1n BootROM exploit released in October 2010 by geohot. Thus, with physical access to the phone, it is possible to extract lots of personal information, such as emails, pictures or text messages.
However, the data protection feature introduced with iOS 4 uses the phone passcode and device specific keys to secure master keys (class keys) protecting files and keychain items. We will describe the internals of the following iOS 4 features :
- Flash storage encryption / content protection
- Data wipe
- System keybag and escrow keybags
- Passcode derivation function
- Keychain storage
In order to retrieve all of the protected data, an attacker has to know the user passcode. The custom passcode derivation function used was designed to prevent off-device bruteforce attacks, by using the embedded hardware AES key (UID key).
Note: Presenting with Jean Sigwald
About Jean-Baptiste Bédrune
Jean-Baptiste works at the Software security R&D team at Sogeti for 4 years. His domains of research include code (un)protection, audit of DRM solutions, applied cryptography, reverse engineering on embedded devices and distributed computing. Jean joined Sogeti in early 2010. His research topics include reverse engineering, embedded devices and smartphones security.
About Jean Sigwald
Jean Sigwald is a security researcher working at Sogeti ESEC R&D lab. His research is mainly focused on smartphones security and the services offered by the network operators.