icloud keychain sector2017 - sector 2018 - security ... · breaking the icloud keychain more icloud...

SECTOR2017BREAKINGTHEICLOUDKEYCHAIN

ElcomSoft.com

VladimirKatalovElcomSoft Co.Ltd.Moscow,Russia

When Two-Factor Authentication is a Foe: Breaking the iCloud Keychain


Whatisitallabout?

• AppleiCloud• Two-factorauthentication• Alluser’spasswords• Creditcarddata• iOS11security‘improvements’• Attackscenarios


(tip:almosteverything)

• Contacts&calendars• Calllogsandtextmessages• Emailsandchats• Accountandapplicationpasswords• WebandWi-Fipasswords• Creditcarddata• Documents,settingsanddatabases• Webhistory&searches• Picturesandvideos• Geolocationhistory,routesandplaces• 3rd partyappdata• Cachedinternetdata• Systemandapplicationlogs• Socialnetworkactivities

What’sinsidethesmartphone?


Cloudservices:synceddata[iCloud]

• Completedevicebackups

• Contacts• Calllog• Notes• Calendars• Mail(onlycloud-based)• Internetactivities(visitedsites,searches)• Mediafiles(photos,videos)• Gamingdata• Healthdata• Messages(iOS11)• HomeKit devices• Health(iOS11)• Wallet• Maps(searches,bookmarks,routes)• iBooks• News,weather• Siridata• Documents(iCloudDrive)

• iCloudKeychain• Passwords• Creditcards


MoreiClouddata

• Accountinformation• iCloudstorageinformation• Contactinformation(billing/shippingaddress,

emails,creditcards(last4digits)• Connecteddevices• Customerservicerecords• iTunes(purchase/downloadtransactionsand

connections,update/re-downloadconnections,Matchconnections,giftcards)

• Retailandonlinestoretransactions• Maillogs• Familysharingdata• iMessage andFaceTimemetadata• Deleteddata?


Two-FactorAuthentication

§ ReplacesTwo-StepVerification

• System-levelprotection• iOS9andnewer

§ Wholeaccountprotection• ExceptFindMyPhone

§ Canbebypassedwithtokens• Systembackups:tokensareshort-lived• Thesametokencanexpireforaccessingsystembackups,butworkforaccessingsynceddata



§ Multipledeliverymethods

• Insecurebutobligatory:trustedphonenumber(SMS)• Secureandobligatory:interactiveprompt+6-digitcodepushedtoenrolleddevices

• TOTP:• 6-digitofflinecodes• Newcodeevery30seconds• Uniqueseedforeveryenrolleddevice(unlikeGoogleAuthenticatorapp)

§ Successfullypassing2FAliftsmanyrestrictions• Candomorewith2FA-protectedAppleIDaccountscomparedtoaccountswithno2FA



§ Howmuchmore?

• 2FArequiredforsomeContinuityfeatures(SMS/MMS)• If2FAisenabled,signingintoiCloudispossiblewithpasscodeonly(fromthedevice)• Onlyif2FAisenabled:canchange/resetiCloudpassword,removeiCloudlockwithoutevenknowinguser’sAppleIDpassword• iMessageiniCloudwillonlyworkon2FAaccounts



Applevs.Google

§ Push• Apple:canonlyuseiOSandmacOSdevicestoreceivepush6-digitcodes• Google:GooglePrompt(push-based2FA)availableoniOSandAndroid;simplytap“Yes”(nocodes)

§ Offlinecodes(TOTP)• Apple:uniqueseedperdevice;canonlyuseiOSandmacOSdevicestogenerateTOTPcodes

• Google:oneseedforalldevices;anydeviceandanyTOTP-compliantappcanbeused(Android,iOS,Windows,Linux,macOS,Ubuntuetc.)

§ SMS• Apple:trustedphonenumberREQUIREDtoenable2FA(insecure)• Google:treatsSMSdeliveryasinsecure,urgesusersmovetoGooglePromptinstead



Applevs.Microsoft

§ Push• Apple:canonlyuseiOSandmacOSdevicestoreceivepushcodes• Microsoft:Android,iOSandWindows10(includingW10M);simplytap“Yes”(nocodes);worksevenonlockedW10Mdevices(bug?)

§ Offlinecodes(TOTP)• Apple:uniqueseedperdevice;canonlyuseiOSandmacOSdevicestogenerateTOTPcodes

• Microsoft:oneseedforalldevices(6digitcodes)and uniqueseed(8-digitcodes;MSAuthenticatorapponly;Anrdoid/iOS/W10M);anydeviceandanyTOTP-compliantappcanbeused(Android,iOS,Windows,Linux,macOS,Ubuntuetc.)

§ SMS• Apple:trustedphonenumberREQUIREDtoenable2FA(insecure)• Microsoft:SMSoptional


Applekeychains

§ iOSkeychain• Local(encryptedbackup)• Local(notencryptedbackup)• iCloud

View(iOS10):Settings|Safari|Passwords,AutoFillView(iOS11):Settings|Accounts&Passwords|App&WebsitePasswordsProtection:itdependsDecrypt/export:noway(3rd partysoftwareonly)

§ OSX(macOS)keychainView:Keychainutility(onebyone)Protection:password(bydefault,sameaslogon)Decrypt/export:3rd partysoftwareonly

§ iCloudkeychainView:Onlywhen/ifsyncedwithlocaldeviceProtection:well,strongJDecrypt/export:?


Backupvs iCloudkeychains

Backup iCloudWi-Fi + +

Websites + +

Creditcards + +

App-specific + Itdepends

AirPlay/AirPort + +

Encryptionkeys&tokens + Itdepends

Autocomplete + -

KeychaininiCloudbackupshavemostdataencryptedwithdevice-specifickey


iOSkeychain– passwordsandCCdata

<Name>AirPort(APname)</Name><Service>AirPort</Service><Account>APname</Account><Data>APpassword</Data><AccessGroup>apple</AccessGroup><CreationDate>20121231120800.529226Z</CreationDate><ModificationDate>20121231120800.529226Z</ModificationDate><ProtectionClass>CLASS:7</ProtectionClass>

<Name>imap.gmail.com([email protected])</Name><Server>imap.gmail.com</Server><Account>email</Account><Data>password</Data><Protocol>IMAP</Protocol><Port>143</Port><AccessGroup>apple</AccessGroup><CreationDate>20121231124745.097385Z</CreationDate><ModificationDate>20121231124745.097385Z</ModificationDate><ProtectionClass>CLASS:7</ProtectionClass>

<Name>SafariCreditCardEntries (UUID)</Name><Service>SafariCreditCardEntries</Service><Account>BBA00CB1-9DFA-4964-B6B8-3F155D88D794</Account><Data><Dictionary><CardholderName>NAME</CardholderName><ExpirationDate>DATE</ExpirationDate><CardNameUIString>Visa</CardNameUIString><CardNumber>NUMBER</CardNumber></Dictionary></Data><AccessGroup>com.apple.safari.credit-cards</AccessGroup><CreationDate>20131016100432.283795Z</CreationDate><ModificationDate>20150826181627.118539Z</ModificationDate><Label>SafariCreditCardEntry:Visa</Label><ProtectionClass>CLASS:6</ProtectionClass>


iOS[backup]keychainprotectionclasses

kSecAttrAccessibleAfterFirstUnlockThedatainthekeychainitemcannotbeaccessedafterarestartuntilthedevicehasbeenunlockedoncebytheuser.

kSecAttrAccessibleAfterFirstUnlockThisDeviceOnlyThedatainthekeychainitemcannotbeaccessedafterarestartuntilthedevicehasbeenunlockedoncebytheuser.

kSecAttrAccessibleAlwaysThedatainthekeychainitemcanalwaysbeaccessedregardlessofwhetherthedeviceislocked.

kSecAttrAccessibleWhenPasscodeSetThisDeviceOnlyThedatainthekeychaincanonlybeaccessedwhenthedeviceisunlocked.Onlyavailableifapasscodeissetonthedevice.

kSecAttrAccessibleAlwaysThisDeviceOnlyThedatainthekeychainitemcanalwaysbeaccessedregardlessofwhetherthedeviceislocked.

kSecAttrAccessibleWhenUnlockedThedatainthekeychainitemcanbeaccessedonlywhilethedeviceisunlockedbytheuser.

kSecAttrAccessibleWhenUnlockedThisDeviceOnlyThedatainthekeychainitemcanbeaccessedonlywhilethedeviceisunlockedbytheuser.

xxxThisDeviceOnly:encryptedusingdevice-specifichardwarekey(canbeextractedfrom32-bitdevicesonly)Allothers:inpassword-protectedlocalbackups,encryptedwiththekeyderivedfrombackuppassword

kSecAttrSynchronizable:dataissyncedwithiCloud;notcompatiblewithThisDeviceOnly


iTunesbackuppasswordbreaking

§ Getmanifest.plist§ GetBackupKeyBag§ Checkpassword

§ iOS3▫ pbkdf2_sha1(2,000)

§ iOS4to10.1(but10.0)▫ Sameasabove,but10,000iterations

§ iOS10.0▫ Sameasaboveworks▫ Singlesha256hashisalsostored

§ iOS10.2+,iOS11▫ pbkdf2_sha256(10,000,000)▫ pbkdf2_sha1(10,000)

§ UnwrapAESkeyfromKeyBag§ Decryptkeychain(+otherfiles?)

Hashesaresalted,sonorainbowtablesL


macOS keychain


iOSkeychain


iClouddataprotection

• https://support.apple.com/en-us/HT202303

• Mostofthedata:Aminimumof128-bitAESencryption• iCloudKeychain:Uses256-bitAESencryptiontostoreandtransmitpasswordsandcreditcardinformation.Alsouses

ellipticcurveasymmetriccryptographyandkeywrapping.

• Keyisstoredalongwiththedata(exceptjusttheiCloudkeychain)!

• Notificationtoemailwhenthedataisaccessed• Accountmightbeblockedduetosuspiciousactivity(new!)• Two-stepverification(legacy,notrecommended)• Two-factorauthentication

• Immediatepushnotificationtoalltrusteddevices• Havetoallowaccess• Securitycode• Aspushnotification• BySMStotrustedphonenumber• Generatedbytrusteddevice

• Workaroundfor2FA:useauthenticationtokenfromthedevice(iPhone/iPad/iPod),PCorMac• ForiCloudbackups,thetokenTTLis12hoursonly


iCloudsign-in


AboutiCloudkeychain


SetupiCloudkeychain– no2FA


Setup2FA


SetupiCloudkeychain–2FA


iOS11and2FA:pushedagressively


iCloudsyncmodes

Recovery: recoveryfromkeychainbackup/storageintheiCloud

com.apple.sbd3(SecureBackupDaemon)

Keepbackupofkeychainrecords,andcopyingtonewdevices(whentherearenewtrustedones)

Sync:real-timesyncingacrosscloudanddevices

com.apple.security.cloudkeychainproxy3

Supportfor“trustedcircle”,addingnewdevicestoitetc


iCloudcircleoftrust

iOSSecurityGuide:https://www.apple.com/business/docs/iOS_Security_Guide.pdf

• Keychainsyncing• Circleoftrust• Publickey:syncingidentity(specifictodevice)• Privatekey(ellipticalP256),derivedfromiCloudpassword• Eachsynceditemisencryptedspecificallyforthedevice(cannotbedecryptedbyotherdevices)• OnlyitemswithkSecAttrSynchronizable aresynced

• Keychainrecovery• Secureescrowservice(optional)• No2FA:iCloudsecuritycodeisneeded(+SMS)• No2FA,noiCSC:recoveryisnotpossible• 2FA:devicepasscodeisneeded• HardwareSecurityModule(WTFisthat?J)


iCloudkeychainrecoveryprotection(no2FA)

iCSC- iCloudSecuritycode

NoiCSC

Syncmodeonly.KeychainrecordsarenotstoredintheiCloudandcannotberecoveredifalltrusteddevicesarelost/Accessispossibleonlythroughpushnotificationtothetrusteddevice.Themostsafe/secureconfig?;)

iCSC isset

• Pushnotificationtotrusteddevice(asabove)• iCSC pluscodefromSMS(6digits)

Note:iCSC isnotstoredanywhereinthecloud,justitshash(inEscrow).Threeoptionsareavailable:

• Simple(4or6digits,dependsoniOSversion)• Complex(anysymbols,upto32)• Device-generated/random(24symbols)


iCloudkeychainrecoveryprotection(2FA)

Foreverydevice,separaterecordiscreated(atEscrowProxy):

com.apple.icdp.<deviceHash>

Contents:BackupBagPassword(randomlygenerated)

Usage:RFC6637toencryptkeysfromiCloudKeychainKeybags


Escrowproxyarchitecture(1)

• SRP(SecureRemotePassword)protocol

• SafefromMITM• Doesnotneedpasswordto

betransferredatall(evenhash)

• Doesnotkeeppasswordonserver

No2FA (iCSC)and2FA(DevicePasscode):

• Clientgeneratesrandom25-symbolKeyBagKey• PBKDF2(SHA256,10000)togenerateiCSC/passcodehash• KeyBagKey isencryptedwithAES-CBCusinghashasakey• EncryptedKeyBagKey isstoredinEscrowProxy

Note:if‘random’optionisselectedasiCSC,thenitisnothashed,andsaved‘asis’ItisfurtherusedforencryptingKeyBag withsetofkeysforiCloudKeychain.


Escrowproxyarchitecture(2)

• CloudKeychainrecordsofinterestatEscrowProxy

• com.apple.securebackup: keepBackupBagPasswordfrom Keybag,whereiCloudKeychainisstoredfor‘fullrestore’

• com.apple.icdp.<deviceHash>:BackupBagPasswordfromiCloudKeychainindividualrecordsfromgivendevices,storedforpartialrecovery


EscrowproxyAPI

Command Action

/get_club_cert Returnscertificate,associatedwithaccount

/enroll Addnewsecurerecord

/get_records Getlistofstoredrecords

/get_sms_targets Getphonenumber,associatedwithaccount

/generate_sms_challenge Sendsapprovalcodeviasms toassociatednumber

/srp_init InitializesauthenticationviaSRP-6aprotocol

/recover SRPauthenticationfinalization.returnssecurerecordsonsuccess

/update_record Updatesrecordsinformationassociatedwithaccount


SRPprotocol(v6)

• Ifcom.apple.securebackup recordexists,thatmeansthatiCloudSecurityCodeisset.Otherwise,EscrowProxycontainscom.apple.icdp.record.hash_of_device records,soiCloudKeychaincanbesyncedwhenoneofdevicepasswordsisprovided.

iCSC-iCloudSecureCodeH–SHA256N,g–2048-bitgeneratorofthemultiplicativegroup(RFC5054)

TheuserenrollpasswordverifierandsalttoEscrowCache.EscrowCachestorespasswordverifierandsalt.

<salt>=random()x=SHA(<salt>|SHA(<dsid>|":"|<iCSC>))<passwordverifier>=v=g^x%N


Recordname AuthenticationType

com.apple.securebackup MME+SMS

com.apple.icdp.record.hash_of_device PET

com.apple.protectedcloudstorage MME

AuthenticationtypeforaccessofEscrowrecord

Escrowproxy– accesstokens

• No2FA,iCloudSecurityCode:MMEtokenisenough;validationusesSMStotrustednumbersetinaccount

• Howtoobtain:sameasforbackups,synceddata,iCloudPhotoLibraryetc

• 2FA,devicepasscode:PET(PasswordEquivalentToken);TTL=5minutes

• Howtoobtain:passGSAauthentication(toapproveshort-timeaccessfromthegivendevice);newinmacOS 10.11


Keychainissyncmode

Circleoftrust

trusted

trustedtrusted

Nottrusted

Insyncmode,KeyBag maycontainasfullrecordsinrecoverymode(BackupKeyBag,com.apple.securebackup.record)ortombs,uniqueforeverydomain(HomeKit,Wi-Fietc)


Tombs

• Keybag &metadata(ASN.1format)

• Keychain:recordsforthegivendomain,encryptedwithKeybag

• WrappedKey(foreveryRecordID):Keybag keywrappedwithRFC6637

Todecrypt

• gettombsfromcom.apple.sbd• findallRecordIDs• getBackupBagPassword forthe

givenRecordID,usingpasscodeofthedevice

• unwrapKeyBag key• decryptkeysfromKeyBag• DecryptKeychainrecords


PassingGSAtogetthetokens

PET=PasswordEquivalentToken

Returnedbyserverafteryoupass2FA,andbeingusedfurtherwithout2FA;TTL=5mins


Continuationtoken

~/Library/Keychains/login.keychain~/Library/Keychains/login.keychain-db (sincemacOS Sierra)

(encryptedwithuserlogonpassword)

Whatissaved:

• alternateDsid &ContinuationToken ofuserloggedintoiCloudPanel

• tokens(activeandexpired)usedtologinfromthisdevice

• SometimesevenpasswordtoAppleIDinaplainform!


Allthetokenstogether

Twosessions:

• GetContinuationToken(passing2FA)togetPETandMMEtokens;furtherinteractionwithEscrowserviceandKVStoobtainpasswordfromBackupBag recordsinKeychain

• UsingContinuatiomn Tokenandaworkaround(without2FA!)togetPETandMME

• Whentalkingtogsa.apple.com,AnisietteData isbeingused(fromiCloudpanel)

• Firstsessionrequiresuser’spasswordContinuation Token.


Othercomponentsandalternativeapproaches

GSA(GrandSlam Authentication)

• gsa.apple.com• basedonSRPprotocol• introducedinmacOS 10.10(basic)• improvedinmacOS 10.11

AnisietteData

• MachineID +OTP• MachineID (60bytes):uniquefordevice• OTP(24bytes):random;refreshedevery

90seconds• codeishardlyobfuscated• implementedinApplePrivateAPI

Continuationtoken

• obtainedthroughGSA• meanstogettokensforotherservices• noneedtokeepAppleIDandpasswordon

device• canbeusedtogetupdated tokenswithshort

TTL• forfurtherrequests:useAlternateDSID &

Continuationtoken insteadofAppleID &password


MMEvsContinuationtoken

Token MME NewMME Continuation

Accounts Usual,2SV 2FA 2FA

Requires Apple ID,passwordSecuritycode(for2SV)

-or- Mac/PC

Apple ID,passwordSecuritycode(for2FA)

Apple ID,passwordSecuritycode(for2FA)+user’spassword

Expires Onpasswordchange Onpasswordchange orafter5mins

Onpasswordchange;onlogoutfromiCloudpanel;onsuspicionactivity(i.e.MITM)

Usedfor GetCloudKit tokentointeractwithiCloudDrive

GetCloudKit tokentointeractwithiCloudDrive

Get/updateothertokens(e.g.PET)

Limitations DoesnotallowtogetiCloud Keychain

DoesnotallowtogetiCloud Keychain

Used onmacOS 10.11+(GSA);pinnedtothe

device


ObtainingiCloudkeychain:therequirements

No2FA

• AppleID• Password• iCloudsecuritycode• SMStotrustednumber

2FA

• AppleID• Passwordnoneedtopass2FAontrustedDesktop(orifwecangetcontinuationtoken)• Passcodeofenrolleddevice

With2FA,wecan:

• whetheranytrusteddevices(tosendthecode)exist

• ifyes,thelistofallphonenumbers(oftrusteddevices)

• currentnumberSMShasbeensentto


2FAissues

ChangeiCloudpassword:

• No2FA:securityquestions+oldpassword

• 2FA,passcodeisnotset:securitycode(bySMS)+oldpassword

• 2FA,passcodeisset:onlypasscode(noalways!)

Adding/removingtrustedphonenumbersdoesnotrequireanythingatall(onceyouarethere)!


Usagescenario

Requirements:

• LockediPhone,butpasscodeisknown• iClouduses2FA,passwordisNOTknown• iTunesbackupisprotectedwithstrongpassword• Nojailbreakavailable(orphoneis64-bit)

Steps:

• ChangeiCloudpassword(ifneeded,trustednumberaswell)• SignoutfromiCloud(incl.FindMyPhone)• ConnecttonewiCloudaccount• EnableiCloudkeychain• DownloadkeychaindirectlyfromiCloud


iOS11:Strongerandweaker

Greatersecurity

• Establishingtrustnowrequiresdevicepasscode• Extractingdatanotpossiblewithoutpasscode

(orlockdownrecord)• S.O.S.modediscretelydisablesTouchID/FaceID• Stillnojailbreak(thoughtherewassomePoC demo,

butitwillprobablynevergopublic)


iOS11:Strongerandweaker

Thewaybackwards

• Ifpasscodeisknown,logicalacquisitionistrivial• Completewiththekeychain• Forgetaboutbackuppasswords:justafewtapstoreset

• [comingsoon]iMessageiniCloud• [bug]CanremoveiCloudlockeasilyfor2FAaccounts• [stillthere]CanchangeiCloudpassword&trustedphone

numberforaccountswith2FA• [new]iCloudpasswordcanbechangedfromFindMyPhone app

onthedevice(withjustthepasscode)

Question:isiOS11moresecureorlesssecurethaniOS10?

Wearenolongersure…


Conclusions/risks

• Syncandrecovery:differentapproaches• Trustedcircle:nothardtogetin,butleavestraces• Bothsyncandrecoverycanbeused(mixed)• Needtohavecredentials• Needtohavetrusteddevice

…orSMS• NeedtoknowiCSC

…ordevicepasscode• Legacy2SV:forgetit• With2FA,keychainisalwaysstorediniCloud• No2FA,noiCSC:mostsafefromTLA?

• GetContinuationtoken(+machineID) toobtainfullaccesswithoutanythingelse!• …implementationisstillverysecure


Wait,onemorething…

• iCloudKeychaincontainsmoredatathanofficiallydocumented:notjustpasswords,butalsotokens(e.g.to2FA-protectedsocialnetworkaccountsandsecuremessengers)

• iCloudKeychainisbeingactivatedrightwhenyouenable2FA (orevenalwaysexist??),thoughcontainsonlysystemkeys,notuserdata

• iCloudKeychaincontainsencryptionkeysusedtolocksomenewiClouddata(iOS11)

• iOS10.2beta3:stillnoiMessage iniCloud

Whatelsedoyouhidefromus,Apple?:)


Thanks!Questions?

ElcomSoft