The iPhone 4 is at risk, but the forensics tool will only be sold to law enforcement, intelligence agencies, and forensics investigators.

Mathew J. Schwartz, Contributor

May 26, 2011

3 Min Read

Slideshow: Apple iPhone 4, A True Teardown

Slideshow: Apple iPhone 4, A True Teardown

Slideshow: Apple iPhone 4, A True Teardown(click for larger image and for full slideshow)

Russian digital forensics toolmaker Elcomsoft said that it's the first forensics company to have successfully cracked the data security scheme of the iPhone 4. What that means is that digital forensic investigators will be able to circumvent, in many cases, the hardware-based encryption introduced by Apple with iOS 4.

Elcomsoft, however, said that its related tool for cracking iPhone 4 encryption, released Monday, will only be made available to law enforcement agencies, intelligence agencies, and professional forensic investigators.

Why the one-year lag between the first release of iOS 4, and tools able to retrieve data from such devices? According to a blog post from Elcomsoft CEO Vladimir Katalov, his company "found a way to decrypt bit-to-bit images of iOS 4 devices. Decrypted images are perfectly usable, and can be analyzed with forensic tools such as Guidance EnCase or AccessData FTK--or any other tool which supports raw drive images and HFS+ file system."

Before iOS 4, he said, it was relatively easy to recover data from Apple iPhone, iPod Touch, and iPad devices by taking a bit-level snapshot of the devices' file system--akin to making a disk image or converting a DVD into an ISO file. But with iOS 4, Apple introduced hardware-based encryption, meaning that even though the file system can still be recovered, it's useless without knowing the encryption key.

To successfully extract data off of a device, an investigator must also have physical access to it until the data is decrypted. "Decryption is not possible without having access to the actual device because we need to obtain the encryption keys that are stored in (or computed by) the device and are not dumped or stored during typical physical acquisition," said Katalov.

The information that can be recovered from an iOS 4 device is limited, however, unless a forensic investigator (or attacker) recovers the passcode for the device. Accordingly, one of the best ways to protect an iOS 4 device is to disable its "simple password" setting and to use a long, complex password that can't be guessed via dictionary attacks, since this makes it extremely difficult or even impossible to brute-force the password.

Interestingly, Elcomsoft's announcement parallels the release of new research that details iOS 4 data security protections. Security researchers Jean-Baptiste Bedrune and Jean Sigwald, who work at IT services company Sogeti, last week presented a paper at the Hack In The Box conference in Amsterdam that details security changes to iOS 4, as well as how to crack them.

They also released free tools to create a copy of the RAM disk for forensic purposes, decrypt iTunes backups (slowly, they said), and to brute-force simple passwords that contain four digits or fewer, in 20 minutes or less.

According to the researchers' presentation overview, "using the built-in iOS functions--that use the passcode--you can actually brute-force the passcode of the phone with a small application on the phone. If you boot the phone from a RAM disk you can do this without knowing the passcode. Using the brute-forced passcode, the Keychain can be read and decrypted."

Andrey Belenko, a security researcher at Elcomsoft, said his company's research occurred separately from the Sogeti researchers' investigations. "We did our research on our own," he said in a blog post. In addition, "our set of tools uses [a] somewhat different approach, which we believe allows for greater flexibility and compatibility."

Innovative IT shops are turning the mobile device management challenge into a business opportunity--and showing that we can help people be more connected and collaborative, regardless of location. Read the new report from InformationWeek Analytics. Download it now. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights