3 min read

FDE, SEP & Passcodes.. My iDevice Data Is Safe, Right?

FDE, SEP & Passcodes.. My iDevice Data Is Safe, Right?

Maybe not so much.

I was interested in how Cellebrite utilises the checkm8 exploit in order to pull a limited amount of information from a device without a valid PIN/Passcode. I decided to investigate in order to replicate that process, and here we are today! I began by modifying my iPhone-RootFS-Tool to pull a few select interesting directories.

This is the part of the article where I stop and remind you - this article is old. I've left this article active for comedic purposes, for the most part. Let's continue...

By default iOS encrypts a large amount of user data stored on your device, meaning without the passcode you cannot pull the majority of sensitive user data. This article won’t assist you cracking the Secure Enclave Processor (SEP), however it will guide you to retrieving some interesting information from the device like session keys (used for pulling new notifications before first unlock - could be misused to pull sensitive user data), the Apple ID set on the device, WiFi passwords and many other potentially sensitive information pertaining to the device and it’s owner.

For this research, I was originally planning to use my day-to-day iPhone which isn’t jailbroken, an iPhone X. I felt it would give the most reproducible results as it’s as close to stock as can be. I then come to the conclusion that with the amount of used space on my device, acquiring the root filesystem would take quite a while.

So I setup the next best thing, my iPhone 6S. I used it for a few hours, downloading some random applications, taking photos, sending iMessages to myself, normal things normal people do.

Let’s Begin The Extraction

I then 'checkra1n'ed' the iPhone and run my iPhone-RootFS-Tool over usb while the iPhone was locked, following a reboot (the BFU state). Around 30 minutes later, an 8GB tar appeared on my Mac :o! Let’s discuss where I searched in the acquisition of the locked phone, and what I found!

-  Apple ID Information - The first place I searched, naturally, was the accounts database ‘/var/mobile/Library/Accounts/Accounts3.sqlite’. After sifting through the file ( just search for the @ symbol )... you guessed it, my Apple ID! Let’s add this to a little text report, and see what information we build over the course of our exploration.

- Last used mobile number on-device -  A little less useful, but could prove valuable in a few odd situations where a sim card was physically destroyed or missing but the iPhone remains.

- WiFi Networks saved to the device, including pw’s! Not so surprising, as the iPhone requires this information to phone home to the Find My iPhone server at Apple. ‘/var/preferences/SystemConfiguration/com.apple.wifi.plist

- Device ON/OFF Logs - In an investigation where a device is recovered, this information could be very useful to an investigator, especially where other timestamped information is available. ‘/var/logs/lockdownd.log

- All Installed Applications - This information could assist an investigator understand the potential uses for the device. All the bundle identifiers are available which could help identify if Corporate Apps were downloaded to the device to assist with attribution. ‘/var/mobile/library/frontboard/applicationState.db

- That’s all well and good, but how do we know if that user USED the application in question? Well, we have the usage logs! Head over to ‘/private/var/mobile/AggregateDictionary/ADDataStore.sqlitedb’.

- iMessage contact images were also present in the Root Filesystem Acquisition.

This was all gained following a couple of hours using the phone. I’m going to acquire the root filesystem of my main iPhone tonight, and dig through all the BFU data to find locations of other interesting information!

I’m almost certain I’ll be able to grab tokens for connected accounts as well (mail and third party applications) due to notifications being pulled for installed applications before the first unlock, so they must be present in an accessible form...

Soon, i’ll be releasing a small project of mine, Zero-PIN Data Extraction Tool (ZPET) which is designed to pull some useful information from locked iOS devices that are vulnerable to the checkm8 exploit. Keep in mind this also includes devices the user hasn’t already jailbroken previously - every device vulnerable to checkm8 is vulnerable to this method of data extraction.

ZPET will pull specific files of interest if they are present, parse the files and present the end report to the user/investigator!

It's worth nothing that developers have power over which data is available in BFU, and which data is available in AFU. Often, though, developers make small mistakes leaving some information exposed. After all, no protection is actually the default...

Thank you for reading as always, and I hope you found this interesting and some insight into how your device may not be as secure as you previously thought. I’m very sure there will be a follow up article to this after I check out the rootFS of my day-to-day device!