I’ve decided to write this article so that users who aren’t familiar with Data Forensics or Programming can understand what the ZPET Project is and how it’s potentially relevant to you. ZPET is a project that I’m releasing for educational purposes, so that users can understand the data their device is storing in an ‘unencrypted’ or unprotected form (BFU), meaning anybody with physical access to the device can access the data without a passcode or any form of user authentication (where a device is vulnerable to the checkm8 bootrom exploit).
I Thought My iOS Device Was Protected While Locked?
For the most part, your iOS device is protected while locked.
iOS, in the background, like many other systems such as a TV Box or Desktop Computer, will ‘pre-load’ data such as your music album pictures, recent contacts list, and other information. Your device pre-loads this information so that it can respond in a ‘snappy’ way as soon as you enter the passcode, with no delays when unlocking the device.
While this is a positive move for the user experience, it comes at the expense of the user’s privacy and data security.
Okay, But My Recent Contact List Isn’t That Sensitive?
For the majority of readers, this information might not be so sensitive. But it doesn’t stop at your contacts list.
I’ve been able to integrate the extraction of a wide variety of information in the ZPET Project, including the following:
- Apple ID information (Your Email Address).
- Other Email Addresses added to your device for the purposes of reading mail.
- Passes stored in Apple Wallet (Gift Cards, Loyalty Cards etc.), including the barcodes needed to use the passes.
- The last 4 digits of your credit/debit cards and Start/Expiry dates of any Apple Pay card added to your device.
- Identification & ‘Sync Keys’ used to update your apps such as Instagram and Facebook. Using ZPET, we can extract these ‘Sync Keys’ and fully impersonate the user, as these Sync Keys essentially replace the user’s password (This can also affect banking applications).
- iMessage Contact Photographs.
- VPN Credentials (If your device is connected to a corporate network, sensitive details can be captured using this).
As You Can See, The Amount Of Data Present In An Unprotected State Is Expanding
I’d argue this information can be used for malicious purposes including fraud, but could also be very valuable from a Law Enforcement point of view. The reason I’m developing and releasing ZPET is to ensure users are aware of the data that is available to an attacker.
What Can I Do?
Unfortunately, there’s nothing that can be done by the end user to mitigate these sorts of attacks, as it’s how Apple have set up their system, prioritising speed over security. I’m hoping that, upon this release, Apple will improve general data security measures in iOS 14. [update: Apple did not implement mitigations in iOS 14]