Cracking iOS5 security

New iOS Forensic Toolkit circumvents iOS 5 security measures

Published 1 November 2011

While Apple gave a minor facelift to the whole security system in iOS5, it made significant changes regarding keychain protection, replacing the encryption algorithm entirely. Criminals thinking they can thus use the latest iPhone and iPad devices to store information may want to think again, however, as a new information acquisition solution cracks the latest iOS5 security measures.

ElcomSoft Co. Ltd. said it was updating its iOS Forensic Toolkit, adding iOS5 support and doubling the acquisition speed. The company says that with iOS5 support, iOS Forensic Toolkit can recover device pass codes and perform physical acquisition of Apple devices running iOS 3.x, 4.x, and 5.

By more than doubling the acquisition speed of the earlier versions, the updated Elcomsoft iOS Forensic Toolkit can acquire a 16-Gb iPhone 4 in about twenty minutes, or a 32-Gb version in forty minutes.

The iOS Forensic Toolkit, by providing what the company describes as “near-instant forensic access” to encrypted information stored in the latest iPhone and iPad devices, enables access to protected file system dumps extracted from supported Apple devices even if the original device pass code is unknown.

The company notes that while the whole security system received a minor facelift in iOS5, Apple made significant changes regarding keychain protection, replacing the encryption algorithm entirely. In addition, Apple made the Escrow Keybag useless to forensic specialists by protecting escrow keys with the device pass code. It thus appears that the protection of iOS5 devices relies more heavily on the device pass code than in earlier versions.

Keychains contain information valuable to forensic investigators. This includes stored login credentials to Web sites, Wi-Fi, e-mail and application passwords, and more. With new encryption employed to protect keychain items, Elcomsoft iOS Forensic Toolkit becomes the first commercially available product offering full support for recovering iOS5 keychains.

Elcomsoft iOS Forensic Toolkit can recover the original pass code by performing a brute-force attack. With the plain-text pass code available, Elcomsoft iOS Forensic Toolkit can decrypt all items stored in the keychain.