.

Locked iPhone

<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Mar 14, 2013 8:46 am

Locked iPhone

Hi everyone,

Ok first, I think most people here on this forum know me by now and I am not a bad guy. I say this because this story really look bad...  :-\

My accountant now has an iPhone 4S, but she still has her old iPhone 3G (no longer connect to a carrier). So she is only using her iPhone 4S. This old iPhone 3G was sync and backed up to iTunes, which was installed on her laptop. The problem is that last fall, somebody broke into her office and stole many things, including her laptop. And since she hasn't used her old iPhone 3G for a while, she couldn't remember her password. She tried login in many times and ended up locking her old phone...

The thing is she has pictures of her daughter that was taken by this phone and was backed up on her stolen laptop. She asked me if I could retrieve her pictures...

She contacted Apple and they said the only thing they can do is wipe out the phone for her (since they match the serial number to her name), but they cannot unlock it for her (which is a good thing!). So she came to me, knowing what I do for a leaving...

So you see? My story looks like the ones we get once in a while on this forum! I feel a bit lame for that...  :-[ But I have known her for many years now and I know she's telling the truth... The phone's id is under her name and there is a picture of her daughter in the logging screen... And no, I didn't steal/found an iPhone I try to steal data from.

I spent something around 6 hours trying to jailbreak this locked iPhone without success... I think she was using iOS 4.1 or something close to this.

So is it possible to recover pictures from a locked iPhone?

Thanks
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Mar 14, 2013 11:04 am

Re: Locked iPhone

probably not much help, but did you see this?

http://lifehacker.com/5852948/what-to-d ... s-passcode

It says you can sync the phone even when it's locked. Not having an iphone, and not touching itunes in about 6 years, I don't know if you can add and sync a new device while it is locked.
Last edited by rattis on Thu Mar 14, 2013 11:05 am, edited 1 time in total.
OSWP, Sec+
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Mar 14, 2013 2:11 pm

Re: Locked iPhone

Thanks chrisj but the problem with this is you need "the" iTunes that was used for the backup BEFORE the phone got locked. As you may or may not know, you can only sync your iPhone, iPod or iPad with a single version of iTunes. If she would still have her laptop (with the version of iTunes she used to sync with), she could recover her phone using this technique. Similarly, if she wouldn't care about her pictures, she could use this procedure with any iTunes to reset the phone to the factory state.

The problem is in the fact she wants her pictures back...

But thanks anyways!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Matthias2012

User avatar

Newbie
Newbie

Posts: 12

Joined: Mon Sep 17, 2012 3:08 pm

Location: Germany

Post Thu Mar 14, 2013 2:52 pm

Re: Locked iPhone

Hello H1t M0nk3y,

how good is your german?
On the last IT-Security Exhibition in Nuernberg/Germany the CIO of ssys.de showed how to get into a locked iPad. Maybe this will give you an idea..
He also said that an iPhone works similiar...
http://www.techcast.com/events/it-sa-li ... -schreiber
it shows him in action...

Regards
Matthias Dörfer
_______________________________________________________
eCPPT - C|EH - MCITP
<<

m0wgli

User avatar

Sr. Member
Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Thu Mar 14, 2013 3:24 pm

Re: Locked iPhone

Unfortunately, from what I've been able to find (as I'm sure you have), given the circumstances, your friend needs to start considering those pictures lost.:(

I hope to be proved wrong!
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
<<

Matthias2012

User avatar

Newbie
Newbie

Posts: 12

Joined: Mon Sep 17, 2012 3:08 pm

Location: Germany

Post Thu Mar 14, 2013 4:48 pm

Re: Locked iPhone

I looked at the video and then I looked at your first posting again and I`am afraid but if your tried to "bruteforce" the pin for the GUI, then the device will have deleted the AES-decryption keys after X attempts and even for a forensic expert the data is lost... :'(

Regards
Matthias Dörfer
_______________________________________________________
eCPPT - C|EH - MCITP
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Mar 14, 2013 5:33 pm

Re: Locked iPhone

I thought this was simple to do offline if you open up the phone and remove the storage device. Invalid attempts aren't going to wipe it since that depends on the running OS software. You should be able to do that almost instantly if she was only using a four-digit PIN. I don't work with this much, so I don't know the specific tools, but I swear I've heard this attack discussed multiple times.
The day you stop learning is the day you start becoming obsolete.
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Mar 14, 2013 10:08 pm

Re: Locked iPhone

H1t M0nk3y wrote:As you may or may not know, you can only sync your iPhone, iPod or iPad with a single version of iTunes.


This I did not know, I thought you could sync  / back up to multiple version of iTunes (like I said, haven't used in forever).

what about attaching it to a linux box and just mounting it as a local device? I don't remember having to do anything special when I had my ipod color.
OSWP, Sec+
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Mar 15, 2013 11:02 am

Re: Locked iPhone

what about attaching it to a linux box and just mounting it as a local device? I don't remember having to do anything special when I had my ipod color.

@chrisj: I tried but the phone itself is locked, so it doesn't work either...

the device will have deleted the AES-decryption keys after X attempts and even for a forensic expert the data is lost...

@Matthias2012: I don't know german at all (regarding the video), but do you know at which iOS version Apple has started to do this?

I thought this was simple to do offline if you open up the phone and remove the storage device. Invalid attempts aren't going to wipe it since that depends on the running OS software. You should be able to do that almost instantly if she was only using a four-digit PIN. I don't work with this much, so I don't know the specific tools, but I swear I've heard this attack discussed multiple times.

@ajohnson: I think I may have to follow this route... I will research on this topic and post my findings. I hope I won't have to buy new hardware...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

m0wgli

User avatar

Sr. Member
Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Fri Mar 15, 2013 11:29 am

Re: Locked iPhone

I was looking through these last night, you might find something of use in here:

iOS hacking resource collection
Last edited by m0wgli on Fri Mar 15, 2013 11:43 am, edited 1 time in total.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
<<

jjwinter

User avatar

Jr. Member
Jr. Member

Posts: 80

Joined: Mon Mar 05, 2012 10:33 pm

Post Sat Mar 16, 2013 11:24 am

Re: Locked iPhone

Did she use iCloud for backup?
<<

m0wgli

User avatar

Sr. Member
Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Sat Mar 16, 2013 11:34 am

Re: Locked iPhone

jjwinter wrote:Did she use iCloud for backup?


Unfortunately to use iCloud you need iOS 5 or higher, this isn't available for the iPhone 3G.
Last edited by m0wgli on Sat Mar 16, 2013 1:55 pm, edited 1 time in total.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Mar 18, 2013 6:01 am

Re: Locked iPhone

Well, I think her pictures are gone forever now... :-[

Thanks everyone for you help. At least, I have learn quite a few things along the way...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Mar 18, 2013 9:37 am

Re: Locked iPhone

Ah, turns out I was wrong. You can't do an offline attack because you need to extract the hardware key.

Have you tried something like this? https://www.youtube.com/watch?v=S6OIK0oL6SI

It looks like Elcomsoft has a commercial tool too: http://www.elcomsoft.com/eppb.html That might be worth a shot if nothing else works and the photos are worth $80 to her.
Last edited by dynamik on Mon Mar 18, 2013 9:39 am, edited 1 time in total.
The day you stop learning is the day you start becoming obsolete.
<<

m0wgli

User avatar

Sr. Member
Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Mon Mar 18, 2013 4:03 pm

Re: Locked iPhone

H1t M0nk3y wrote:At least, I have learn quite a few things along the way...


Same here, I know now considerably more about iOS security than I did last week.

ajohnson wrote:Ah, turns out I was wrong. You can't do an offline attack because you need to extract the hardware key.


Elcomsoft also offer an iOS Forensic Toolkit which can extract the keys, however, it's availability is restricted to select government entities (such as law enforcement, forensic organizations and intelligence agencies).

ajohnson wrote:It looks like Elcomsoft has a commercial tool too: http://www.elcomsoft.com/eppb.html That might be worth a shot if nothing else works and the photos are worth $80 to her.


AFAIK this works on a backup of the device, not the physical device.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
Next

Return to Mobile

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software