Bypassing the passcode
The iPhone provides an option for its users to set a passcode on their device to prevent unauthorized access. Once a passcode is set, whenever the device is turned on or awakened from sleep mode, the passcode is required to access the data. iOS supports a simple four-digit numeric code and complex alphanumeric passcodes of any length. With the iPhone 5S, a fingerprint scan (Touch ID) can also be used to unlock the device; a passcode is still required alongside it, and the user may choose a simple four-digit code for the cases where the fingerprint is not recognized. By default, the passcode is a four-digit numeric code, but by changing the settings it can be set to a complex passcode. The user also has the option to erase all the contents on the iPhone after 10 failed passcode attempts.
Passcode-locked devices are encountered more frequently, due to general user awareness of theft and to security policies set by organizations. Circumventing the passcode is not always possible, because of security improvements in iOS. The forensic examiner should therefore try to obtain the passcode from the owner, to avoid problems in acquiring data from newer, locked iOS devices.
In early iOS releases, up to iOS 3, the passcode used to unlock the device was stored directly in the keychain, the place where passwords are kept securely on the iPhone. This passcode protection could be bypassed by booting the device with a custom ramdisk and simply deleting the record from the keychain, or by removing the setting that tells the UI to prompt for the passcode after boot.
Since iOS 4, the passcode is not stored on the device in any form. By setting a device passcode, the user automatically enables data protection, which protects the data at rest. With data protection, the data on the device is encrypted with a set of class keys stored in the System keybag. The System keybag itself is protected with a passcode key, derived from the user's passcode and the device's UID. So, in order to decrypt the protected keychain items and files on the file system, you first need to decrypt the System keybag. If there is no passcode, the System keybag can be decrypted easily. If there is a simple four-digit passcode, you will have to guess it in order to decrypt the System keybag. Because the passcode is tangled with the device's UID key, brute force attempts must be performed on the device itself; the same passcode on different devices also produces different passcode keys, as the UID is unique per device. Passcode brute force attacks performed at the SpringBoard level (that is, through the lock screen) run into escalating delays, lock the device, and may lead to the wiping of data. These protection mechanisms do not apply, however, when the brute force attack is run directly against the AppleKeyStore kernel extension to decrypt the System keybag. It is worth mentioning that some tools will attempt to get past the passcode on an iOS device by accessing the host computer to which that iOS device was connected and synced. The tool accesses the pairing key
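To make the on-device brute force concrete, here is an added example in Python that is not code from the book or from any forensic tool. It models the mechanism described above: a passcode key derived from both the passcode and the device UID through an iterated function, a class key wrapped under that passcode key, and a loop that tries all 10,000 four-digit codes against the wrapped key without any SpringBoard delay or wipe counter. The model is deliberately simplified: the UID-keyed PRF is replaced by HMAC-SHA256 rather than the real AES-based kernel routine, the keybag wrap is a simple XOR-and-tag construction rather than AES key wrap, and the UID, salt, class key, passcode and iteration count are all constructed values. The shape of the result is what matters: the search only succeeds with the right UID, so it must run on the device.

```python
import hashlib
import hmac

# Constructed demo values (hypothetical, not real device secrets).
DEMO_UID = hashlib.sha256(b"constructed device UID").digest()   # stands in for the fused UID key
OTHER_UID = hashlib.sha256(b"another device UID").digest()      # a second device's UID
DEMO_SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")    # keybag salt, constructed
DEMO_CLASS_KEY = hashlib.sha256(b"constructed class key").digest()
DEMO_PASSCODE = "4271"
DEMO_ITERATIONS = 20   # real devices use tens of thousands; kept small so the demo runs quickly
TAG_LEN = 8            # bytes of integrity tag kept on the wrapped key


def derive_passcode_key(uid, passcode, salt, iterations):
    """Simplified model of the iOS 4+ passcode-key derivation.

    On a real device the kernel runs an iterated, PBKDF2-style loop whose PRF is
    AES keyed with the device UID, so the output depends on the passcode AND the
    UID and can only be computed on the device holding that UID. Here the
    UID-keyed PRF is modelled with HMAC-SHA256 (an assumption for illustration),
    and `iterations` stands in for the per-device tuning that makes each guess
    cost a noticeable amount of time.
    """
    key = hmac.new(uid, passcode.encode() + salt, hashlib.sha256).digest()
    for _ in range(iterations):
        key = hmac.new(uid, key, hashlib.sha256).digest()
    return key


def wrap_class_key(passcode_key, class_key):
    """Wrap a keybag class key under the passcode key (XOR mask plus a tag).

    The tag plays the role AES key wrap's IV check plays on a real keybag: an
    unwrap with the wrong key is detected instead of yielding garbage silently.
    """
    mask = hmac.new(passcode_key, b"wrap", hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(class_key, mask))
    tag = hmac.new(passcode_key, ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return ciphertext + tag


def unwrap_class_key(passcode_key, wrapped):
    """Return the class key, or None if the passcode key is wrong."""
    ciphertext, tag = wrapped[:-TAG_LEN], wrapped[-TAG_LEN:]
    expected = hmac.new(passcode_key, ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    mask = hmac.new(passcode_key, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, mask))


def build_demo_keybag(uid=DEMO_UID, passcode=DEMO_PASSCODE):
    """Produce the wrapped class key as it would sit in the System keybag."""
    passcode_key = derive_passcode_key(uid, passcode, DEMO_SALT, DEMO_ITERATIONS)
    return wrap_class_key(passcode_key, DEMO_CLASS_KEY)


def brute_force_simple_passcode(uid, salt, wrapped, iterations):
    """Try every four-digit code against the wrapped class key.

    This is the kernel-level search: each candidate is pushed through the
    UID-bound derivation and checked against the keybag directly, so none of
    the lock-screen delays, lockouts or wipe-after-10 logic is in the way.
    Returns (passcode, class_key), or (None, None) if no candidate unwraps it,
    which is what happens when the UID is not the one the keybag was made with.
    """
    for n in range(10000):
        candidate = f"{n:04d}"
        passcode_key = derive_passcode_key(uid, candidate, salt, iterations)
        class_key = unwrap_class_key(passcode_key, wrapped)
        if class_key is not None:
            return candidate, class_key
    return None, None


if __name__ == "__main__":
    wrapped = build_demo_keybag()
    print("on-device search:", brute_force_simple_passcode(DEMO_UID, DEMO_SALT, wrapped, DEMO_ITERATIONS)[0])
    print("search with another UID:", brute_force_simple_passcode(OTHER_UID, DEMO_SALT, wrapped, DEMO_ITERATIONS)[0])
```

Running the search with `OTHER_UID` walks all 10,000 candidates and finds nothing, which is the point of tangling the passcode with the UID: a copy of the keybag taken off the device is useless without the silicon that holds the UID, and the only place the search can be carried out is on the device, through the kernel, bypassing the lock-screen throttling. Raising `DEMO_ITERATIONS` toward a realistic value shows why even a four-digit space takes real time per guess.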