iOS 16 brings many changes to mobile forensics. Users receive additional tools to control the sharing and protection of their personal information, while forensic experts will face tighter security measures. In this review, we’ll talk about the things in iOS 16 that are likely to affect the forensic workflow.
Devices based on the Apple A11 Bionic chip, which includes the iPhone 8, 8 Plus, and iPhone X, are the oldest iPhones updated to iOS 16. They are also the only iPhones compatible with the checkm8 exploit that received iOS 16. In iOS 16, Apple were able to effectively block the ability to extract user data from these iPhones, but some forensic software vendors reported otherwise. What happened?
The public testing of iOS 16 started more than two months ago. At the same time, some third-party software vendors started adapting their products to iOS 16, which included the vendors of forensic software. Everything was well, and some forensic vendors reported checkm8 support in their tools days before the release of the final, official build of iOS 16.
Apparently, some vendors rush to be the first to announce something, not caring much about the quality of the final product and not conducting the thorough, comprehensive testing. We started researching starting from the first beta 16, testing everything in all imaginable combinations, and waited patiently until the official release to conduct the final test – which, in turn, revealed a very surprising result that pushed back our own release. You may read more about it in iOS 16: Extracting the File System and Keychain from A11 Devices.
Our goal is remaining fully transparent about everything we make. We strive to provide the most complete information about the limitations and compatibility (see for example our list of supported devices), and give as much information about the inner working of the things as we can. We have nothing to hide, and we want our customers to have full information about not just functionality but also the insides.
That final, official build now includes a brand-new SEP (Secure Enclave Processor) hardening patch that effectively prevents access to user data if a screen lock passcode was ever used on the device.
Historically, Apple already attempted to patch checkm8 extractions in iOS 14. At the time, the iPhone 7, 7 Plus, 8, 8 Plus, and iPhone X devices received a SEP hardening patch that blocked checkm8 extractions if a screen lock passcode was currently enabled. Removing the screen lock passcode in device settings re-enabled checkm8 extractions on these devices, albeit at the cost of not being forensically sound anymore. A SEP vulnerability was later discovered for A10 devices (iPhone 7 and 7 Plus), making it possible to bypass the requirement and use checkm8 on passcode-protected devices without removing the screen lock passcode. No such vulnerability was discovered for A11 Bionic.
Why it matters:
iOS 16 introduces Lockdown Mode, a special mode offering an additional level of security for the users who are likely to become targets of personal attacks. When describing the feature, Apple specifically mentions “sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware”. According to Apple, turning on Lockdown Mode hardens device defenses and limits certain functionalities, thus reducing the attack surface that potentially could be exploited by targeted spyware.
Activating Lockdown Mode requires toggling a setting and rebooting the iPhone. In this mode, some device functions will be restricted. The following limitations will initially apply (with additional protections potentially available over time):
The limitations are balanced enough for Lockdown Mode to be both useful and practically usable. We are yet to discover forensic implications of Lockdown Mode.
Passkeys are yet another attempt to re-invent authentication. Based on classic asymmetric cryptography, passkeys are aimed to eliminate the need to use passwords and jump through the hoops of two-factor authentication ever again.
Technically, passkeys are cryptographic key pairs of matching public and private keys as defined in asymmetric cryptography. A private key is stored on the iPhone in the keychain (and synchronized across devices via iCloud Keychain, which in turn is protected with end-to-end encryption), while a public key is stored on the service side. According to TechCrunch, Passkey is based on WebAuthn standard, so users can use biometric authentication like Face ID or Touch ID, or use a PIN to validate a login attempt. The standard is based on FIDO’s proposed multi-device credentials that allow users to store authentication keys across devices enabling users to log in without requiring a password. This means it should work across platforms, but Google and Microsoft are yet to implement the technology on their platforms. More information is available in What is Apple Passkey, and how will it help you go passwordless? | TechCrunch
From the forensic point of view, Passkeys are parts of credentials stored in the device keychain and iCloud Keychain. Experts can extract Passkeys from the device itself or use Elcomsoft Phone Breaker to download from iCloud Keychain. Since iCloud Keychain is end-to-end encrypted, accessing iCloud Keychain will require a screen lock passcode or system password of an enrolled device in addition to the user’s Apple ID and password.
Rapid Security Response is an interesting new feature that can install security patches without the need for a full iOS update. The exact forensic implications of Rapid Security Response are still unknown. On the one hand, Rapid Security Response may deliver critical security patches faster without pushing the users to update the OS, thus patching any potential vulnerabilities that might otherwise be used for low-level extractions. On the other hand, some sources suggest that updates delivered through Rapid Security Response can be uninstalled by going to Settings > General > About, tapping iOS Version, and then tapping Remove Security Update.
The iPhone 13 and 14 will be able to use Face ID in landscape orientation. This feature does not affect iOS forensics. As a reminder, Apple last improved Face ID in iOS 15.4 by adding the ability to unlock iPhones while wearing a medical mask. iOS 14.5 brought the ability to unlock iPhones while wearing a medical mask with Apple Watch. This latter feature may be a potential vector of attack.
Apple works hard on improving privacy protections. The features listed below are unlikely to affect forensic experts, with one notable exception.
According to Apple, Safety Check is designed to “check whom you’re sharing information with, restrict Messages and FaceTime to your iPhone, reset system privacy permissions for apps, change your passcode, change your Apple ID password, and more.” The feature enables reviewing and removing permissions granted to apps or people from a single point of access. Safety Check can be also used to restrict incoming messages and FaceTime calls to a single iPhone by disabling iCloud Messages and calling. As a reminder, iCloud Messages are end-to-end encrypted, and can be only extracted with Elcomsoft Phone Breaker if you have a screen lock passcode or system password of an enrolled device (in addition to login credentials and two-factor authentication).
iOS 14 introduced a pop-up bubble informing that a certain app accessed the clipboard. The message could not be disabled system-wide, and many users were irritated by constant pop-ups. iOS 16 attempts to solve this issue by introducing a new permission to access the clipboard in background. More information is available in UIPasteBoard’s privacy change in iOS 16 | Sarunw. When testing the feature, we found it to be half-baked since Apple did not provide a way to view or recall this permission. It turned out that the feature is, indeed, half-baked and buggy.
Prior to iOS 16, hidden albums were just that. Users could ‘hide’ a picture by placing it into a ‘hidden’ album. The image would then disappear from the main photo stream, yet simply opening the hidden album would instantly reveal such pictures.
iOS 16 adds an additional layer of protection, now keeping the hidden photos locked behind a passcode or Face ID by default. Users can disable the authentication requirement in the settings.
This feature does not affect the ability to extract media files in any way. The hidden photos remain available in backups, and they are easily accessible through AFC during advanced logical acquisition with iOS Forensic Toolkit without requiring any sort of extra authentication.
iOS 15.2 enabled Privacy Report, a feature that allows users to see details about how often apps access their data such as location, camera, microphone, and more. Users can also see information about each app’s network activity, as well as the web domains that all apps contact most frequently (About App Privacy Report). Earlier in iOS 14.5 Apple enabled App Tracking Transparency, a feature that gave users control over which apps are allowed to ask for permission if they want to track users’ activities across other apps and websites.
These thigs happened many months before the release of iOS 16. Why are we addressing them now?
“Local law enforcement agencies from suburban Southern California to rural North Carolina have been using an obscure cellphone tracking tool, at times without search warrants, that gives them the power to follow people’s movements months back in time, according to public records and internal emails obtained by The Associated Press”, say GARANCE BURKE and JASON DEAREN in Tech tool offers police ‘mass surveillance on a budget’ | AP News. According to the publication, the service named Fog Reveal was provided by Fog Data Science LLC, a company founded by two former high-ranking Department of Homeland Security officials.
Fog Reveal obtained the data from various ad mediators and owners of advertisement SDKs such as Waze, Starbucks, Meta, and many other companies collecting information about the users’ movements and interest. Such information is openly sold, albeit in anonymized form.
Using Fog’s data, which the company claims is anonymized, police can geofence an area or search by a specific device’s ad ID numbers, according to a user agreement obtained by AP. But, Fog maintains that “we have no way of linking signals back to a specific device or owner,” according to a sales representative who emailed the California Highway Patrol in 2018, after a lieutenant asked whether the tool could be legally used.
Despite such privacy assurances, the records show that law enforcement can use Fog’s data as a clue to find identifying information. “There is no (personal information) linked to the (ad ID),” wrote a Missouri official about Fog in 2019. “But if we are good at what we do, we should be able to figure out the owner.” (source)
It is exactly the devices’ unique advertising identifier that was used to uniquely identify each device, initially for the purposes of tracking and ad targeting. While each devices’ advertising identifier is anonymous, with enough data and some analysis it can be easily linked to a person. App Tracking Transparency gave users control over who can request permission to access the users’ advertising identifier, and Only 4 percent of US iPhone users have agreed to app tracking after iOS 14.5. Privacy Report, on the other hand, gives users important insight on which apps are abusing permissions and which Web sites they talk to.
In iOS 16, Apple went a long way to protect the users’ personal information and secure their devices. The SEP patch for A11 devices caught us by surprise, rendering checkm8 extraction effectively useless on iPhone 8, 8 Plus and iPhone X devices.
Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.
Elcomsoft iOS Forensic Toolkit official web page & downloads »
Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud, Windows Phone and BlackBerry 10 devices! Download device backups from Apple iCloud, Microsoft OneDrive and BlackBerry 10 servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.
Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.