JailPassing Technique for iPhones
Description, Impact, Cause & Mitigating Actions:
Sometime in late May 2010, one of our employees had set a passcode on one of our iPhones and subsequently forgot what the passcode was.
He didn't make a backup of the data and we needed to access the phone to recover some project test data. And we couldn't perform a restore via iTunes as that would have wiped out all data inside the data partition, data which we needed to retrieve.
So we went onto the internet and tried to see if there was any technique or tool which would allow a user to access a passcode protected iPhone without wiping or destroying any data inside the data partition. As it turns out, there wasn't any useful information available and although some people claimed to be able to do it, they were not disclosing their techniques.
And so our CTO, Chris, did some more research and came across the Spirit jailbreak software. The software itself does not do anything other than modify the iPhone to allow non-AppStore applications to be installed. However, Chris thought the software might be amenable to some custom code insertion. This was based on the widely-available information on how Apple stored the passcode on all firmware versions up to 3.1.3 in a particular file called keychain-2.db. He theorized that renaming the file would result in the iPhone not recognizing a passcode had been set.
Sure enough, by modifying the Spirit software and inserting some code that did the renaming when Spirit was run, Chris proved that the iPhone did not detect the renamed file and allowed us to access the phone without entering a passcode.
While recovering the information and backing it up, Chris also discovered that if he moved the file back to its original location and name, and if the Cydia software which came with the Spirit jailbreak was uninstalled, the phone would look as if it had never been accessed.
(and of course after we retrieved our data, we had our iPhone restored to factory defaults using iTunes :) )
Apple was informed of this and we held off announcing the technique (responsible disclosure) until Apple came out with a fix that stopped the Spirit jailbreak software (which this technique uses) from working. Apple mentioned the flaw was being addressed in the impending 4.0 release so, once firmware 4.0 was released, we ran a demo of the technique for a local reporter and the story ran in the Straits Times on 26 June 2010.
The short video clip below shows how Chris used the technique to bypass the passcode for the phone running 3.1.3 firmware.
In response to some armchair critics who raised the similarity between his technique and existing ones, Chris replies, "Looking at the 2 approaches taken by Jonathan Zdziarski (in his iPhone Forensics Book) and Brad Antoniewicz's whitepaper, my method to bypass the iPhone passcode using Spirit is different because it uses a userland jailbreak method. This is different from Jonathan's method of creating a custom RAM Disk or creating a custom firmware for the iPhone, and it is also different from Brad's method which gets rid of the passcode record via SQL query language from the keychain-2.db file before incorporating the updated passcode file into quickpwn jailbreak software. In fact, Zdziarski mentions in his website blog that "the only reason this hasn't gained much news is that it hasn't been something your kid brother can easily do", whereas the method which I found IS something my kid brother can easily do."
While this technique is intended to help employers legitimately access data on corporate iPhones which their employees have locked themselves out of, as with any method or tool, the ramifications of the technique are quite obvious going the other way.
If new jailbreaks are discovered for subsequent iPhone firmware releases, this "Jailpassing" method (being software-neutral) can theoretically be applied to ride on them unless Apple changes their passcode storage implementation.
For those using iPhone firmware versions 3.1.3 and below, we strongly recommend that you upgrade your firmware to Apple's latest 4.0 release.
Christopher Low developed/refined this method from May to Jun 2010.
Update (1 Nov 2010): Chris has since extended this research to address a question from a visitor who asked, "Can an attacker exploit this Jailpassing weakness to load in a trojan? What could the attacker do in such a case?"
Copyright © 2004-2016 THINKSECURE® PTE LTD ("ThinkSECURE"). All Rights Reserved.