SlideShare une entreprise Scribd logo

Belenko, sklyarov dark and bright sides of i cloud (in)security

DefconRussia
DefconRussia
1  sur  40
Télécharger pour lire hors ligne
Dark and Bright Sides of the iCloud (In)Security Andrey Belenko Dmitry Sklyarov Sr. Security Engineer Lead Analyst viaForensics Positive Technologies Tuesday, 20 November 12 1
Disclaimer This work has been done in early 2012 while we have been still working for (and receiving paychecks from) Elcomsoft. Permission has been obtained prior to preparing this presentation and we are thankful to Elcomsoft for providing such permission. Elcomsoft also offers a commercial tool (based on this research) that can download iCloud backups. Tuesday, 20 November 12 2
Motivation Mobile device forensics Tuesday, 20 November 12 3
Motivation Devices are becoming increasingly interconnected but forensic tools are not ready for this (yet) Tuesday, 20 November 12 4
Motivation iCloud is the natural target as it is quite big and popular Tuesday, 20 November 12 5
Motivation So it is about iOS forensics in the first place Tuesday, 20 November 12 6
Forensics 101 Acquisition ➜ Analysis ➜ Reporting GOALS: 1. Assuming physical access to the device extract as much information as practical 2. Leave as little traces/artifacts as practical Tuesday, 20 November 12 7
iOS: Why Even Bother? • More than 5 years on the market • 360+ million iOS devices sold worldwide • 7 iPhones, 5 iPods, 5 iPads • “Smart devices” – they do carry a lot of sensitive data • Corporate deployments are increasing There was, is, and will be a real need for iOS forensics Tuesday, 20 November 12 8
iOS Forensics 101 • Passcode • Prevents unauthorized access to the device • Bypassing passcode is usually enough • Keychain • System-wide storage for sensitive data • Encrypted • Disk encryption Tuesday, 20 November 12 9
iOS Forensics 101 • Logical: iPhone Backup • “Ask” device to produce backup • Device must be unlocked (by passcode or iTunes) • Device may produce encrypted backup • Limited amount of information Tuesday, 20 November 12 10
iOS Forensics 101 • Physical: filesystem acquisition • Boot-time exploit to run unsigned code • Device lock state isn’t relevant, can bruteforce passcode • Can get all information from the device • Physical+: flash memory acquisition • Same requirements as for physical • Also allows recovery of deleted files! Tuesday, 20 November 12 11
iOS Data Protection Every iOS device contains secure AES engine with two embedded keys: • GID – shared by all devices of same “family” • UID – unique per device • Newer devices have additional UID+ key There are no (publicly) known ways to extract GID or UID key from the device Tuesday, 20 November 12 12
iOS Data Protection • Content grouped by accessibility requirements: • Available only when device is unlocked • Available after first device unlock (and until power off) • Always available • Each protection class has a master key • Master keys are protected by device key and passcode • Protected master keys form system keybag • New keys created during device restore Tuesday, 20 November 12 13
iOS 4+ Passcode • Passcode is used to compute passcode key • Computation is tied to hardware key (UID/UID+) • Same passcode will yield different passcode keys on different devices! • Passcode key is required to unlock most keys from the system keybag • Most files are protected with NSProtectionNone and don’t require a passcode • Most keychain items are protected with ...WhenUnlocked or ...AfterFirstUnlock and require a passcode Tuesday, 20 November 12 14
iOS 4+ Passcode • Passcode-to-Key transformation is slow • Offline bruteforce currently is not possible • Requires extracting UID/UID+ key • On-device bruteforce is slow • 2 p/s on iPhone 3G, 7 p/s on iPad • System keybag contains hint on password complexity Tuesday, 20 November 12 15
iOS 4+ Passcode Tuesday, 20 November 12 16
iOS 5 Keychain • SQLite3 DB, all columns are encrypted • Available protection classes: • kSecAttrAccessibleWhenUnlocked (+ ...ThisDeviceOnly) • kSecAttrAccessibleAfterFirstUnlock (+ ...ThisDeviceOnly) • kSecAttrAccessibleAlways (+ ...ThisDeviceOnly) • Random key for each item, AES-GCM • Item key is protected with corresponding protection class master key 2 Class Wrapped Key Length Wrapped Key Encrypted Data (+Integrity Tag) 0 4 8 12 Tuesday, 20 November 12 17
iOS 5 Storage • Only User partition is encrypted • Available protection classes: • NSProtectionNone • NSProtectionComplete • NSFileProtectionCompleteUntilFirstUserAuthentication • NSFileProtectionCompleteUnlessOpen • Per-file random encryption key • File key protected with master key is stored in extended attribute com.apple.system.cprotect • No protection class – partition key is used • Filesystem metadata and unprotected files • Transparent encryption and decryption (same as pre-iOS 4) Tuesday, 20 November 12 18
iCloud • Introduced in Oct 2011 • Introduced with iOS 5 • Successor to MobileMe, .Mac, iTools • 5 GB free storage • Up to 50 GB paid storage Tuesday, 20 November 12 19
iCloud Services Tuesday, 20 November 12 20
iCloud Backup Tuesday, 20 November 12 21
iCloud Backup: What ? • Messages (including iMessages) • Application data • Device settings • Camera roll (photos and videos) • Visual voicemails • Purchases (music, movies, TV, apps, books) • Home screen arrangement • Ringtones Tuesday, 20 November 12 22
iCloud Backup : When? Backup runs daily when device is: • Connected to the Internet over Wi-Fi • Connected to a power source • Locked Can force backup • Settings - iCloud - Storage & Backup - Back Up Now Tuesday, 20 November 12 23
iCloud Backup : How? • Can be enabled/disabled per device, at any time • iCloud Control Panel shows list of backed up devices and space/quota used (no access to data though) Tuesday, 20 November 12 24
iCloud Backup : How? • Restore can only be done on clean device (i.e. new one or after a firmware restore) • No other ways to access/ browse/download backups in iCloud • Challenge accepted! :) Tuesday, 20 November 12 25
Master Plan • Capture traffic while device restores from the iCloud • Deduce protocol from traffic dump(s) and some RE, if needed • Create a tool that will speak iCloud backup/restore protocol and pull data from the cloud Tuesday, 20 November 12 26
Capturing Traffic • iCloud backup/restore happens over SSL • Need to plant CA certificate to do MITM • Trivial for backup (just install “profile”) • Not-so-trivial for restore: clean device, no usual apps (Safari, Settings) and limited UI • Yet, there are ways to do this • Tethered jailbreak and add certificate to TrustStore.sqlite3 • iPhone Configuration Utility may also help • Kiosk-mode hack/bypass on iOS anyone? :) Tuesday, 20 November 12 27
Traffic Flow • Authenticate: send Apple ID and password, receive authentication token • Get list of devices/backups • Get OTA backup keybag • Build list of files to download • iCloud backups are incremental and 3 most recent snapshots are maintained • Download file data (encrypted and chunked, from Amazon/Microsoft clouds!) Tuesday, 20 November 12 28
Protocol • Dynamic: endpoints depend on Apple ID • Built on Google Protocol Buffers (mostly) • Files are split into chunks • Apple provides file-to-chunks mapping, chunk encryption keys, and full request info to 3rd-party storage provider (Amazon/Microsoft) • Encryption key depends on chunk data (deduplication?) Tuesday, 20 November 12 29
Protocol Flow /mbs/<personId> List of backups /mbs/<personId>/<backupUDID>/getKeys OTA backup keybag /mbs/<personId>/<backupUDID>/<snapshotId>/listFiles iCloud File manifest /mbs/<personId>/<backupUDID>/<snapshotId>/getFiles File auth tokens /mbs/<personId>/authorizeGet Info about containers of chunks for files (FileGroups) Request containers of chunks (FileGroups) Containers of chunks Tuesday, 20 November 12 30
Message Definitions message  FileGroups  {    repeated  FileChecksumStorageHostChunkLists  file_groups            =  1;    repeated  FileError                                                  file_error              =  2;    repeated  FileChunkError                                        file_chunk_error  =  3;    optional  uint32                                                        verbosity_level    =  4; } message  FileChecksumStorageHostChunkLists  {    repeated  StorageHostChunkList                storage_host_chunk_list            =  1;    repeated  FileChecksumChunkReferences  file_checksum_chunk_ref_list  =  2; } message  FileChecksumChunkReferences  {    required  bytes                    file_checksum        =  1;    repeated  ChunkReference  chunk_references  =  2; } message  ChunkReference  {    required  uint64  container_index  =  1;    required  uint64  chunk_index          =  2;   } Tuesday, 20 November 12 31
Message Definitions message  FileChecksumStorageHostChunkLists  {    repeated  StorageHostChunkList                storage_host_chunk_list            =  1;    repeated  FileChecksumChunkReferences  file_checksum_chunk_ref_list  =  2; } message  StorageHostChunkList  {    required  HostInfo    host_info                                                          =  1;    repeated  ChunkInfo  chunk_info                                                        =  2;    required  string        storage_container_key                                  =  3;    required  string        storage_container_authorization_token  =  4; } message  HostInfo  {    required  string                hostname                                      =  1;    required  uint32                port                                              =  2;    required  string                method                                          =  3;    required  string                uri                                                =  4;    required  string                transport_protocol                  =  5;    required  string                transport_protocol_version  =  6;    required  string                scheme                                          =  7;    repeated  NameValuePair  headers                                        =  8; } Tuesday, 20 November 12 32
Message Definitions message  FileChecksumStorageHostChunkLists  {    repeated  StorageHostChunkList                storage_host_chunk_list            =  1;    repeated  FileChecksumChunkReferences  file_checksum_chunk_ref_list  =  2; } message  StorageHostChunkList  {    required  HostInfo    host_info                                                          =  1;    repeated  ChunkInfo  chunk_info                                                        =  2;    required  string        storage_container_key                                  =  3;    required  string        storage_container_authorization_token  =  4; } message  ChunkInfo  {    required  bytes    chunk_checksum              =  1;    optional  bytes    chunk_encryption_key  =  2;    required  uint32  chunk_length                  =  3; } Tuesday, 20 November 12 33
Encryption • Data stored at 3rd-party storage providers is encrypted • Apple has encryption keys to that data • Few files are further encrypted using keys from OTA backup keybag • Probably files encrypted by Data Protection • Keychain items are encrypted using keys from OTA backup keybag • Need key 0x835 (securityd) to decrypt most keys from OTA backup keybag Tuesday, 20 November 12 34
Encryption Apple ID + Password or Key 0x835 AuthToken Files + – Files encrypted by + + Data Protection Keychain Records + + Tuesday, 20 November 12 35
Key 0x835 • Device-specific key, computed from unique hardware-embedded key (UID) at startup • Apple can have a list of those keys • Apple claims not to store UID key but it’s not clear whether they store keys derived from it • Few things that are encrypted in iCloud backups are encrypted using key 0x835 Tuesday, 20 November 12 36
Summary • There is no user-configurable encryption for iCloud backups • iCloud backups are stored in Microsoft and Amazon clouds in encrypted form • Apple holds encryption keys and thus have access to data in iCloud backups • If Apple stores 0x835 keys then it can also have access to Keychain data (i.e. passwords) • Apple may have legal obligations to do this (LE, USG, etc) Tuesday, 20 November 12 37
Conclusions There is no privacy or confidentiality (not exactly news, go ask ex-CIA director if you don’t believe us) Tuesday, 20 November 12 38
Thank You! Questions? Tuesday, 20 November 12 39
Dark and Bright Sides of the iCloud (In)Security Andrey Belenko Dmitry Sklyarov Sr. Security Engineer Lead Analyst viaForensics Positive Technologies Tuesday, 20 November 12 40

Recommandé

Troopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovTroopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovJose Moruno Cadima
 
Icloud
IcloudIcloud
IcloudDeepak Soni
 
Icloud seminar report
Icloud seminar reportIcloud seminar report
Icloud seminar reportRicha Dewani
 
Icloud by Apple
Icloud by AppleIcloud by Apple
Icloud by AppleKokonda Nikhil Kumar
 
iCloud Presentation Notes
iCloud Presentation NotesiCloud Presentation Notes
iCloud Presentation Notesavsorrent
 
Icloud
IcloudIcloud
IcloudMuditGoyal13
 
Harold Kelly Keynote for CaterSource2014 iDevice management #CSES2014 #ipad #...
Harold Kelly Keynote for CaterSource2014 iDevice management #CSES2014 #ipad #...Harold Kelly Keynote for CaterSource2014 iDevice management #CSES2014 #ipad #...
Harold Kelly Keynote for CaterSource2014 iDevice management #CSES2014 #ipad #...Harold Kelly
 
Ad hoc zaduk
Ad hoc zaduk Ad hoc zaduk
Ad hoc zaduk Sam Zaduk, MBA
 

Recommandé

Troopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovTroopers14 Advanced Smartphone forensics - Vladimir Katalov
Troopers14 Advanced Smartphone forensics - Vladimir KatalovJose Moruno Cadima
 
Icloud
IcloudIcloud
IcloudDeepak Soni
 
Icloud seminar report
Icloud seminar reportIcloud seminar report
Icloud seminar reportRicha Dewani
 
Icloud by Apple
Icloud by AppleIcloud by Apple
Icloud by AppleKokonda Nikhil Kumar
 
iCloud Presentation Notes
iCloud Presentation NotesiCloud Presentation Notes
iCloud Presentation Notesavsorrent
 
Icloud
IcloudIcloud
IcloudMuditGoyal13
 
Harold Kelly Keynote for CaterSource2014 iDevice management #CSES2014 #ipad #...
Harold Kelly Keynote for CaterSource2014 iDevice management #CSES2014 #ipad #...Harold Kelly Keynote for CaterSource2014 iDevice management #CSES2014 #ipad #...
Harold Kelly Keynote for CaterSource2014 iDevice management #CSES2014 #ipad #...Harold Kelly
 
Ad hoc zaduk
Ad hoc zaduk Ad hoc zaduk
Ad hoc zaduk Sam Zaduk, MBA
 
I-cloud
I-cloudI-cloud
I-clouduniversity of education,Lahore
 
iCloud
iCloud iCloud
iCloud amanmanocha
 
iCloud - get your head in the iCloud
iCloud - get your head in the iCloudiCloud - get your head in the iCloud
iCloud - get your head in the iCloudNewington College
 
Ppt by saikumar icloud
Ppt by saikumar icloudPpt by saikumar icloud
Ppt by saikumar icloudSai Kumar
 
Apple iCloud
Apple iCloudApple iCloud
Apple iCloud우일 권
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
iCloud
iCloudiCloud
iCloudCarmen Saunders, MSN, FNP-BC
 
I twin report
I twin reportI twin report
I twin reportSumit Kumar Sharma
 
Intro to Unity
Intro to UnityIntro to Unity
Intro to UnityEnvarh
 
iCloud by Apple
iCloud by AppleiCloud by Apple
iCloud by AppleHimanshu Soni
 
Module 004 browsing the internet with safari
Module 004 browsing the internet with safariModule 004 browsing the internet with safari
Module 004 browsing the internet with safariMostafa Al Ashery
 
I cloud
I cloudI cloud
I cloudRahul prajapati
 
Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.DataArt
 
Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.DataArt
 
Mobile slide
Mobile slideMobile slide
Mobile slideboeingrl
 
Extensions
ExtensionsExtensions
ExtensionsManjula Jonnalagadda
 
Internet security
Internet securityInternet security
Internet securityAntony Mathew
 
iTwin Technology
iTwin TechnologyiTwin Technology
iTwin TechnologyIRJET Journal
 
X2x pitch deck
X2x pitch deckX2x pitch deck
X2x pitch deckx2xproject
 
5penpctechnology
5penpctechnology5penpctechnology
5penpctechnologyvennela venni
 
iOS and BlackBerry Forensics
iOS and BlackBerry ForensicsiOS and BlackBerry Forensics
iOS and BlackBerry ForensicsAndrey Belenko
 
iOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectioniOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectionAndrey Belenko
 

Contenu connexe

Tendances

iCloud - get your head in the iCloud
iCloud - get your head in the iCloudiCloud - get your head in the iCloud
iCloud - get your head in the iCloudNewington College
 
Ppt by saikumar icloud
Ppt by saikumar icloudPpt by saikumar icloud
Ppt by saikumar icloudSai Kumar
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
Intro to Unity
Intro to UnityIntro to Unity
Intro to UnityEnvarh
 
Module 004 browsing the internet with safari
Module 004 browsing the internet with safariModule 004 browsing the internet with safari
Module 004 browsing the internet with safariMostafa Al Ashery
 
Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.DataArt
 
Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.DataArt
 
Mobile slide
Mobile slideMobile slide
Mobile slideboeingrl
 
X2x pitch deck
X2x pitch deckX2x pitch deck
X2x pitch deckx2xproject
 

Tendances (20)

I-cloud
I-cloudI-cloud
I-cloud
 
iCloud
iCloud iCloud
iCloud
 
iCloud - get your head in the iCloud
iCloud - get your head in the iCloudiCloud - get your head in the iCloud
iCloud - get your head in the iCloud
 
Ppt by saikumar icloud
Ppt by saikumar icloudPpt by saikumar icloud
Ppt by saikumar icloud
 
Apple iCloud
Apple iCloudApple iCloud
Apple iCloud
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
 
iCloud
iCloudiCloud
iCloud
 
I twin report
I twin reportI twin report
I twin report
 
Intro to Unity
Intro to UnityIntro to Unity
Intro to Unity
 
iCloud by Apple
iCloud by AppleiCloud by Apple
iCloud by Apple
 
Module 004 browsing the internet with safari
Module 004 browsing the internet with safariModule 004 browsing the internet with safari
Module 004 browsing the internet with safari
 
I cloud
I cloudI cloud
I cloud
 
Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.Никита Корчагин - Introduction to Apple iOS Development.
Никита Корчагин - Introduction to Apple iOS Development.
 
Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.Ярослав Воронцов — Пара слов о mobile security.
Ярослав Воронцов — Пара слов о mobile security.
 
Mobile slide
Mobile slideMobile slide
Mobile slide
 
Extensions
ExtensionsExtensions
Extensions
 
Internet security
Internet securityInternet security
Internet security
 
iTwin Technology
iTwin TechnologyiTwin Technology
iTwin Technology
 
X2x pitch deck
X2x pitch deckX2x pitch deck
X2x pitch deck
 
5penpctechnology
5penpctechnology5penpctechnology
5penpctechnology
 

Similaire à Belenko, sklyarov dark and bright sides of i cloud (in)security

iOS and BlackBerry Forensics
iOS and BlackBerry ForensicsiOS and BlackBerry Forensics
iOS and BlackBerry ForensicsAndrey Belenko
 
iOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectioniOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectionAndrey Belenko
 
Synapse india iphone apps presentation oncracking and analyzing apple icloud
Synapse india iphone apps presentation oncracking and analyzing apple icloudSynapse india iphone apps presentation oncracking and analyzing apple icloud
Synapse india iphone apps presentation oncracking and analyzing apple icloudSynapseIndiaiPhoneApps
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption SystemsPeter Teufl
 
CNIT 128 2. Analyzing iOS Applications (Part 2)
CNIT 128 2. Analyzing iOS Applications (Part 2)CNIT 128 2. Analyzing iOS Applications (Part 2)
CNIT 128 2. Analyzing iOS Applications (Part 2)Sam Bowne
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systemsBirju Tank
 
iOS secure app development
iOS secure app developmentiOS secure app development
iOS secure app developmentDusan Klinec
 
iPhone Data Protection in Depth
iPhone Data Protection in Depth iPhone Data Protection in Depth
iPhone Data Protection in DepthSeguridad Apple
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption SystemsPeter Teufl
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testingeightbit
 
CactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseCactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseSeth Law
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupEC-Council
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?Reality Net System Solutions
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyClubHack
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation TestJongWon Kim
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testingeightbit
 
Hack one iot device, break them all!
Hack one iot device, break them all!Hack one iot device, break them all!
Hack one iot device, break them all!Justin Black
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingBrent Muir
 

Similaire à Belenko, sklyarov dark and bright sides of i cloud (in)security (20)

iOS and BlackBerry Forensics
iOS and BlackBerry ForensicsiOS and BlackBerry Forensics
iOS and BlackBerry Forensics
 
iOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data ProtectioniOS Forensics: Overcoming iPhone Data Protection
iOS Forensics: Overcoming iPhone Data Protection
 
Synapse india iphone apps presentation oncracking and analyzing apple icloud
Synapse india iphone apps presentation oncracking and analyzing apple icloudSynapse india iphone apps presentation oncracking and analyzing apple icloud
Synapse india iphone apps presentation oncracking and analyzing apple icloud
 
iOS Forensics
iOS Forensics iOS Forensics
iOS Forensics
 
IOS Encryption Systems
IOS Encryption SystemsIOS Encryption Systems
IOS Encryption Systems
 
CNIT 128 2. Analyzing iOS Applications (Part 2)
CNIT 128 2. Analyzing iOS Applications (Part 2)CNIT 128 2. Analyzing iOS Applications (Part 2)
CNIT 128 2. Analyzing iOS Applications (Part 2)
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systems
 
iOS secure app development
iOS secure app developmentiOS secure app development
iOS secure app development
 
iPhone Data Protection in Depth
iPhone Data Protection in Depth iPhone Data Protection in Depth
iPhone Data Protection in Depth
 
Mobile Device Encryption Systems
Mobile Device Encryption SystemsMobile Device Encryption Systems
Mobile Device Encryption Systems
 
Ruxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration TestingRuxmon April 2014 - Introduction to iOS Penetration Testing
Ruxmon April 2014 - Introduction to iOS Penetration Testing
 
CactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and DefenseCactusCon - Practical iOS App Attack and Defense
CactusCon - Practical iOS App Attack and Defense
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
 
iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?iOS Forensics: where are we now and what are we missing?
iOS Forensics: where are we now and what are we missing?
 
Hacking and Securing iOS Applications
Hacking and Securing iOS ApplicationsHacking and Securing iOS Applications
Hacking and Securing iOS Applications
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
 
iOS Application Penetation Test
iOS Application Penetation TestiOS Application Penetation Test
iOS Application Penetation Test
 
OWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration TestingOWASP Melbourne - Introduction to iOS Application Penetration Testing
OWASP Melbourne - Introduction to iOS Application Penetration Testing
 
Hack one iot device, break them all!
Hack one iot device, break them all!Hack one iot device, break them all!
Hack one iot device, break them all!
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
 

Plus de DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobindingDefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/LinuxDefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangDefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринDefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20DefconRussia
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20DefconRussia
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхDefconRussia
 

Plus de DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Belenko, sklyarov dark and bright sides of i cloud (in)security

  • 1. Dark and Bright Sides of the iCloud (In)Security Andrey Belenko Dmitry Sklyarov Sr. Security Engineer Lead Analyst viaForensics Positive Technologies Tuesday, 20 November 12 1
  • 2. Disclaimer This work has been done in early 2012 while we have been still working for (and receiving paychecks from) Elcomsoft. Permission has been obtained prior to preparing this presentation and we are thankful to Elcomsoft for providing such permission. Elcomsoft also offers a commercial tool (based on this research) that can download iCloud backups. Tuesday, 20 November 12 2
  • 3. Motivation Mobile device forensics Tuesday, 20 November 12 3
  • 4. Motivation Devices are becoming increasingly interconnected but forensic tools are not ready for this (yet) Tuesday, 20 November 12 4
  • 5. Motivation iCloud is the natural target as it is quite big and popular Tuesday, 20 November 12 5
  • 6. Motivation So it is about iOS forensics in the first place Tuesday, 20 November 12 6
  • 7. Forensics 101 Acquisition ➜ Analysis ➜ Reporting GOALS: 1. Assuming physical access to the device extract as much information as practical 2. Leave as little traces/artifacts as practical Tuesday, 20 November 12 7
  • 8. iOS: Why Even Bother? • More than 5 years on the market • 360+ million iOS devices sold worldwide • 7 iPhones, 5 iPods, 5 iPads • “Smart devices” – they do carry a lot of sensitive data • Corporate deployments are increasing There was, is, and will be a real need for iOS forensics Tuesday, 20 November 12 8
  • 9. iOS Forensics 101 • Passcode • Prevents unauthorized access to the device • Bypassing passcode is usually enough • Keychain • System-wide storage for sensitive data • Encrypted • Disk encryption Tuesday, 20 November 12 9
  • 10. iOS Forensics 101 • Logical: iPhone Backup • “Ask” device to produce backup • Device must be unlocked (by passcode or iTunes) • Device may produce encrypted backup • Limited amount of information Tuesday, 20 November 12 10
  • 11. iOS Forensics 101 • Physical: filesystem acquisition • Boot-time exploit to run unsigned code • Device lock state isn’t relevant, can bruteforce passcode • Can get all information from the device • Physical+: flash memory acquisition • Same requirements as for physical • Also allows recovery of deleted files! Tuesday, 20 November 12 11
  • 12. iOS Data Protection Every iOS device contains secure AES engine with two embedded keys: • GID – shared by all devices of same “family” • UID – unique per device • Newer devices have additional UID+ key There are no (publicly) known ways to extract GID or UID key from the device Tuesday, 20 November 12 12
  • 13. iOS Data Protection • Content grouped by accessibility requirements: • Available only when device is unlocked • Available after first device unlock (and until power off) • Always available • Each protection class has a master key • Master keys are protected by device key and passcode • Protected master keys form system keybag • New keys created during device restore Tuesday, 20 November 12 13
  • 14. iOS 4+ Passcode • Passcode is used to compute passcode key • Computation is tied to hardware key (UID/UID+) • Same passcode will yield different passcode keys on different devices! • Passcode key is required to unlock most keys from the system keybag • Most files are protected with NSProtectionNone and don’t require a passcode • Most keychain items are protected with ...WhenUnlocked or ...AfterFirstUnlock and require a passcode Tuesday, 20 November 12 14
  • 15. iOS 4+ Passcode • Passcode-to-Key transformation is slow • Offline bruteforce currently is not possible • Requires extracting UID/UID+ key • On-device bruteforce is slow • 2 p/s on iPhone 3G, 7 p/s on iPad • System keybag contains hint on password complexity Tuesday, 20 November 12 15
  • 16. iOS 4+ Passcode Tuesday, 20 November 12 16
  • 17. iOS 5 Keychain • SQLite3 DB, all columns are encrypted • Available protection classes: • kSecAttrAccessibleWhenUnlocked (+ ...ThisDeviceOnly) • kSecAttrAccessibleAfterFirstUnlock (+ ...ThisDeviceOnly) • kSecAttrAccessibleAlways (+ ...ThisDeviceOnly) • Random key for each item, AES-GCM • Item key is protected with corresponding protection class master key 2 Class Wrapped Key Length Wrapped Key Encrypted Data (+Integrity Tag) 0 4 8 12 Tuesday, 20 November 12 17
  • 18. iOS 5 Storage • Only User partition is encrypted • Available protection classes: • NSProtectionNone • NSProtectionComplete • NSFileProtectionCompleteUntilFirstUserAuthentication • NSFileProtectionCompleteUnlessOpen • Per-file random encryption key • File key protected with master key is stored in extended attribute com.apple.system.cprotect • No protection class – partition key is used • Filesystem metadata and unprotected files • Transparent encryption and decryption (same as pre-iOS 4) Tuesday, 20 November 12 18
  • 19. iCloud • Introduced in Oct 2011 • Introduced with iOS 5 • Successor to MobileMe, .Mac, iTools • 5 GB free storage • Up to 50 GB paid storage Tuesday, 20 November 12 19
  • 20. iCloud Services Tuesday, 20 November 12 20
  • 21. iCloud Backup Tuesday, 20 November 12 21
  • 22. iCloud Backup: What ? • Messages (including iMessages) • Application data • Device settings • Camera roll (photos and videos) • Visual voicemails • Purchases (music, movies, TV, apps, books) • Home screen arrangement • Ringtones Tuesday, 20 November 12 22
  • 23. iCloud Backup : When? Backup runs daily when device is: • Connected to the Internet over Wi-Fi • Connected to a power source • Locked Can force backup • Settings - iCloud - Storage & Backup - Back Up Now Tuesday, 20 November 12 23
  • 24. iCloud Backup : How? • Can be enabled/disabled per device, at any time • iCloud Control Panel shows list of backed up devices and space/quota used (no access to data though) Tuesday, 20 November 12 24
  • 25. iCloud Backup : How? • Restore can only be done on clean device (i.e. new one or after a firmware restore) • No other ways to access/ browse/download backups in iCloud • Challenge accepted! :) Tuesday, 20 November 12 25
  • 26. Master Plan • Capture traffic while device restores from the iCloud • Deduce protocol from traffic dump(s) and some RE, if needed • Create a tool that will speak iCloud backup/restore protocol and pull data from the cloud Tuesday, 20 November 12 26
  • 27. Capturing Traffic • iCloud backup/restore happens over SSL • Need to plant CA certificate to do MITM • Trivial for backup (just install “profile”) • Not-so-trivial for restore: clean device, no usual apps (Safari, Settings) and limited UI • Yet, there are ways to do this • Tethered jailbreak and add certificate to TrustStore.sqlite3 • iPhone Configuration Utility may also help • Kiosk-mode hack/bypass on iOS anyone? :) Tuesday, 20 November 12 27
  • 28. Traffic Flow • Authenticate: send Apple ID and password, receive authentication token • Get list of devices/backups • Get OTA backup keybag • Build list of files to download • iCloud backups are incremental and 3 most recent snapshots are maintained • Download file data (encrypted and chunked, from Amazon/Microsoft clouds!) Tuesday, 20 November 12 28
  • 29. Protocol • Dynamic: endpoints depend on Apple ID • Built on Google Protocol Buffers (mostly) • Files are split into chunks • Apple provides file-to-chunks mapping, chunk encryption keys, and full request info to 3rd-party storage provider (Amazon/Microsoft) • Encryption key depends on chunk data (deduplication?) Tuesday, 20 November 12 29
  • 30. Protocol Flow /mbs/<personId> List of backups /mbs/<personId>/<backupUDID>/getKeys OTA backup keybag /mbs/<personId>/<backupUDID>/<snapshotId>/listFiles iCloud File manifest /mbs/<personId>/<backupUDID>/<snapshotId>/getFiles File auth tokens /mbs/<personId>/authorizeGet Info about containers of chunks for files (FileGroups) Request containers of chunks (FileGroups) Containers of chunks Tuesday, 20 November 12 30
  • 31. Message Definitions message  FileGroups  {    repeated  FileChecksumStorageHostChunkLists  file_groups            =  1;    repeated  FileError                                                  file_error              =  2;    repeated  FileChunkError                                        file_chunk_error  =  3;    optional  uint32                                                        verbosity_level    =  4; } message  FileChecksumStorageHostChunkLists  {    repeated  StorageHostChunkList                storage_host_chunk_list            =  1;    repeated  FileChecksumChunkReferences  file_checksum_chunk_ref_list  =  2; } message  FileChecksumChunkReferences  {    required  bytes                    file_checksum        =  1;    repeated  ChunkReference  chunk_references  =  2; } message  ChunkReference  {    required  uint64  container_index  =  1;    required  uint64  chunk_index          =  2;   } Tuesday, 20 November 12 31
  • 32. Message Definitions message  FileChecksumStorageHostChunkLists  {    repeated  StorageHostChunkList                storage_host_chunk_list            =  1;    repeated  FileChecksumChunkReferences  file_checksum_chunk_ref_list  =  2; } message  StorageHostChunkList  {    required  HostInfo    host_info                                                          =  1;    repeated  ChunkInfo  chunk_info                                                        =  2;    required  string        storage_container_key                                  =  3;    required  string        storage_container_authorization_token  =  4; } message  HostInfo  {    required  string                hostname                                      =  1;    required  uint32                port                                              =  2;    required  string                method                                          =  3;    required  string                uri                                                =  4;    required  string                transport_protocol                  =  5;    required  string                transport_protocol_version  =  6;    required  string                scheme                                          =  7;    repeated  NameValuePair  headers                                        =  8; } Tuesday, 20 November 12 32
  • 33. Message Definitions message  FileChecksumStorageHostChunkLists  {    repeated  StorageHostChunkList                storage_host_chunk_list            =  1;    repeated  FileChecksumChunkReferences  file_checksum_chunk_ref_list  =  2; } message  StorageHostChunkList  {    required  HostInfo    host_info                                                          =  1;    repeated  ChunkInfo  chunk_info                                                        =  2;    required  string        storage_container_key                                  =  3;    required  string        storage_container_authorization_token  =  4; } message  ChunkInfo  {    required  bytes    chunk_checksum              =  1;    optional  bytes    chunk_encryption_key  =  2;    required  uint32  chunk_length                  =  3; } Tuesday, 20 November 12 33
  • 34. Encryption • Data stored at 3rd-party storage providers is encrypted • Apple has encryption keys to that data • Few files are further encrypted using keys from OTA backup keybag • Probably files encrypted by Data Protection • Keychain items are encrypted using keys from OTA backup keybag • Need key 0x835 (securityd) to decrypt most keys from OTA backup keybag Tuesday, 20 November 12 34
  • 35. Encryption Apple ID + Password or Key 0x835 AuthToken Files + – Files encrypted by + + Data Protection Keychain Records + + Tuesday, 20 November 12 35
  • 36. Key 0x835 • Device-specific key, computed from unique hardware-embedded key (UID) at startup • Apple can have a list of those keys • Apple claims not to store UID key but it’s not clear whether they store keys derived from it • Few things that are encrypted in iCloud backups are encrypted using key 0x835 Tuesday, 20 November 12 36
  • 37. Summary • There is no user-configurable encryption for iCloud backups • iCloud backups are stored in Microsoft and Amazon clouds in encrypted form • Apple holds encryption keys and thus have access to data in iCloud backups • If Apple stores 0x835 keys then it can also have access to Keychain data (i.e. passwords) • Apple may have legal obligations to do this (LE, USG, etc) Tuesday, 20 November 12 37
  • 38. Conclusions There is no privacy or confidentiality (not exactly news, go ask ex-CIA director if you don’t believe us) Tuesday, 20 November 12 38
  • 39. Thank You! Questions? Tuesday, 20 November 12 39
  • 40. Dark and Bright Sides of the iCloud (In)Security Andrey Belenko Dmitry Sklyarov Sr. Security Engineer Lead Analyst viaForensics Positive Technologies Tuesday, 20 November 12 40