Research on iPhone Forensic Method Based on Checkm8 Vulnerability

doi:10.3969/j.issn.1671-1122.2021.12.007

Abstract

Abstract:

The Checkm8 vulnerability is a hardware vulnerability based on the device firmware upgrade(DFU) mode of the iPhone firmware. This paper proposed a method of using Checkm8 vulnerability to bypass password verification to extract iPhone data, and demonstrated the exploitation of the vulnerability, digital data mining and extraction, data decryption analysis and evidence display. At the same time, the heap vulnerabilities were utilized to upgrade the highest authority, obtain the authority of port communication and transmission on the iPhone in the locked state, which could solve the problem of data extraction in the absence of passwords. This method has high practical value for forensic science.

Key words: digital forensics, iPhone, Checkm8 vulnerability, lockdown password

CLC Number:

TP309

CHEN Guangxuan, WU Jiajian, CAO Danni, XIE Qingquan. Research on iPhone Forensic Method Based on Checkm8 Vulnerability[J]. Netinfo Security, 2021, 21(12): 44-50.

Figures/Tables 9

References 18

[1]	SPAULDING J, KRAUSS A, SRINIVASAN A. Exploring an Open WiFi Detection Vulnerability as A Malware Attack Vector on iOS Devices[C]// IEEE. 7th International Conference on Malicious and Unwanted Software, October 16-18, 2012, Fajardo, PR, USA. New Jersey: IEEE, 2012: 87-93.
[2]	CHRISTIAN C J D, CHOO K, YANG L Y. Data Exfiltration from Internet of Things Devices: IOS Devices as Case Studies[J]. IEEE Internet of Things Journal, 2016, 4(2):524-535. doi: 10.1109/JIOT.2016.2569094 URL
[3]	CHRISTIAN D O, CHOO K. A Generic Process to Identify Vulnerabilities and Design Weaknesses in iOS Healthcare Apps[C]// IEEE. 48th Annual Hawaii International Conference on System Sciences(HICSS), January 5-8, 2015, Kauai, Hawaii State, USA. New Jersey: IEEE, 2015: 5175-5184.
[4]	LIN Chunhan, YU Fang, JIANG J H R, et al. Static Detection of API Call Vulnerabilities in iOS Executables[C]// IEEE. 40th ACM/IEEE International Conference on Software Engineering(ICSE), May 27-June 3, 2018, Gothenburg, Sweden. New Jersey: IEEE, 2018: 394-395.
[5]	Sxi0mx. EPIC JAILBREAK: Introducing Checkm8[EB/OL]. https://twitter.com/axi0mX/status/1177542201670168576, 2019-09-28.
[6]	TAMMA R, MAHALIK H, SKULKIN O, et al. Practical Mobile Forensics: A Hands-on Guide to Mastering Mobile Forensics for the iOS, Android, and Windows Phone platforms[M]. Birmingham: Packt Publishing, 2018.
[7]	Apple. Glossary[EB/OL]. https://support.apple.com/en-gb/guide/security/sec93292bfa6/web, 2021-09-14.
[8]	GARG S, BALIYAN N. Comparative Analysis of Android and iOS from Security Viewpoint[EB/OL]. https://doi.org/10.1016/j.cosrev.2021.100372, 2021-08-11.
[9]	GUNNAR A, STEFAN A, GEIR O D. Chip Chop-smashing the Mobile Phone Secure Chip for Fun and Digital Forensics[EB/OL]. https://doi.org/10.1016/j.fsidi.2021.301191, 2021-04-14.
[10]	IEEE. 1619-2007-IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices[EB/OL]. https://ieeexplore.ieee.org/document/4493450, 2008-03-04.
[11]	DING Liping, LIU Xuehua, CHEN Guangxuan, et al. Overview of Digital Forensics Technologies of RAM in Android Devices[J]. Netinfo Security, 2019, 19(2):10-17.
	丁丽萍, 刘雪花, 陈光宣, 等. Android 智能手机动态内存取证技术综述[J]. 信息网络安全, 2019, 19(2):10-17.
[12]	KIPERBERG M, LEON R, RESH A, et al. Hypervisor-assisted Atomic Memory Acquisition in Modern Systems[C]// IEEE. 5th International Conference on Information Systems Security and Privacy(ICISSP), February 23-25, 2019, Prague, Czech Republic. New Jersey: IEEE, 2019: 155-162.
[13]	LIU Pengfei. The Analyses and Prevention of Attact Methods of iOS Applications[D]. Chengdu: University of Electronic Science and Technology of China, 2014.
	刘朋飞. iOS应用程序的攻击手段分析及防护[D]. 成都:电子科技大学, 2014.
[14]	XU Xin, ZHANG Songnian, HU Jianwei. Research on ASLR Bypass Technology Based on Arbitrary Function Address[J]. Netinfo Securtiy, 2016, 16(7):47-52.
	徐鑫, 张松年, 胡建伟. 基于任意函数地址的ASLR绕过技术研究[J]. 信息网络安全, 2016, 16(7):47-52.
[15]	GAO Qiang. A First Look at the Encryption Techniques Commonly Used in iOS Development[J]. Computer Knowledge and Technology, 2021, 17(10):51-53.
	高强. iOS开发过程中常用的加密技术初探[J]. 电脑知识与技术, 2021, 17(10):51-53.
[16]	DEMPSEY P. The Teardown-apple iPhone X[J]. Engineering & Technology, 2018, 1(13):80-81.
[17]	KO H J, HUANG Chengta, ZHUANG Zhiwei. et al. Cloud Evidence Tracks of Storage Service Linking with iOS Systems[J]. Journal of Supercomputing, 2021, 77(1):77-94. doi: 10.1007/s11227-020-03255-5 URL
[18]	LIU Feng, LIU Kesheng, CHANG Chao, et al. Research on the Technology of iOS Jailbreak[C]// IEEE. 6th International Conference on Instrumentation and Measurement, Computer, Communication and Control(IMCCC), July 21-23, 2016, Harbin, China. New Jersey: IEEE, 2016: 644-647.

序号	数据保护方法	说明
1	密码保护机制	包括数字字母密码、指纹密码、脸部认证
2	沙箱运行模式	限制应用访问其他资源
3	文件系统加密	使用硬件密钥进行加密
4	数据保护机制	使用强密钥二次加密,防止设备锁定时的数据访问
5	内存地址空间布局随机化	随机化对象在内存中的位置
6	权限控制	用户只能使用低权限进行操作
7	栈保护	防止栈溢出攻击
8	数据执行限制	通过区分代码和数据减少攻击
9	数据擦除	通过数据加密密钥的擦除完成
10	激活锁	调用高权限的身份认证
11	安全启动链	基于机器公钥的设备启动机制

	检材信息		提取信息
	iPhone 5s	iPhone SE	Linux	MacOS X
系统版本	iOS 12.4	iOS 14.2	Ubuntu 20.04	MacOS 10.16
checkra1n版本	/	/	0.9.7	0.12.2
libimobiledevice	/	/	apt-get安装	brew安装
SSH工具	/	/	SSHPASS	usbmuxd
提取前状态	未越狱	未越狱	root	root
root密码	alpine	alpine	用户自定义	用户自定义
芯片信息	A7	A9	Inter i7-9750H	Inter Core i5
内存信息	2 GB	2 GB	32 GB	8 GB

内容	iPhone SE检材结果	iPhone 5s检材结果
Chip UniqueID	7105110176120	6276159644976
BasebandCertld	3840149528	3554301762
UniqueDevicelD	f69aad5a72222285e50cd64cb9860cfc6b88c904	9006aa682a8f1e59829e6985df4a0d8d54047b20
WiFiAddress	98:9e:63:51:db:d7	24:e3:14:36:b3:29
系统版本	14.2	12.4
设备名称	测试机	iPhone
提取速度	4375.1 kbps	4643 kbps