LAPD cracks iPhone 5S in murder case, but it probably wasn't encrypted

Posted in iPhone, edited May 2016
An iPhone 5S being held as evidence in the investigation of a 2014 murder has reportedly been unlocked by the Los Angeles Police Department, though the timing of the crime suggests that the phone in question may not have been protected by encryption.




Detectives seized the phone shortly after the murder of April Jace, late wife of actor Michael Jace, according to court records reviewed by the Los Angeles Times. While the phone has been in the LAPD's possession since 2014, they were only recently able to access its contents.

Standing in their way was the phone's passcode, making for a circumstance similar to the now-infamous San Bernardino case.

However, the iPhone 5S used by the victim has been in police possession since before iOS 8 -- with stronger encryption enabled by default -- was released. This means the device in question was running iOS 7, which did not ship with strong, system-wide encryption enabled and left many portions of the system open to recovery.

As a result, it's likely that the phone was not protected by anything more substantial than the passcode lock.

The LAPD notes in its court filings only that it contracted a "forensic cellphone expert" who could "override the locked iPhone function." The warrant was issued without going into further detail, though a number of methods for bypassing the passcode lock on various iOS devices -- many revolving around the iPhone's power circuitry -- have been detailed in recent years.

Comments

  • Reply 1 of 19
    Rosyna Posts: 87 member
    "This means the device in question was running iOS 7, which did not ship with encryption enabled."

    Encryption has been mandatory, non-optional since the iPhone 3GS and iOS 3.

    In iOS 7, all third party app data was encrypted with a key derived from the passcode. As was email. Here's a quick primer on iOS encryption: http://www.darthnull.org/2014/10/06/ios-encryption

    What's far more likely was that they used a brute force method that exploited a bug only fixed in iOS 8.1.1. The IP-BOX is an example of a third party device that does this cheaply. http://www.teeltech.com/mobile-device-forensic-tools/ip-box-iphone-password-unlock-tool/
  • Reply 2 of 19
    gatorguy Posts: 22,826 member
    Yeah, I think the article author was momentarily confused. AFAICS both iOS data and that from 3rd party apps was encrypted by default in iOS7.  What the author perhaps had intended to point out was that unless you used a passcode there would be no encryption (which changed with iOS8 didn't it?). Without a passcode tho it seems the LAPD could have accessed that phone long ago. 
    edited May 2016
  • Reply 3 of 19
    foggyhill Posts: 4,767 member
    Don't get what they're saying, if there is a passcode and it's a 5s, it's encrypted.

    They may have used whatever unpatched exploits to brute force the passcode though, though even that would not have worked if someone had touchID (to make more likely to use a long passcode) and actually used an 8 alpha character passcode.
  • Reply 4 of 19
    Rosyna Posts: 87 member
    gatorguy said:
    Yeah, I think the article author was momentarily confused. AFAICS both iOS data and that from 3rd party apps was encrypted by default in iOS7.  What the author perhaps had intended to point out was that unless you used a passcode there would be no encryption (which changed with iOS8 didn't it?). Without a passcode tho it seems the LAPD could have accessed that phone long ago. 
    It is always encrypted. This encryption is non-optional. If there is a passcode set, then the master decryption key for that protection class of data is encrypted with a key derived from the passcode. If there is no passcode set, the key is only encrypted with a key derived from the UID and GID.

    This "double encryption" is used so users can easily change the passcode without having to re-encrypt all user data. It's also so employers that provide iPhones to employees can use MDM to get a backdoor decryption token without needing to know the user's passcode.

    FileVault2 on Mac OS X also uses this double encryption method to support multiple users and recovery keys.
    edited May 2016
  • Reply 5 of 19
    dick applebaum Posts: 12,527 member

    I assume the LA police had the body in the morgue ... if the iPhone used TouchID ...   

  • Reply 6 of 19
    gatorguy Posts: 22,826 member
    Rosyna said:
    gatorguy said:
    Yeah, I think the article author was momentarily confused. AFAICS both iOS data and that from 3rd party apps was encrypted by default in iOS7.  What the author perhaps had intended to point out was that unless you used a passcode there would be no encryption (which changed with iOS8 didn't it?). Without a passcode tho it seems the LAPD could have accessed that phone long ago. 
    It is always encrypted. This encryption is non-optional. If there is a passcode set, then the master decryption key for that protection class of data is encrypted with a key derived from the passcode. If there is no passcode set, the key is only encrypted with a key derived from the UID and GID.

    This "double encryption" is used so users can easily change the passcode without having to re-encrypt all user data. It's also so employers that provide iPhones to employees can use MDM to get a backdoor decryption token without needing to know the user's passcode.

    FileVault2 on Mac OS X also uses this double encryption method to support multiple users and recovery keys.
    Thanks, I did not know that. A good detailed (and quite polite!) explanation.
  • Reply 7 of 19
    Rosyna Posts: 87 member

    I assume the LA police had the body in the morgue ... if the iPhone used TouchID ...   

    As it has been far more than 48 hours, that isn't possible. Furthermore, the source article says the device had been turned off, which also makes it impossible to use TouchID.
  • Reply 8 of 19
    gatorguy Posts: 22,826 member

    I assume the LA police had the body in the morgue ... if the iPhone used TouchID ...   

    Still in the morgue? Gosh I would hope not! LOL
  • Reply 9 of 19
    ppietra Posts: 242 member
    Rosyna said:
    "This means the device in question was running iOS 7, which did not ship with encryption enabled."

    Encryption has been mandatory, non-optional since the iPhone 3GS and iOS 3.

    In iOS 7, all third party app data was encrypted with a key derived from the passcode. As was email. Here's a quick primer on iOS encryption: http://www.darthnull.org/2014/10/06/ios-encryption

    What's far more likely was that they used a brute force method that exploited a bug only fixed in iOS 8.1.1. The IP-BOX is an example of a third party device that does this cheaply. http://www.teeltech.com/mobile-device-forensic-tools/ip-box-iphone-password-unlock-tool/
    Only with iOS 8 did all user data become encrypted with a key derived from the passcode. In iOS7 many of the in-built iOS apps, like Messages, didn’t follow such policy, and since the investigation wanted to look at messages... 
  • Reply 10 of 19
    Rosyna Posts: 87 member
    gatorguy said:
    Rosyna said:
    It is always encrypted. This encryption is non-optional. If there is a passcode set, then the master decryption key for that protection class of data is encrypted with a key derived from the passcode. If there is no passcode set, the key is only encrypted with a key derived from the UID and GID.

    This "double encryption" is used so users can easily change the passcode without having to re-encrypt all user data. It's also so employers that provide iPhones to employees can use MDM to get a backdoor decryption token without needing to know the user's passcode.

    FileVault2 on Mac OS X also uses this double encryption method to support multiple users and recovery keys.
    Thanks, I did not know that. A good detailed (and quite polite!) explanation.
    I absolutely love the idea of double encryption because it also means the real master decryption key can be securely generated, without depending on the strength of the user's passcode. It's why directly brute forcing decryption on the NAND of iOS devices isn't possible. It has to be done on device.
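
The key wrapping described in replies 4 and 10, as an added example that is not part of the original thread and not Apple's code: a random master key protects the data, and only that key is wrapped under a key derived from the passcode and a per-device secret. PBKDF2 and the HMAC-based toy cipher are assumed stand-ins for the real primitives, and every function name here is hypothetical.

```python
import hashlib, hmac, os

def derive_kek(passcode: str, device_uid: bytes) -> bytes:
    """Key-encryption key: the passcode entangled with a per-device secret."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid, 50_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (HMAC keystream plus HMAC tag), a stand-in for AES."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def change_passcode(wrapped: bytes, old: str, new: str, uid: bytes) -> bytes:
    """Re-wrap only the 32-byte master key; the bulk data is never re-encrypted."""
    return seal(derive_kek(new, uid), unseal(derive_kek(old, uid), wrapped))

def can_unlock(wrapped: bytes, passcode: str, uid: bytes) -> bool:
    try:
        unseal(derive_kek(passcode, uid), wrapped)
        return True
    except ValueError:
        return False

def demo() -> dict:
    uid = os.urandom(32)      # constructed stand-in for the hardware UID
    master = os.urandom(32)   # random, so its strength does not depend on the passcode
    wrapped = seal(derive_kek("1234", uid), master)
    data = seal(master, b"constructed sample app data")
    rewrapped = change_passcode(wrapped, "1234", "a-longer-passcode", uid)
    recovered = unseal(unseal(derive_kek("a-longer-passcode", uid), rewrapped), data)
    return {
        "data_readable_after_change": recovered == b"constructed sample app data",
        "old_passcode_rejected": not can_unlock(rewrapped, "1234", uid),
        # Correct passcode, wrong UID: the situation of guessing against a copied image.
        "off_device_guess_rejected": not can_unlock(rewrapped, "a-longer-passcode", os.urandom(32)),
    }

if __name__ == "__main__":
    print(demo())
```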
  • Reply 11 of 19
    Rosyna Posts: 87 member
    ppietra said:
    Rosyna said:
    "This means the device in question was running iOS 7, which did not ship with encryption enabled."

    Encryption has been mandatory, non-optional since the iPhone 3GS and iOS 3.

    In iOS 7, all third party app data was encrypted with a key derived from the passcode. As was email. Here's a quick primer on iOS encryption: http://www.darthnull.org/2014/10/06/ios-encryption

    What's far more likely was that they used a brute force method that exploited a bug only fixed in iOS 8.1.1. The IP-BOX is an example of a third party device that does this cheaply. http://www.teeltech.com/mobile-device-forensic-tools/ip-box-iphone-password-unlock-tool/
    Only with iOS 8 did all user data become encrypted with a key derived from the passcode. In iOS7 many of the in-built iOS apps, like Messages, didn’t follow such policy, and since the investigation wanted to look at messages... 
    As the encryption primer said, the only stuff not encrypted with a passcode derived key in iOS 7 were things in Apple apps like Contacts, Photos, Messages.

    However, you don't need access to the device to get any of that data. Photos are available by subpoenaing Apple for iCloud data (Photostream). Contacts are available via either iCloud or the cell phone carrier. Messages can be retrieved via cell carrier (SMS). And sending a subpoena to Apple can tell LEOs of all users a person contacted with iMessage (even if it won't contain the text) due to the nature of public key cryptography.

    And for Contacts and Photos, numerous lock screen bypasses existed in iOS 7 and 8 that permitted access to both.
    edited May 2016
  • Reply 12 of 19
    ppietra Posts: 242 member
    Rosyna said:
    ppietra said:
    Only with iOS 8 did all user data become encrypted with a key derived from the passcode. In iOS7 many of the in-built iOS apps, like Messages, didn’t follow such policy, and since the investigation wanted to look at messages... 
    As the encryption primer said, the only stuff not encrypted with a passcode derived key in iOS 7 were things in Apple apps like Contacts, Photos, Messages.

    However, you don't need access to the device to get any of that data. Photos are available by subpoenaing Apple for iCloud data (Photostream). Contacts are available via either iCloud or the cell phone carrier. Messages can be retrieved via cell carrier (SMS). And sending a subpoena to Apple can tell LEOs of all users a person contacted with iMessage (even if it won't contain the text) due to the nature of public key cryptography.

    And for Contacts and Photos, numerous lock screen bypasses existed in iOS 7 and 8 that permitted access to both.
    Messages includes everything in iMessage not just SMS. That is what they were looking for in this investigation, so no "passcode" encryption involved, its data is automatically decrypted and only protected by the lock screen.
    As for contacts, photos, etc., that is not very relevant to this case, but I would say that your assumptions would prove false in many situations, since not everyone uses iCloud that way, nor are contacts just phone numbers.
  • Reply 13 of 19
    Rosyna Posts: 87 member
    ppietra said:
    Rosyna said:
    As the encryption primer said, the only stuff not encrypted with a passcode derived key in iOS 7 were things in Apple apps like Contacts, Photos, Messages.

    However, you don't need access to the device to get any of that data. Photos are available by subpoenaing Apple for iCloud data (Photostream). Contacts are available via either iCloud or the cell phone carrier. Messages can be retrieved via cell carrier (SMS). And sending a subpoena to Apple can tell LEOs of all users a person contacted with iMessage (even if it won't contain the text) due to the nature of public key cryptography.

    And for Contacts and Photos, numerous lock screen bypasses existed in iOS 7 and 8 that permitted access to both.
    Messages includes everything in iMessage not just SMS. That is what they were looking for in this investigation, so no "passcode" encryption involved, its data is automatically decrypted and only protected by the lock screen.
    As for contacts, photos, etc., that is not very relevant to this case, but I would say that your assumptions would prove false in many situations, since not everyone uses iCloud that way, nor are contacts just phone numbers.
    And as I said, LEOs can get the names of the people contacted over iMessage easily, so they weren't looking for that.
  • Reply 14 of 19
    NemWan Posts: 118 member

    I assume the LA police had the body in the morgue ... if the iPhone used TouchID ...   

    Others mentioned the time limit. Touch ID also won't work directly with a dead finger due to the lack of electrical charge. The corpse could be used as the source of prints to make fake fingers that would fool the sensor, causing additional delay that would have to be finished within the 48 hour window.
  • Reply 15 of 19
    bobborries Posts: 151 member
    Like my gun you can only get my iPhone from my cold dead fingers, then you can use TouchID to open it.
  • Reply 16 of 19
    I forget. But I think all photos on an iPhone running iOS 7 were available to any computer because they were in the dcim folder. Just as you expect them to be using a digital camera. I think if the phone was unlocked any computer could browse dcim as an external drive, no iCloud needed.

    When iOS 8 came out the dcim folder feature was disabled. Now if you are running Windows and you see a dcim folder in Explorer, it's only there because you have iTunes installed. On an iPhone running iOS 8 and a Windows computer without iTunes installed, all the photos stay on the iPhone because you can't browse it with Explorer.


  • Reply 17 of 19
    Also I recall any data on the iPhone running iOS 7 were able to be retrieved by Apple. iOS 8 randomized the key making apple unable to access the iPhone. 
  • Reply 18 of 19
    themacman Posts: 151 member
    This and the SB iPhone were accessed through iTunes and a vulnerability that's a year old that affects the way iTunes updates iPhone. Neither case had nothing to do with passkey or Touch ID or the secure enclave.
  • Reply 19 of 19
    Rosyna Posts: 87 member
    Also I recall any data on the iPhone running iOS 7 were able to be retrieved by Apple. iOS 8 randomized the key making apple unable to access the iPhone. 
    No, the case was that in iOS 7, Apple signed software could bypass the "Trust this Computer" dialog. This allowed Apple to get encrypted data that wasn't encrypted with the passcode (so this meant it could only get Photos, Contacts, Messages, all of which can be grabbed via alternative methods).

    But it still didn't permit access to the most important data, third party app data, as it was encrypted with a passcode derived key.

    In iOS 8, Apple Signed software can no longer bypass the "Trust this computer" dialog.