Preservation and Acquisition of a Locked iPhone Using Access Point Name Hijacking to Back up to iCloud [D8E-3E1]
Christine Utz, Marcus Thompson
Contemporary mobile devices such as smartphones, tablets, and smartwatches bundle an unprecedented amount of user data that can provide very detailed insights into the device owner’s personal life. Recent years have thus seen an increasing demand for security features in mobile operating systems to protect the sensitive user data stored on the device, ranging from full-disk encryption to cloud-based services that allow for remotely locking or even erasing the device in case it is lost or stolen. These features also make forensic examinations in criminal investigations more difficult. While it is still possible to create a bit-wise copy of an encrypted device’s memory, the acquired data is useless to the examiner because it remains encrypted. In early 2016, this caused a prolonged debate between Apple and the FBI when an iPhone 5c belonging to one of the perpetrators of the San Bernardino shooting was found in a locked state and no method to acquire the data from the device could initially be found. When the FBI sought to legally force Apple to provide an iOS backdoor to circumvent the mechanism that prevents password brute-forcing, one of the alternatives discussed to obtain the data from the device was to trigger the device to automatically perform a backup to iCloud. In the San Bernardino case, this idea was not pursued further because the iCloud account credentials had been changed in the meantime. This paper investigates whether an automatic backup to iCloud can be initiated on a locked iPhone.