By Renato Marinho, Morphus Labs
Despite Apple's efforts to turn a lost or stolen iPhone into a simple paperweight, we continue to see reports of these devices being unlocked without the consent of their rightful owners.
Since getting past the passcode and fingerprint protection of an iPhone by force is practically impossible, criminals have turned to alternative routes and social engineering techniques to achieve the same result, often with minimal effort.
While handling an incident involving the theft of an iPhone, Morphus Labs came across one of these alternative techniques, which may be claiming many victims. In this article we share the details of the case and some simple measures that can be taken to avoid even more serious consequences.
An iPhone 6s protected by a six-digit passcode and fingerprint was stolen a week ago. Shortly after the theft, the victim noticed that criminals had reset the passwords of some of her online services, including iCloud (Apple ID) and Gmail. They even tried to impersonate her to reset the password for her bank account. All of this happened within a short period after the theft.
But how did the criminals manage to reset her iCloud and Gmail passwords starting from a locked device? To better understand the scenario, we collected some information from the victim:
Q: Was this a targeted attack, that is, was the thief after this iPhone specifically? Could the thief have previously obtained the victim's credentials through a phishing email or something similar?
A: Probably not. Based on the information we collected, the iPhone was the last item the thief demanded from the victim during the approach.
Q: Was any document with information about the victim also stolen? This matters for understanding whether the thief knew the victim's name or email address.
A: No. No identity document or anything similar was stolen. All they took was the locked iPhone and a sum of money.
Q: How long did it take before the victim blocked the iPhone and the SIM card?
A: Approximately 2 hours after the theft.
Q: Was the iPhone passcode easy to guess?
A: No. The six-digit passcode was not easy to guess and had nothing to do with the victim's license plate or other information the thief might have had.
Faced with this puzzling scenario, we decided to dig into the situation to better understand how it all happened.
Through conversations with the victim and access to the change logs of her Apple and Google accounts, we established the following timeline of events:
- 14:00 – The theft occurred;
- 16:03 – The victim activated "Lost Mode" and requested, through iCloud, that the data on the iPhone be erased;
- 16:28 – The victim's Gmail account password was changed;
- 16:37 – An email arrived at the victim's Gmail account with a link to reset her Apple ID password;
- 16:38 – A new email arrived informing that the Apple ID password had been changed;
- 16:43 – A new email arrived saying that the iPhone had been located;
- 16:43 – A last email arrived saying that the iPhone had been erased.
The criminals' actions began only at 16:28, when they changed the victim's Gmail password, followed at 16:37 and 16:38 by the reset of her Apple ID password.
We know that Apple introduced a feature called Activation Lock a few years ago to deter iPhone theft. In short, it ties an iPhone (as well as iPads, iPod touch and Apple Watch) to an iCloud account, so that the device cannot be activated without those credentials. Thus, when an iPhone is stolen, the criminal needs the victim's iCloud credentials in order to reset and reuse the device; no wonder some muggers even demand the iCloud password from the victim.
We also know that Apple allows users to register an alternative email address in their iCloud account for the purpose of recovering the account password. The victim told us that the recovery email address for her iCloud account was exactly the Gmail account that was compromised at 16:28.
Everything therefore suggested that, from the victim's Gmail account, it was possible to reset the iCloud password and then unlock the iPhone. But how was the Gmail password compromised?
In order to reset the victim's Gmail password, the criminal would first need to know the email address itself. We did some analysis and found that Google's account recovery lets you retrieve a specific email address from a person's phone number, first name and last name. Since the phone number could be discovered easily in this incident, obtaining the first and last name did not seem to be a very difficult task.
We then decided to simulate the scenario from the criminal's point of view. The victim bought another iPhone 6s, configured it exactly like the previous one and kindly lent it to us for this analysis. Our scenario was thus as close as possible to the real one; we even used the same Google and Apple accounts.
Finding out the victim's phone number
Obtaining the iPhone's phone number was trivial. We simply removed the SIM card from the device (Apple has not invented a lock for that yet) and inserted it into another phone. As the SIM card was not PIN-protected, it was easy to identify the phone number.
Finding the first and last name
OK, the number was easy. Now we needed the victim's first and last name. We initially searched the internet using the phone number, but nothing useful came back. Then we searched social networks. Facebook allows you to search for a profile by the phone number the person registered with, but again to no avail.
Of course, there may be other ways to find a person's name from their mobile number, but we decided to persist with the strategy of extracting this information from the iPhone we had in hand.
I then remembered that when you are in a WhatsApp group and receive a message from someone who is not in your contact list, their profile name appears right after the phone number (for example: 99999-9999 ~ Mike Arnold). So, if it were possible to send a message from the locked iPhone to a WhatsApp group, we could obtain the name associated with that profile. Let's try it!
First, we confirmed that the iPhone was configured to show WhatsApp notifications on the lock screen by sending it a single message. The message was displayed as expected. The next step was to try to reply to that message from the locked iPhone. Using 3D Touch, we were able to reply without difficulty. Note that 3D Touch is not required for this; earlier models allow replying from the lock screen through other gestures.
With the initial validations complete, it was time to try the group-message approach. We created a group and added the contact associated with the locked iPhone. Since WhatsApp does not ask a user to confirm joining a new group, a new message appeared on the iPhone's lock screen informing that the contact had been added to the group.
Because the phone that created the group had to have a contact saved for the iPhone's number, it would display that saved contact name rather than the profile name. We therefore added a third participant who had no contact entry for that number.
Everything was now ready. We sent a message from one of the group participants and, as expected, it appeared on the iPhone's lock screen. We replied from the locked iPhone and, again as expected, the message received by the third participant was tagged with the first and last name from the iPhone's WhatsApp profile.
All that remained was to use the newly discovered phone number, first name and last name to obtain the email address through Google's account recovery form. We submitted the information and, after one more verification by SMS, the site returned the email address associated with the iPhone's number. Step completed!
Changing the Gmail password
This step was very simple. Using Gmail's "Forgot password" option, Google offered to recover the account through an SMS confirmation. We proceeded, received the SMS code (which, once again, could be read from the iPhone's lock screen) and reset the password.
Changing the iCloud password
Now it was time to use the "Forgot password" option on Apple's website. As expected, the site reported that it had just sent a password reset email to the Gmail address, and the rest of this paragraph is easy to guess. We successfully changed the password for the Apple ID of the locked iPhone's owner.
Unlocking the new iPhone
Following the facts of the real incident, it was time to simulate the lock and erase commands on the iPhone we were using. We issued them from iCloud, and the iPhone was locked and erased.
I would bet that, in the real scenario, these actions actually helped the criminal gain access to the iPhone: after the erase, Activation Lock makes the iPhone ask for the Apple ID and password previously associated with the device. With those credentials in hand, it was easy to activate and configure the "new" iPhone.
Of course, we may have followed a different path from the criminals, but the result was the same: the iPhone was successfully unlocked.
However, achieving this result depended on some preconditions, which we treat here as weaknesses that all of us should avoid.
VIEWING NOTIFICATIONS WITH PHONE LOCKED
Allowing your smartphone to show notifications while locked is a great convenience, but at the same time it poses a serious risk to your security and privacy.
As our experiment showed, this feature allowed us to read SMS and WhatsApp messages and, worse, reply to them without unlocking the device.
We strongly recommend disabling the display of notifications on the lock screen. Depending on your platform (iOS or Android) and the application itself, there are different ways to configure this.
THE SIM CARD
This episode reminded us how important it is to protect the SIM card, that is, the carrier's chip. We all take care to lock our smartphones with a strong passcode, fingerprint authentication, an encrypted file system and so on, but we sometimes forget how important it is to protect the SIM card as well.
As we saw in our experiments, SMS plays a very important role today in validating transactions and authenticating to services. In this case it was used to receive Google's password-reset code, but it could just as well be used to authenticate many kinds of transactions.
A very similar path was used in the hijacking of an internet domain a week ago. By gaining access to the Gmail account associated with the organization's account at its DNS provider, the criminals redirected all of the victim's addresses to sites hosting malicious code. The details of that incident can be seen here.
Therefore, we recommend that you set a PIN on your SIM card. This considerably reduces the risk of your information being compromised if your phone is lost or stolen.
Depending on your smartphone, the way to set the SIM PIN varies. We recommend contacting your carrier for assistance with this procedure. Do not keep the default PIN the carrier ships the card with; choose your own. Remember that, once the SIM PIN is set, you will have to enter it every time you restart your smartphone.
TWO-FACTOR AUTHENTICATION
Last but not least, please enable two-factor authentication on your internet accounts right now!
Two-factor authentication means that you must provide at least two different kinds of evidence to prove your identity to the system you are using. The factors can be: something you know, such as a password; something you have, such as a hardware or software token; and something you are, such as your fingerprint.
Nowadays, almost all internet services (such as email and social networks) offer two-factor authentication, normally a password plus a one-time token. SMS delivery of the second factor is an option, but as we have seen, SMS is fragile. Prefer an authenticator application, such as Google Authenticator, which generates a different token for each authentication.
This will greatly reduce the risk of unauthorized access to your accounts. Had the victim of this incident been using two-factor authentication, the SMS code alone would not have been enough to reset her password. Note, however, that if the second factor is itself an SMS sent to the stolen phone's number, the thief holding the SIM card receives it too; this is another reason to prefer an authenticator app.
For more information about Apple's two-factor authentication, visit this page.
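As an added illustration of what an authenticator app actually does (this code is not from the original article or from Morphus Labs), the following Python implements HOTP (RFC 4226) and TOTP (RFC 6238), the algorithms behind apps such as Google Authenticator, together with the check a service should perform on the server side. The shared secret used in the demo is the reference test key from the RFCs; the base32 decoder assumes the otpauth-style secret format most apps scan from a QR code. Because the token is derived from a secret shared only between the app and the service at enrollment, there is nothing for a thief holding the SIM card to intercept, unlike an SMS code.

```python
"""HOTP (RFC 4226) / TOTP (RFC 6238) as used by authenticator apps. Added example."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed shared secret: the ASCII test key from RFC 4226 / RFC 6238 Appendix B.
# Real apps receive the secret base32-encoded inside an otpauth:// QR code.
RFC_TEST_SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret from an otpauth URI (apps often omit the '=' padding)."""
    encoded = encoded.strip().replace(" ", "").upper()
    encoded += "=" * (-len(encoded) % 8)
    return base64.b32decode(encoded)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Server-side verification. Returns the matched counter, or None on failure.

    - hmac.compare_digest gives a constant-time comparison;
    - `window` also accepts the adjacent time steps, tolerating clock skew;
    - any counter <= last_counter is refused, so an intercepted code cannot be replayed.
    """
    if len(code) != digits or not code.isdigit():
        return None
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # Reference values from RFC 6238 Appendix B (SHA-1, 8 digits, 30 s step).
    for t, expected in [(59, "94287082"), (1111111109, "07081804"), (1234567890, "89005924")]:
        assert totp(RFC_TEST_SECRET, t, digits=8) == expected
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current 6-digit TOTP:", code)
    print("verifies:", verify_totp(RFC_TEST_SECRET, code, now) is not None)
    print("replay rejected:",
          verify_totp(RFC_TEST_SECRET, code, now, last_counter=now // 30) is None)
```

`verify_totp` returns the counter it matched so the service can persist it and refuse any code from that step or earlier; the one-step window on either side absorbs typical clock drift between phone and server without widening the guessing space much.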
Given the short interval between the theft and the unauthorized access to the accounts, we believe this strategy is common practice for unlocking lost or stolen devices.
In this article we presented one strategy used to unlock lost or stolen iPhones. Another very common one relies on phishing emails: an email impersonating Apple is sent to the owner of the stolen iPhone stating that the device has been found. The email contains a link to a website very similar to iCloud, where the criminals collect the victim's credentials and then unlock the iPhone from iCloud.
Regardless of the direct financial loss of the device itself, this case prompts an important reflection. Would it be an exaggeration to compare an unlocked SIM card to an important password that you carry around every day, in plain text, right next to your smartphone?
Renato Marinho (@renato_marinho) is a researcher at Morphus Labs, a laboratory for advanced studies in information security, and a director at Morphus. He has more than 15 years of hands-on experience in the field and holds certifications such as CISSP, CRISC and PMP. He has a master's degree in computing and shares his knowledge teaching computer forensics in the postgraduate information security program at the University of Fortaleza and speaking at national and international events, including Security BSides, Mind The Sec, Security Leaders, the Brazilian CSIRTs Forum, GTER/GTS, WSKS Portugal and ISC2 Latin America.