Private Photo Vault keeps your photos and videos safe by requiring a password to view them.

It’s been a while since I posted anything, and I suppose that’s a natural part of having a blog. I decided not to force myself to procure content and instead wait until I had something I really wanted to write about. This has been an absolute blast to learn about, although I will admit it was frustrating at times. This article focuses more on the outcome of my research, without dwelling too much on exactly how I got there. I am, however, planning a follow-up post with a whole pile of lessons learned, as I think there are a lot of gotchas and overall frustrations that could very possibly be skipped.

Why target this app specifically?

Com.enchantedcloud.photovault, or “Private Photo Vault” (hereafter PPV), has been the subject of security research before. In November 2015, a detailed breakdown was published by Michael Allen at IOActive, and he found that the app didn’t actually encrypt anything! Its security amounted to blocking users from seeing any media inside until the passcode had been entered, and this was extremely easy to defeat. I figured revisiting this same app in 2019 could be fun/interesting just to see how far it has or hasn’t come since then.

PPV uses RNCryptor, an encryption library with implementations available in Objective-C, C#, JS etc. RNCryptor is open source and we can absolutely use that to our advantage. For examiners with filesystem type extractions (GrayKey / Cellebrite CAS / jailbroken devices), the security of PPV is trivial to defeat and I will demonstrate how below. For examiners obtaining logical type extractions (iTunes backup, UFED 4PC, Magnet ACQUIRE, etc.), decryption will be more challenging and further reversing work will be required. I do believe it is possible though.

Basic Outline of the Process / Tools Used

- Locate and jailbreak a test iOS device (I used Electra root for my test device, an iPhone 6S running iOS 11.2.1).
- Set up access over USB with ITNL (iTunnel) and obtained root access to the device via SSH.
- Installed and verified operation of frida-server on the device. I did this using Sileo but it should be doable via Cydia as well.
- Used frida-ios-dump by AloneMonkey to obtain a decrypted binary of the target app (recommend Python 3.7).
- Static analysis using Hopper: this app is not free, but the trial is fully functional for 15 minutes, so make sure you hurry! I had great success searching for a value from the plist I believed to be associated with crypto, and one class looked like it might be of use.
- With my newly discovered knowledge I fired up Frida with this little gem: ObjC Method Observer, an awesome codeshare script by mrmacete to snoop on iOS method invocations of a specific class on a live device. (I targeted the LSLCrypt and RNCryptor classes in PPV.) Note the test passcode of 1234 at the end of the giant SHA256 string.
- Switched back and forth between Hopper and the Frida console until I established a good idea of what was going on. The biggest breakthrough here was that the encryption key doesn’t change when you change the passcode, and that it is stored in keychain.plist. A PIN change does not affect our encryption key, which conveniently gets stored in this device’s keychain.plist.
- Developed a PoC in C# using the amazing LINQPad to decrypt media in PPV_Photos given the keychain.plist.

Once generated, the master encryption key never changes, even if you change your PIN. This might seem like a poor design choice, but it’s actually how your iPhone works too, and it can be quite secure as long as the master key is well protected. The Secure Enclave makes sure that this key never sees the light of day, but this is not true for keychain data. The plaintext PIN, which is a maximum of 4 digits, is also stored in the keychain as “ppv_uuidHash1”. Each encrypted media file (found with its original in the app’s sandbox at /Library/PPV_Pics/) is essentially a container. The first two bytes can be safely ignored, the next 16 bytes are the IV (Initialization Vector), and the remaining bytes are the cipher text, with the exception of the last 32 bytes, which are related to the HMAC and can safely be ignored.

This script is C# and was written in/for LINQPad, but could be adapted to a Visual Studio project very easily. It uses only native libraries. You will need to plug in your AES key as base64 in the “USER CONFIGURATION REQUIRED” section! I call this a PoC because it does zero error checking and may or may not work for you without tweaking.

Update 2: Thanks to a tip from a reader, it was brought to my attention that PPV iOS made some pretty big changes in a recent update (early August 2021, version 11.9). The database can be found a directory up from its previous location, with the extension ‘.ecd’ (short for Encrypted Core Data). Despite this, it is fully compatible with SQLCipher viewing tools like DB Browser for SQLCipher. This is a solid security upgrade to PPV, as previously one could glean a lot of information about what the encrypted media might be by simply looking at the database (and observing things like album titles). Media items are now protected using a unique key per item. Still, having any cap on the PIN length at all seems unnecessary (the PIN space works out to 10^4 + 10^5 + 10^6 + 10^7 + 10^8). Also, having an option for a custom alphanumeric passcode would be nice to see.

There is now a ‘cloud backup’ option available (for a fee). The patch notes clearly state that the separate ‘cloud password’ is never backed up to their server, but even without the password I would have a lot of questions about how strong a KDF is being used on the password, what the minimum password strength requirements are, etc. Imagine a scenario where their backup server gets breached, and the only thing standing between the attacker and your most sensitive media is 10,000 rounds of PBKDF2-SHA1. This is not a reflection on PPV itself (I have no knowledge of the developer), but I have seen enough abhorrent things with other vault apps with this type of offering to default to alarm bells. These opinions are based on generalized concepts that would apply to any vault app with such a feature. I will say that non-CloudKit (iCloud) based storage for an app like this is, for me, on its own reason enough to exercise extreme caution. The fact that a paid subscription is required means that PPV will indirectly have access to a lot more PII of their users than they otherwise would, which could be used to associate media with a specific identity. It is only a matter of time before CSAM gets uploaded to their server. Does PPV have the resources to respond to legal orders, such as warrants or preservation orders?

Update 9: I have since done a bit more work with this app and have found a way to brute-force the PIN without keychain access. I also created a Python-based decryptor script (instead of the C# one attached to this post). Rather than make them publicly available, please contact me and I will be happy to share the scripts with you. You can do so on the DFIR Discord or the Twitter post.
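The container layout described above (2 header bytes, 16-byte IV, ciphertext, 32-byte HMAC) is RNCryptor’s key-based v3 format. As an added example that is not the author’s PoC, the Python below splits a blob into those fields and, instead of ignoring the trailing HMAC-SHA256, verifies it over every byte that precedes it (per the RNCryptor v3 spec), which lets an examiner confirm a recovered HMAC key and an intact file before attempting any AES decryption. The HMAC key, IV and ciphertext are constructed here and are not from any real device.

```python
import hmac
import hashlib
from dataclasses import dataclass

HEADER_LEN = 2    # version byte + options byte (the post's PoC skips these)
IV_LEN = 16       # AES-CBC initialization vector
HMAC_LEN = 32     # HMAC-SHA256 tag, always the last 32 bytes


@dataclass
class RNCryptorKeyContainer:
    version: int
    options: int
    iv: bytes
    ciphertext: bytes
    tag: bytes


def parse_container(blob: bytes) -> RNCryptorKeyContainer:
    """Split a key-based RNCryptor v3 blob: header | IV | ciphertext | HMAC."""
    if len(blob) < HEADER_LEN + IV_LEN + HMAC_LEN:
        raise ValueError(f"blob too short for an RNCryptor container ({len(blob)} bytes)")
    ciphertext = blob[HEADER_LEN + IV_LEN:-HMAC_LEN]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return RNCryptorKeyContainer(blob[0], blob[1], blob[HEADER_LEN:HEADER_LEN + IV_LEN],
                                 ciphertext, blob[-HMAC_LEN:])


def verify_tag(blob: bytes, hmac_key: bytes) -> bool:
    """Recompute HMAC-SHA256 over header+IV+ciphertext; constant-time compare."""
    expected = hmac.new(hmac_key, blob[:-HMAC_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob[-HMAC_LEN:])


def build_sample(hmac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Constructed sample: version 3, options 0 (key-based mode), then IV, ciphertext, tag."""
    body = bytes([3, 0]) + iv + ciphertext
    return body + hmac.new(hmac_key, body, hashlib.sha256).digest()


def tampered(blob: bytes) -> bytes:
    """Flip one bit of the first ciphertext byte so the tag check must fail."""
    b = bytearray(blob)
    b[HEADER_LEN + IV_LEN] ^= 0x01
    return bytes(b)


# Constructed test data, not real keys or media.
SAMPLE_HMAC_KEY = bytes(range(32))
SAMPLE_IV = bytes([0xAA] * 16)
SAMPLE_CIPHERTEXT = bytes([0x5C] * 48)   # three AES-block-sized filler blocks
SAMPLE_BLOB = build_sample(SAMPLE_HMAC_KEY, SAMPLE_IV, SAMPLE_CIPHERTEXT)

if __name__ == "__main__":
    c = parse_container(SAMPLE_BLOB)
    print(f"version={c.version} options={c.options} iv={c.iv.hex()} ct={len(c.ciphertext)} bytes")
    print("tag ok:", verify_tag(SAMPLE_BLOB, SAMPLE_HMAC_KEY))            # True
    print("tampered tag ok:", verify_tag(tampered(SAMPLE_BLOB), SAMPLE_HMAC_KEY))  # False
```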
Author: Tonya