You have an iPhone 6S protected by a 6 digits password plus the touch ID fingerprint and you may think that nobody can unlock it without the code, right? Wrong! At least not, according to the incident we analyzed this week at Morphus Labs.
An iPhone 6S, exactly as described in the previous paragraph, was stolen three days ago. The victim told us that, right after the incident, the criminals did reset some of their online services passwords, like Apple ID and contacted his bank pretending to be him in an attempt to retrieve the bank account’s passwords. Fortunately, they couldn’t reach the victim’s money, but, how could they reset the Apple ID password from a locked device?
To better understand this scenario, we’ve collected more information about the victim:
a) Could it have been a targeted attack, I mean, was the thief focused on stealing that iPhone specifically? Could the thief have previously grabbed the victim’s credentials using an e-mail phishing scam or something like that?
Probably not. According to the information we collected, the iPhone was the last item that the thief asked the victim.
b) Did some ID or other documents with the victim’s information also stolen? It is important to understand if the thief knew the victim’s name or e-mail address.
No. No ID or document with the victim’s name or any other information was stolen. They just asked for money and the iPhone.
c) How long did it take to the victim to lock the iPhone and SIM card?
Approximately 2 hours after the theft.
d) Was the iPhone password “guessable”?
No. The 6 digits password wasn’t easily guessable and had no relation to the victim’s car plate number or personal information that the thief might have.
So, given this mysterious scenario, we decided to dive into the situation and understand how the victim’s iPhone was unlocked.
2. The timeline
We will now establish a timeline to organize the facts that happened last October 14th afternoon:
a) 14:00 – the theft occurred;
b) 16:03 – the victim activated the lost mode of its iPhone and asked for it to be remotely erased through iCloud;
c) 16:28 – the victim’s Google Account password was changed;
d) 16:37 – the victim received an e-mail with a link to redefine its Apple ID’s password;
e) 16:38 – a new e-mail informing the victim that the Apple ID password has been changed;
f) 16:43 – a new e-mail informing that the iPhone has been located;
g) 16:43 – a new e-mail informing that the iPhone was being erased;
So, as we can see, the victim’s Google and Apple accounts passwords were reset by the thief of the iPhone. As we all know, unlocking an iPhone without the proper credentials is a “hard to unfeasible” work. So, how did they do it?
Based on the facts that we established on the timeline, we started to work on some questions that might explain what happened:
1) To change a Google account password, you have to inform at least your login, in other words, your e-mail address. How the e-mail address might have been discovered?
Despite the fact the latest IOS version shows information and notifications even on a locked iPhone, in our simulations, nothing appeared on the screen that could give the user’s Gmail address away;
2) Is there a way to discover the Apple ID from the device’s IMEI?
We searched on the Web and found paid services that offer exactly that: “discover the Apple’s ID from a given IMEI”. But all of them inform that this isn’t an online process. It could take 24 to 48 hours for you to get the information you want. This was not the case. The whole process took around 2 hours.
3) Is there a way to discover a Gmail account based on the only information that the criminal had, that is, the phone number?
We did some search again and realized that Google offers a way to discover an e-mail address based on some given data: the phone number that you associate to your account, a name and a surname. As the phone number could be easily discovered in this scenario, discovering the name and surname from that phone number could be less than hard. We’re starting to get somewhere…
3. The hypothesis simulation
So, we decided to follow that way and try to find the name and surname of the victim from the perspective of the thief. This time, arranging our lab wasn’t a tough task. The victim bought a new iPhone 6S smartphone, configured exactly the way the stolen one was and gave to us for the purpose of this research. That way, our scenario was as close as possible to the real scenario – including the same Google and Apple accounts.
3.1. Discovering the phone number
To obtain the phone number, we removed the SIM card from the iPhone and inserted it on another phone. Similar to the real scenario, no PIN lock was in place. On the other phone, it was easy to identify the phone number.
3.2. Low-hanging fruit
Now, having the phone number, we followed the “low-hanging fruit” strategy at first. We tried to find the victim’s name putting his phone number on the Internet search engines. Unfortunately, we didn’t find anything useful.
The next approach was to look for the phone number on Facebook. We know that if you have your phone number associated to your profile, it’s easy to find you by your phone number. Once again, nothing was found.
3.3. Thinking outside the box
Nothing on the low-hanging fruit, so, time to think outside the box. Of course that there could exist different ways to find out a person name by its phone number, but we decided to insist a little more in finding it with the information we have on our hands.
So, I remembered that recently I changed my smartphone. While configuring the new one, my WhatsApp profile came with my photo – and I didn’t restore if from the backup. But I didn’t remember if it came with my profile name and I decided to see if this strategy could give us the victim’s name.
To do so, we removed the SIM card from the locked iPhone and inserted it on a second smartphone with Whatsapp installed. We followed the initial configuration, receiving the SMS and so on, but unfortunately (of fortunately), WhatsApp did not load the profile name. It brought just the profile photo and status.
Yet related to WhatsApp, a second idea came into place. You might remember that if you are in a WhatsApp group and receive a message from a person that is not in your contact list, its name appears just after its phone number (ie: 9999-9999 ~Mike Arnold). So, it would be possible to send a message from that locked iPhone to a WhatsApp group, we could get the name associated to that profile.
3.4. (Whatsapp + Locked screen notification response) hacking
So, firstly, we confirmed that the iPhone was configured to show WhatsApp notifications on the locked screen sending it a single message. The message was shown as expected. The next step was to try to answer that message from the locked iPhone. Using the “3D touch” functionality, we were able to answer that message.
Initial validations were done, time to try the group message approach. We created a group and included the contact associated with the locked iPhone’s number. As there is no validation for you to enter a new group, as we did this and a new message was shown on the locked iPhone screen informing that it is now part of that new group.
As we had to create a contact associated with the iPhone number on the smartphone that created the group, we had to include a third participant in the same group. This third participant has no contact data related to the iPhone’s number.
So, that was all set. We sent a message from one of the group participants. As expected, the message arrived on the locked iPhone screen. We answered it from the locked iPhone and, as expected again, the message sent to the third participant came associated to the iPhone’s Whatsapp profile name. Stage completed.
The next and easiest step was to put those three parameters we discovered (phone number, name and a surname) in the Google form and get the e-mail address associated with that person. Stage completed.
3.4. Changing the Google account password
Now, let’s try to replay the password change made by the criminal. The next steps were:
– Enter Google login screen;
– Choose “forget my password” option;
– Insert any text on the “last password that you remember”;
– On the next screen, Google asks for the phone number associated with the account. They only show a partial of the phone number, but the last two digits allowed us to believe we were on the right track;
– Inserting the iPhone’s phone number, Google sent to iPhone a code through SMS to be inserted on the next screen;
– After doing that, Google offered us to input a new password for that account.
At that moment, we reproduced the Google account password change by mimicking what the criminal did and started to think how easy it could be, depending on the way it was set, to change someone’s Google account password having only its phone or SIM card and its first and last name – even for some minutes (or seconds).
3.5. Changing the Apple ID password
So, we continued following the incident timeline. On the next step we used the previous discovered Google e-mail as the Apple ID account login and choose the option “forget password” again. After that, a message was shown informing that an e-mail was sent to the Google account with a link to reset the password. The rest of this paragraph is easy to figure out. We had success changing the password associated with that Apple ID.
3.6. Unlocking the “new” iPhone
Based on the facts that occurred in the real incident, it was time to remotely lock and erase the iPhone we were using to do the simulations.
I could bet these procedures helped the criminal getting access to the iPhone. After the erase process, the iPhone asks you to enter the Apple ID and password that was previously associated to that device. And, as we have that information, it was easy to access and configure the “new” iPhone from scratch.
4. Vulnerabilities and Recommendations
Well, of course we might have followed a different strategy compared to that of the criminals, but the result was the same – an iPhone unlocked without its credentials.
However, to achieve this result, there are some assumptions that we will consider as vulnerabilities that should be avoided:
a) Locked phone notifications
Allowing your smartphone to show notifications while locked is a great convenience. But at the same time, allowing them may represent a great risk to your privacy and security.
As shown in our experiment, this feature allowed us to read SMS and WhatsApp messages and, worst, answer it without unlocking the device.
We strongly recommend disabling “show notifications on your locked smartphone” (advice for users). Depending on your platform (Android or IOS) or App, there are different ways to configure this.
b) The ‘Sin’ Card
This episode remembered us how important it is to protect the SIM card. We all take care of locking our smartphones with strong passwords and fingerprint auth, strong encryption and so on (don`t we?), but we have to remember the importance of properly securing the SIM card.
As we could see on the experiments we did on this research, the SMS is an important peace nowadays in terms of transaction validation and authentication services. We used it to receive the Google unlock code, but it could be used to authenticate other kinds of transactions.
So, we recommend to set a password protection (PIN) to your SIM card. That way, you considerably reduce the risk of impersonation if you lose or you have your cell phone stolen.
Depending on your smartphone, there are different ways to configure it. Remember that, after you set your SIM card PIN, you have to insert it every time you reboot your smartphone (which is not very usable).
c) Two-factor authentication
Last but not least, please, enable two-factor authentication on your accounts right now! Two-factor authentication means that you have to provide a combination of at least two methods to prove your identity to the system you are dealing with. The possible factors you can pick from are these three: something that you know, like a password; something that you have, like a hard or soft token and something that you are, like your fingerprint.
Nowadays, almost all of the Internet services offers you the option to configure two-factor authentication – usually a password and token. There is an option for the second factor to be sending you an SMS, but we know that it may be fragile. Preferably, choose to use an App, like Google Authenticator, to generate the token.
This strategy will strongly reduce the risks of unauthorized access to your account. If the victim of this incident was using two-factor authentication, it would be impossible to change their password by using the SMS strategy.
5. Final words
Given the short period of time between the theft and the accounts hacking process, we believe that this strategy is widely used to unlock lost and stolen devices.
Aside from the financial loss directly involved with having an iPhone lost/stolen, this case brings us an important reflection. Are we protecting our SIM cards and SMS messages as we should? The potential impact, like improper information access or disclosure in scenarios like the one from this article, could be even more devastating. It would be an overkill to compare an unlocked SIM card to an important password that you carry every day, in clear text, attached to your smartphone?
About the Author:
Edited by Pierluigi Paganini
(Security Affairs – hacking, iPhone)