Paper 2021/460

Let’s Take it Offline: Boosting Brute-Force Attacks on iPhone’s User Authentication through SCA

Oleksiy Lisovets, David Knichel, Thorben Moos, and Amir Moradi

Abstract

In recent years, smartphones have become an increasingly important storage facility for personal sensitive data ranging from photos and credentials up to financial and medical records like credit cards and a person’s diseases. Trivially, it is critical to secure this information and only provide access to the genuine and authenticated user. Smartphone vendors have already taken exceptional care to protect user data by means of various software and hardware security features like code signing, authenticated boot chain, a dedicated co-processor and integrated cryptographic engines with hardware fused keys. Despite these obstacles, adversaries have successfully broken through various software protections in the past, leaving only the hardware as the last standing barrier between the attacker and user data. In this work, we build upon existing software vulnerabilities and break through the final barrier by performing the first publicly reported physical Side-Channel Analysis (SCA) attack on an iPhone in order to extract the hardware-fused device-specific User Identifier (UID) key. This key – once at hand – allows the adversary to perform an offline brute-force attack on the user passcode employing an optimized and scalable implementation of the Key Derivation Function (KDF) on a Graphics Processing Unit (GPU) cluster. Once the passcode is revealed, the adversary has full access to all user data stored on the device and possibly in the cloud. As the software exploit enables acquisition and processing of hundreds of millions of traces, this work further shows that an attacker being able to query arbitrarily many chosen-data encryption/decryption requests is a realistic model, even for compact systems with advanced software protections, and emphasizes the need for assessing resilience against SCA for a very high number of traces.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published by the IACR in TCHES 2021
Keywords
iPhone, SCA, Passcode Recovery
Contact author(s)
oleksiy lisovets @ rub de
david knichel @ rub de
thorben moos @ rub de
amir moradi @ rub de
History
2021-04-09: received
Short URL
https://ia.cr/2021/460
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/460,
      author = {Oleksiy Lisovets and David Knichel and Thorben Moos and Amir Moradi},
      title = {Let’s Take it Offline: Boosting Brute-Force Attacks on iPhone’s User Authentication through SCA},
      howpublished = {Cryptology ePrint Archive, Paper 2021/460},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/460}},
      url = {https://eprint.iacr.org/2021/460}
}