33

Four months ago I lost all my data after an iTunes update automatically restored my phone to factory defaults. I lost all the pictures of my newborn.

I understand that when you do a factory reset the decryption key is discarded so the data is unretrievable. There's nothing I can do now. But is there any chance I'll be able to recover the pictures in the future? I have kept the phone in my drawer.

I have created a group with so many moms like me; we all lost photos of our little one due to unexpected factory resets. It's not an isolated issue.

**This question is about iPhone data decryption in the future, not about how I should find my lost data with my laptop, backup file, etc. I have tried all methods.**

Vivi
  • 34
    Sorry about that, what you want is the same power as three-word agencies. It is better you inform your group to keep backup of your lovely ones photos. – kelalaka Jan 04 '21 at 10:00
  • 19
    I'm sorry that this happened to you. Unfortunately you've learned the hard way that backups are a necessity. There are many, many causes of data loss: hardware failure, software errors, human errors, natural disasters, malicious software... Plan and implement a backup strategy for all your important data on all devices as soon as possible. Otherwise it's a matter of time until this happens again. – gronostaj Jan 04 '21 at 12:11
  • You should use android device with SD card support. Nowadays, a damaged device costs less than losing data. – defalt Jan 04 '21 at 14:21
  • 29
    Wait wait wait. iPhones automatically back up photos to iCloud and iPhone updates have been delivered OTA for years (can you even do an update via iTunes anymore)? Even when you did do updates via iTunes I don’t recall it ever doing a factory reset on your phone without manually forcing it. – Darren Jan 04 '21 at 15:48
  • 7
    @kelalaka Even the three-word agency possesses no such power https://www.nytimes.com/2020/01/07/technology/apple-fbi-iphone-encryption.html. I do not personally like Apple products due to limited customizability and planned obsolescence but I will say that their dedication to user privacy is unrivaled. – MonkeyZeus Jan 04 '21 at 19:24
  • 1
    @MonkeyZeus I should say what you want is the same power that the three-word agencies wanted. – kelalaka Jan 04 '21 at 19:25
  • 1
    With current technology it looks like it would take a minimum of 34,000 years to crack the encryption https://crypto.stackexchange.com/q/48667. Moore's Law is set to expire in 2022 so even if the computational power doubled then you're still looking at 17,000 years to crack the encryption. I'm sorry for the loss of your pictures. I have a 2 and 3 year old and I'm not sure how I would be able to handle losing any of their pictures. – MonkeyZeus Jan 04 '21 at 19:34
  • 1
    If Moore's law doesn't expire then you would need to wait 20 years and from that point wait 33.2 years to decrypt the data. – MonkeyZeus Jan 04 '21 at 19:36
  • Odds are high that the phone hardware will flat out fail by then and the storage inside your phone has simply degraded past the point of booting up. – MonkeyZeus Jan 04 '21 at 19:38
  • 3
    @MonkeyZeus, the answer you linked there assumes a 128-bit AES key. iPhones use 256-bit encryption, so the keyspace is approximately 10^38 times larger than that. – Seth R Jan 04 '21 at 22:59
  • 28
    I'm curious that nobody's addressing the premise: an iTunes update resetting the phone to factory settings, really? And simultaneously removing everything from iCloud, really? – Asteroids With Wings Jan 05 '21 at 03:52
  • 8
    @AsteroidsWithWings iTunes would not do a reset automatically on an update, but if the update fails it will prompt you with a "You can try restoring a backup, or factory reset" option. And iPhones are not automatically backed up to iCloud. You have limited space there. My backup is on my PC, and backed up to my server. – Logarr Jan 05 '21 at 06:25
  • Thank you everyone for your comments. I have read through all the comments carefully. I appreciate your kind explanation and suggestions. I have learned from the data loss, and take serious actions to back up data already. I've been using a new phone and keep the factory reset one in a drawer. – Vivi Jan 05 '21 at 07:34
  • @SethR I trust what you're saying but I'm not positive how to visualize the time difference. Would it quadruple the 34,000 years estimate? – MonkeyZeus Jan 05 '21 at 13:47
  • 1
    Never mind, at https://scrambox.com/article/brute-force-aes/ there is a chart labeled "Recap: brute force exhaustive search of AES-256" and if every single computer on Earth worked in unison then we're looking at trillions of years; an utterly incomprehensible timeframe. All stars in the universe will have died and we'd have returned to singularity and big-bang several times over; or suffer heat death, whichever theory you subscribe to. – MonkeyZeus Jan 05 '21 at 13:56
  • @MonkeyZeus, correct, it would multiply the time estimate by 10^38 (a 1 with 38 zeroes after it). Trillions (a 1 with only 12 zeroes after it) of years is a vast understatement. You will experience the death and rebirth of the universe trillions of times before an AES-256 key is cracked. – Seth R Jan 05 '21 at 14:50
  • @MonkeyZeus - *"it looks like it would take a minimum of 34,000 years to crack the encryption"* - Imprecise language there. There is a possibility (although infinitesimal) that you could crack it at the first try. Therefore the actual *minimum* is a few seconds. I suggest, *"it looks like it could take up to 34,000 years to crack the encryption"* - I imagine that the mean solution time would be half that, i.e. 17,000 years. – chasly - supports Monica Jan 06 '21 at 15:06
  • @chasly-supportsMonica At this point that comment is moot. See the additional comments about the trillions of years estimate. I don't think that halving trillions is going to be significant. But yes, "Up to trillions of years" would be more accurate :) – MonkeyZeus Jan 06 '21 at 15:16
  • SMH, this is what happens when developers turn the security dial to "max for everyone", *automatically and by default*. That, and Wikipedia becoming inaccessible for hundreds of millions of disadvantaged people. Supersecurity is great for the "takes naked pix of self" gang, not so good for the parent gang. – Harper - Reinstate Monica Jan 06 '21 at 19:14
  • Didn't the FBI get into that terrorist's iPhone a few years back without the password? They used an outside company to do it, and they kept the method secret as far as I know, but it's possible the same method would work here as well... – user4574 Jan 07 '21 at 05:53
  • 1
    @user4574, as discussed in comments under one of the other answers, the FBI (most likely) circumvented the feature that wipes the phone after too many unlock attempts. That allowed them to brute force the user PIN to unlock the phone and get the decryption key. It won't work if the key is gone entirely, which a factory reset will do. I also would not expect the method they used to become commercially available ever. – Seth R Jan 09 '21 at 07:17

6 Answers

64

Modern encryption is strong enough that there is no way to retrieve the lost data without the key. Although it's possible that it could be doable in the future in theory, consider that even the cipher 3DES, a trivial modification to a cipher designed nearly half a century ago in the 1970s, cannot be broken in the manner you want, and that was cryptography in its infancy. Modern iPhones use AES which has held up to 20 years of analysis and is showing no signs of meaningfully weakening.

Ciphers are never secure one day and fatally broken the next. There is virtually never a massive breakthrough that renders a cipher useless, as attacks are improved incrementally. If AES ever gets broken badly enough that you would be able to recover the encrypted data without the key, there would have been decades of slow improvements to the attack and we would all have known for years that it's too weak to even consider using. If that were the case now, I'd tell you to wait a few decades and maybe, just maybe, a key recovery attack would be released, but that's not the case.

The data is gone. Plan for keeping backups in the future to avoid a repeat of this issue.

forest
  • Hi Forest, thank you for your reply. I want to upvote you, but my account is new, so I cannot do it. Do you mean that the AES is so strong and there will be no solution in near future. And even simpler encryption such as 3DES is still with no meaningful way to decrypt the data? Is there any research working on decrypting phone? – Vivi Jan 04 '21 at 03:30
  • 2
    @Vivi You are correct. The ciphers used are strong enough that there is effectively no chance to recover it. There is a lot of research that is constantly going on into breaking strong ciphers like AES and despite all that, it has held up since it was first created. – forest Jan 04 '21 at 03:31
  • Technology might have a breaking point after long-period investment and research. Comparing to a phone, the data is more important so I will keep my phone in the drawer. – Vivi Jan 04 '21 at 03:35
  • 7
    @Vivi There's nothing wrong with keeping it in a drawer, but a break of AES to the extent that you would need is incredibly unlikely. AES is designed to be secure enough that one can trust their life with it. _Maybe_ in the 22nd or 23rd century, but certainly not anytime in the foreseeable future. – forest Jan 04 '21 at 03:38
  • I see. Thank you. You give me a good idea of the expectation. – Vivi Jan 04 '21 at 03:42
  • 50
    I would add a human comment here. No more tech. I believe that keeping the phone in a drawer for decades will just hurt feelings with false hopes. It's bad to lose unique moments. Whoever suffered a data loss knows that. From the psychological/social point of view, it could be better to focus on future moments than past. Maybe recreating some, even for purpose of fun. I was trying to find record of someone who did. – usr-local-ΕΨΗΕΛΩΝ Jan 04 '21 at 11:49
  • 5
    I'd like to add that in the unlikely event AES is broken, it would completely turn the cybersecurity world on its head and cause absolute chaos across the technology field. Most of the strategies we have for ensuring privacy and confidentiality rely on that algorithm, or ones like it. It would be a very bad thing. – Seth R Jan 04 '21 at 15:40
  • @SethR - It seems possible that the length of keys used in that iPhone might eventually one day with faster systems be vulnerable to brute force attacks though? That isn't "breaking AES". – T.E.D. Jan 04 '21 at 17:25
  • @SethR - IIRC, the FBI was trying in court to get Apple to do it for them, Apple refused, a 3rd party commercial company came to the FBI and said "we can do it for you", and then the FBI dropped the case (presumably after availing themselves of said service). Most likely that company is still out there... – T.E.D. Jan 04 '21 at 17:40
  • 7
    @SethR The key is not generated from the short PIN. The key is held in the Trusted Execution Environment and is a randomly generated 128 or 256 bit number (can't recall which). Access to this key (well, more strictly speaking, access to the decryption function which uses the key) is controlled by the PIN. When you do a factory reset the key itself is erased, so even if the OP knew the PIN and the algorithms used to protect the key, she could still not recover the data. The data is gone. Take your phone out of the drawer and use it again. – throx Jan 04 '21 at 22:08
  • @throx, interesting. I figured the AES key was a hash of the PIN generated by the TEE and could be recovered by brute forcing all possible PIN combinations, if not for the device wipe after too many attempts (I thought the FBI, or their contractor, just figured out how to bypass the wipe feature with some micro surgery on the hardware). iPhones do use 256-bit encryption. No way to brute force that. I'll delete my previous comment. – Seth R Jan 04 '21 at 22:41
  • @SethR Cellebrite (the contractor), I believe, did circumvent the wipe feature as you suggest through some defect in system design. That still lets you present every combination of PIN to the TEE to eventually have it unlock the key for you. I have no idea for certain how they did it, and they obviously aren't disclosing details. :) – throx Jan 04 '21 at 23:40
  • In _theory_ someone could spend a ridiculous amount of money to take a look at the secure storage on the iPhone to get a "ghost" of an old key left there (in theory the operation to replace the key erased the old one, but sometimes electronics can "leak" old values. If their storage did this, this would be a screwup by apple, but...). This is also insanely unlikely to work, and figuring out how to do it would be nation-state level effort (or ridiculously skilled security researcher) ... and even then would almost certainly fail. – Yakk Jan 05 '21 at 06:48
  • 1
    @usr-local-ΕΨΗΕΛΩΝ Thank you, you are very kind and gentle. I've been using a new phone to take pictures & videos for my little one. I created a separate cloud album for my son and update selected pictures on a daily basis, and then share the album with grandma, grandpa, etc. I am also planning a family trip to the places we've visited after the Covid-19. – Vivi Jan 05 '21 at 07:50
  • Even if the cipher itself might be broken in the far future, your raw, encrypted data might no longer be intact by then. The NAND flash memory, which is used by iPhones for internal storage, is designed for speed and [not data longevity](https://en.wikipedia.org/wiki/Flash_memory#Archival_or_long-term_storage). This might be fixed by simply keeping a charge in the battery, or might require turning the phone on (I'm not aware under what circumstances is the memory controller powered). Sorry to be a bearer of the bad news, but you should know even the data themselves won't last forever. – Marty Cagas Jan 05 '21 at 20:09
  • My understanding (which could be wrong) is that Cellebrite's attack involved voltage glitching to prevent the counter of how many attempts to guess the PIN had been made from being updated. Either way, the general thesis (that after a reset the PIN is useless even if recovered) holds. – Charles Duffy Jan 06 '21 at 21:20
  • "Although it's possible that it could be doable in the future in theory" - the use of the word theory may be mistakenly taken to mean that someone already has a theoretical method for how to break this, but we don't. Unless our understanding of physics has some very unexpected breakthrough, we believe it to be impossible to break, even with quantum computing which at best would effectively halve the bits, making 256 bit still quite secure. – thomasrutter Jan 07 '21 at 06:43
  • @thomasrutter "In theory" just refers to the fact that AES does not provide information theoretic security. And all the existing theoretical methods of breaking AES (they do exist on the full round cipher) only weaken the security by a trivial margin and are completely impractical to carry out, so it's still considered secure. – forest Jan 09 '21 at 22:09
  • @forest yes that's true, to clarify I understand the intention but just wanted to point out a naive person's interpretation of "in theory" may be that there currently exists a theory for breaking AES, and it's just a matter of putting that theory into practice. There is of course no such thing - your way of using "in theory" was a nod to "we can never be totally sure there will never be a way of breaking AES" – thomasrutter Jan 11 '21 at 04:56
31

Every time I updated my iPhone with iTunes, iTunes automatically made a backup of the iPhone. These backups can be checked in:

iTunes >> Edit Menu >> Preference >> Devices >> Device backups

(Some backups might even be automatically moved to the Recycle bin)

Isn't it possible to use one of these backups to restore to a (new) iPhone as described by Apple Support?

schroeder
Henk Groot
  • Hi Schroeder, thank you for your suggestion. I don't have any backup files since I did the update at DFU mode. The only possibility for me as of now is to wait for future solutions to decrypt data. But I appreciate your response and I wish you a very good week ahead. – Vivi Jan 06 '21 at 05:10
  • @Henk, the OP has clarified that the question is indeed about decryption and not about file recovery. – schroeder Jan 06 '21 at 08:06
  • 1
    @Vivi this is not my answer. I only edited it. – schroeder Jan 06 '21 at 08:07
  • Hi @Henk, thank you for your response. And Schroeder, thank you for your edit as well. – Vivi Jan 06 '21 at 09:58
  • This looks for me as a partial answer. I see no reason for it to exist in the VLQ queue. – peterh Jan 06 '21 at 10:46
8

Modern smartphones encrypt data backed by a Trusted Execution Environment (TEE). The TEE stores keying material that is used together with a master key and the screen lock code to derive a key that encrypts and decrypts the keys for device encryption. This is one possible way of protecting device encryption keys using a TEE; Apple's implementation can be slightly different. On factory reset, the TEE flushes the master key and regenerates a new key on first boot.

There are no scalable and affordable techniques to extract data out of a TEE. If their Evaluation Assurance Level (EAL) is 4+, they can be as secure as a smart card, which is tamper resistant by design. If there were such a forensic tool in the future that could recover deleted keys from a TEE, you might be able to decrypt recovered data if it's not already overwritten at present. You will need an electron microscope for this.

defalt
  • 1
    If in the first part of the answer you said that keys are flushed from the TEE after the reset, why do you still talk about methods to extract keys from the TEE? – J. Doe Jan 05 '21 at 00:10
  • @ J. Doe If it was possible to read flash storage of TEE and Secure Element (SE), it would be possible to recover deleted keys as well if it's not already overwritten. OP is asking for future technology, it might become possible but might not be affordable. – defalt Jan 05 '21 at 04:58
  • Well today any TEE can be broken with a scanning electronic microscope for example. TEE are meant to be secure against thefts not advanced attackers. – J. Doe Jan 08 '21 at 13:13
  • 1
    @J. Doe That's not true. Samsung Electronics' Secure Element `S3FV9RR` chip has EAL 6+ which is in Samsung S20 and it is as secure as extracting keys from smart card. Google Titan M chip and Apple T2 chip EAL certification is not known but it has to be at least 4+ to be certified as Secure Element. – defalt Jan 08 '21 at 14:05
  • exactly, and you can still extract keys from smart cards or others chips with the right equipment (like a good scanning electronic microscope) https://archive.org/details/youtube-YM5I8yR7yCw. Stuff like TEE or smart cards still is blackbox security, so you can do whatever you want (expensive and slow, but you can) – J. Doe Jan 08 '21 at 16:04
  • 1
    @J.Doe You can _potentially_ extract _existing_ keys, not keys that have been wiped. – forest Jan 09 '21 at 22:07
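
A toy model of the key hierarchy described in the answer above, as an added example that is not part of the original answer and is not Apple's implementation: `ToyTEE`, `seal`, `open_sealed` and the PIN `4821` are hypothetical, and an HMAC-SHA256 keystream stands in for AES so that it runs on the Python standard library alone. It shows that once the master key is replaced on factory reset, the wrapped data key still sitting in flash cannot be unwrapped with the correct PIN or with any other 4-digit PIN.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100  # deliberately low so the exhaustive PIN loop runs quickly

def _keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for AES)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def _subkeys(key):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    """Return the plaintext, or None when the key is wrong."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(enc, nonce, ct)

class ToyTEE:
    """Hypothetical TEE model: the master key never leaves this object."""

    def __init__(self):
        self._master_key = secrets.token_bytes(32)

    def _kek(self, pin):
        # Key-encryption key derived from the screen lock code and the master key.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._master_key, PBKDF2_ITERATIONS)

    def wrap(self, pin, dek):
        return seal(self._kek(pin), dek)

    def unwrap(self, pin, wrapped_dek):
        return open_sealed(self._kek(pin), wrapped_dek)

    def factory_reset(self):
        # The old master key is discarded; a fresh one takes its place.
        self._master_key = secrets.token_bytes(32)

def any_pin_unwraps(tee, wrapped_dek):
    """Try every 4-digit code through the TEE; True if any of them unwraps."""
    return any(tee.unwrap(f"{n:04d}", wrapped_dek) is not None for n in range(10_000))

def demo():
    tee, pin = ToyTEE(), "4821"                      # constructed PIN
    dek = secrets.token_bytes(32)                    # random data-encryption key
    photo = b"constructed sample bytes standing in for IMG_0001.jpg"
    flash = {"wrapped_dek": tee.wrap(pin, dek), "photo": seal(dek, photo)}
    before = open_sealed(tee.unwrap(pin, flash["wrapped_dek"]), flash["photo"])
    wrong_pin = tee.unwrap("0000", flash["wrapped_dek"])
    tee.factory_reset()                              # flash contents are untouched
    after_pin = tee.unwrap(pin, flash["wrapped_dek"])
    after_any = any_pin_unwraps(tee, flash["wrapped_dek"])
    return before, wrong_pin, after_pin, after_any

if __name__ == "__main__":
    print(demo())
```
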
3

An absolutely true, correct and technical answer is yes, there is hope, and even a certainty that one day that will be possible. A practical answer is that your iPhone will be hit by an asteroid, before your newborn will get to see those pictures.

Apart from the obvious issue with decryption being difficult, even if technology appears in 30 years, it is unlikely that there will be readily available technology to read that iPhone then. And even if you also store a PC with all the necessary software by then, the storage in your phone is not meant to last 30 years, even if not used. Electrons are lost slowly but surely until all your data is spread in the universe. If you'd want to slow this process, you should keep the phone charged in a cold and dry environment, and still take the phone out once in a while to recharge it. Even like this, it is still more likely that by the time the technology will be available, the information will be corrupted beyond repair.

Disclaimer: Never believe when people tell you what the future will be like. 30 years ago really smart people thought we'd have holograms and that 640KB is enough memory for anyone in the world (corrected based on comment). We're still working on those holograms, and your iPhone has a million times more memory than 640KB (ok, only the most expensive one).

The lesson is, as many people already said, but it's a lesson worth repeating:

Remember to always back up!

Andrei
  • 1
    Even the falsely attributed quotes about 640KB do not, as far as I know, propose that quantity of storage for the entire world. – Ben Voigt Jan 06 '21 at 19:36
  • @BenVoigt I don't know why you say it's falsely attributed, but indeed the claim is wrong, the original claim was that 640KB is enough for any individual in the world, not all the individuals in the entire world, which is different, but captures the same idea. Nevertheless, I corrected this. Thanks. – Andrei Jan 07 '21 at 17:02
  • https://skeptics.stackexchange.com/q/2863/2954 – Ben Voigt Jan 07 '21 at 17:12
2

There is some chance that quantum computing will be able to crack these keys. I would bet it will be at least 2-3 decades from now.

Note, you still have no chance to access the raw, block-level data of your iPhone. It is because Apple cheated you - you bought the iPhone thinking that it will be yours and you will be able to do with it what you want to. Truth is that you still can do with your iPhone what Apple allows. They don't allow you to access the flash on the block level.

Besides the appearance of practically usable quantum computers capable of breaking strong AES, you will also need to crack your own phone, in order to access your own data. Doing that is not yet a criminal offense in the USA, hopefully it won't be even in this far future.

Many encrypted hard disks, with lost keys, but with important data, are waiting for that, around the world. :-)

The hope still looks small today, but it is the one we have.

peterh
  • 2
    Incorrect, iPhones use 256-bit AES, which [quantum computers will **not** be able to crack](https://security.stackexchange.com/q/241991/235964) – nobody Jan 06 '21 at 10:55
  • @nobody Thanks. But it only says that it is impossible with Grover's algorithm. There is no proof that it is impossible with QC. It is a very hot CS topic, having an $O(\sqrt{n})$ crack by QC means that having, maybe a yet better crack will be once available. – peterh Jan 06 '21 at 11:00
  • Well, for that matter there is no proof that the algorithm can't be cracked on a classical computer (since a significant cryptanalytic breakthrough is possible albeit unlikely). However, Grover's Algorithm is optimal and bruteforcing a 256 bit key on quantum computers is infeasible. – nobody Jan 06 '21 at 11:05
  • @nobody Is there a proof that there is no better QC algorithm? – peterh Jan 06 '21 at 11:34
  • For bruteforcing black box function, it's been proven asymptotically optimal. Any better algorithm would have to rely on weaknesses in the internal structure of the encryption algorithm (but that amounts to cryptanalysis of the algorithm, which is possible even without quantum computers but currently doesn't seem likely in the near future) – nobody Jan 06 '21 at 11:42
  • @peterh-ReinstateMonica is there proof that there is not god? – J. Doe Jan 08 '21 at 16:21
1

Short answer: as others have said, no. However, depending on the iPhone hardware version, iOS version, and any future discovery of weaknesses in the methods they used for generating keys, there is a small to moderate likelihood that recovery may be possible in the foreseeable future. That doesn't imply it will be easy or accessible to people without access to specialized tools or funds to pay people who have sufficient knowledge and access.

  • 8
    I know you're just hedging with "small to moderate likelihood," but it seems unkind to give false hope here. Given our current understanding of technology and physics "negligible to minuscule likelihood" seems more realistic. Breaking AES would have world-changing implications, probably won't happen in our lifetimes, and even if it did happen--say 30 years from now when the newborn is grown up--the iPhone memory might already be toast by then. The photos are gone. – GrandOpener Jan 06 '21 at 04:26
  • @GrandOpener I think he's talking about weakness in the hardware random generator, not in the cipher. However even in that case it's exceedingly unlikely. It would have to have a very bad bug, since creating a few hundred bits of entropy is not that difficult. – forest Jan 09 '21 at 22:04