
How to steal Bitcoin from an iPhone

The Bitcoin Consultancy
By David Veksler • Issue #18
In my last post, I teased that I extracted a crypto wallet recovery seed from an iPhone for a client who forgot their wallet PIN.
Here is exactly how I did it:

How to Extract a Crypto Seed from an iPhone
1: Jailbreak The iPhone
A “jailbreak” (or “root” on Android devices) means gaining super-user permissions on the iPhone. These permissions allow apps to escape the “sandbox” that limits what apps can normally do on iOS. There have been dozens of different jailbreaks, but they all work the same way: a jailbreak uses a vulnerability (an “exploit”) in iOS to remove the software restrictions. Once the jailbreak is complete, it is possible to install software that has full access to the device.
The most recent jailbreak is unc0ver, but you must check for the best jailbreak available for your iPhone model and iOS version. It is normal to wait several years for an exploit to become available for the current iPhone model and iOS version. Each jailbreak has its own process, so read the instructions carefully.
2: Install SSH server
Jailbreaks typically install the Cydia alternative app store. Cydia can be used to install the apps needed for the extraction itself. The first thing you need is remote access to the iPhone via SSH: OpenSSH.
3: Install File Browser
The Filza File Manager can be used to browse, download, and upload files on the iPhone. Don’t bother looking for keys in the filesystem, as they are only found in the Keychain database. However, Filza is a convenient way to upload the keychain-dumping tool and to download the dumped keychain.
4: Dump The Keychain
The Keychain is a database that iOS provides for apps to store confidential information. Crypto wallets use the Keychain to store sensitive data such as the wallet seed.
The Keychain Dumper app used to work for exporting the keychain on jailbroken iPhones. However, I could not get it to work on iOS 14.7. You can copy the keychain_dumper binary to the device using Filza, then run it over SSH.
If that does not work, the Elcomsoft iOS Forensic Toolkit uses a modified version of Keychain Dumper to dump iOS credentials. The toolkit basically wraps a script around this tool, but again, running the toolkit directly did not work for me. However, by looking at the error output of the toolkit and manually copying the binaries, I was able to successfully dump the keychain into a text file, then copy it to my computer.
5: Locate The Seed In The Keychain Dump
Search the keychain dump for the word “mnemonic”. I have noticed several wallets using this key for the seed phrase, but of course there may be others. An entry will look like this:
Internet Password
-----------------
Server: 
Account: 71DB0E1D-A6D6-4F29-8FA4-7E3D8AFB525wallets
Entitlement Group: 8LPM4195XY.com.crypto.wallet
Label: (null)
Accessible Attribute: kSecAttrAccessibleAfterFirstUnlock, protection level 1
Keychain Data: {"uuid":"A1C823E4-3118-43BD-8BC7-2E48507AB90C","isActive":true,"name":"CODENAME","mnemonic":"[SEED]"}
Now you can load the seed into a new wallet.
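The entry above also shows why the extraction works at all: the wallet stored its mnemonic as plaintext JSON under kSecAttrAccessibleAfterFirstUnlock, a class whose items are readable any time after the first unlock since boot and which, lacking the ThisDeviceOnly suffix, also migrate with backups. The following is an added example, not code from this newsletter or from any keychain tool: a small audit script for a wallet developer or reviewer checking what their own app writes, run over a dump in the layout shown above. It parses the records, finds JSON payloads with seed-like field names (a heuristic list chosen here) and flags any stored under a class other than the two ThisDeviceOnly classes that require the device to be unlocked. The sample dump is constructed from the entry above plus one filler record, and "[SEED]" is a placeholder.

```python
from __future__ import annotations

import json
import re

# Constructed sample in the layout of a keychain_dumper report. The second record
# mirrors the wallet entry shown above; the first is filler the audit should ignore.
# "[SEED]" is a placeholder, not a real mnemonic.
SAMPLE_DUMP = """\
Generic Password
----------------
Service: com.example.notes
Account: settings
Entitlement Group: EXAMPLE123.com.example.notes
Label: (null)
Accessible Attribute: kSecAttrAccessibleWhenUnlockedThisDeviceOnly, protection level 4
Keychain Data: {"theme":"dark"}

Internet Password
-----------------
Server: 
Account: 71DB0E1D-A6D6-4F29-8FA4-7E3D8AFB525wallets
Entitlement Group: 8LPM4195XY.com.crypto.wallet
Label: (null)
Accessible Attribute: kSecAttrAccessibleAfterFirstUnlock, protection level 1
Keychain Data: {"uuid":"A1C823E4-3118-43BD-8BC7-2E48507AB90C","isActive":true,"name":"CODENAME","mnemonic":"[SEED]"}
"""

# JSON field names wallet apps commonly use for seed material (heuristic; extend as needed).
SECRET_FIELDS = {"mnemonic", "seed", "xprv", "privatekey", "private_key", "passphrase"}

# Classes acceptable for a wallet seed: readable only while the device is unlocked and
# never migrated to another device through a backup. Anything else is flagged.
ACCEPTABLE_CLASSES = {
    "kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly",
    "kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
}


def parse_dump(text: str) -> list[dict]:
    """Split a dump into records: the item class plus its 'Key: value' lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2:
            continue
        record = {"class": lines[0].strip()}
        for line in lines[2:]:  # skip the class name and the dashed underline
            key, sep, value = line.partition(":")
            if sep:
                record[key.strip()] = value.strip()
        records.append(record)
    return records


def accessibility_class(record: dict) -> str:
    """Return just the kSecAttrAccessible* constant, dropping ', protection level N'."""
    return record.get("Accessible Attribute", "").split(",")[0].strip()


def secret_fields(record: dict) -> list[str]:
    """Seed-like field names in the item's JSON payload (empty if the payload is not JSON)."""
    try:
        payload = json.loads(record.get("Keychain Data", ""))
    except ValueError:
        return []
    if not isinstance(payload, dict):
        return []
    return sorted(k for k in payload if k.lower() in SECRET_FIELDS)


def audit(text: str) -> list[dict]:
    """Flag keychain items holding seed material under a class weaker than ACCEPTABLE_CLASSES."""
    findings = []
    for record in parse_dump(text):
        fields = secret_fields(record)
        if not fields:
            continue
        cls = accessibility_class(record)
        findings.append({
            "group": record.get("Entitlement Group", "(unknown)"),
            "secret_fields": fields,
            "accessibility": cls,
            "weak_class": cls not in ACCEPTABLE_CLASSES,
            "migrates_in_backup": not cls.endswith("ThisDeviceOnly"),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        status = "WEAK" if f["weak_class"] else "ok"
        print(f"{status}: {f['group']} stores {f['secret_fields']} under {f['accessibility']}")
```

On the constructed sample the script reports the wallet group as WEAK: the mnemonic sits under kSecAttrAccessibleAfterFirstUnlock and would migrate in a backup. The fix on the app side is the stricter class, and better still not keeping the seed in plaintext at all but encrypting it under a key derived from the user's wallet PIN, so that a dumped item is useless without it.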
What is Money? AEF #6 David Veksler
Austrian Economics Forum #6: David Veksler
What is a Medium of Exchange? What are the types of Currencies? Is Bitcoin a good store of value?
00:00 Introduction
00:49 What is Currency? (Medium of Exchange)
03:17 Commodity Currency (Gold)
04:56 Fiat Currency (USD)
07:45 Hybrid Currency (Crypto / BTC)
11:29 Crypto Currency Ledgers (Blockchain)
19:50 Bitcoin Future / Predictions
How I Brute Force Blockchain.info Wallets
Here is the actual command I used to recover a recent wallet. The recovery took about a week on an Nvidia RTX 3060 graphics card. This run is a batch of 300 million passwords, but it took over 1 billion passwords in total to crack this wallet, because my process works through ever-larger password sets.
Pro Tip: Blockchain.info/Blockchain.com wallets should really be run on a graphics card, as it is over 10x faster than a CPU. I use a special mining driver, because Nvidia limits the hash rate in its new cards/drivers, and that limit can also apply to brute forcing.
The hardware to do this costs a few thousand dollars, but neither the hardware nor software is especially difficult or expensive. The tricky part is almost always defining the list of tokens in such a way that the search can be completed in hours and days rather than millennia.
python btcrecover.py --tokenlist tokens5.txt --wallet wallet.aes.json --enable-opencl --dsw --max-eta 500 --no-dupchecks --typos 1 --typos-delete --typos-closecase --typos-repeat --typos-swap --typos-insert %p
OpenCL: Available Platforms
Platform 0 - Name NVIDIA CUDA, Vendor NVIDIA Corporation
OpenCL: Auto Selecting Best Platform
OpenCL: Using Platform: 0
OpenCL: Using Work Group Size: 1024
Wallet Type: btcrpass.WalletBlockchain
Wallet difficulty: 5,000 PBKDF2-SHA1 iterations
Counting passwords ...
Done
2022-01-11 08:40:37 : Using 2 worker threads
275224793 of 296110434 [###########################---] 10:53:17, ETA: 0:49:34
Password found: '#######'
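The number that decides whether a week is enough is the one btcrecover prints as the wallet difficulty: 5,000 PBKDF2-SHA1 iterations per candidate. The following is an added example, not code from this newsletter or from btcrecover: it derives the throughput implied by the progress line above, projects how long larger candidate lists take at that rate, and shows how the same search rescales if the wallet's KDF used a higher iteration count. The salt and key length used for the local timing are constructed for the benchmark and are not the real wallet layout, and the 600,000-iteration figure is an illustrative value in the range current PBKDF2 guidance recommends. The timing run uses hashlib on the CPU, which is much slower than the OpenCL path above; it only demonstrates that cost grows linearly with the iteration count.

```python
import hashlib
import time


def pbkdf2_sha1_key(password: str, salt: bytes, iterations: int) -> bytes:
    """One password check: the PBKDF2-SHA1 derivation btcrecover reports for this wallet type.
    Salt and key length are constructed for the benchmark, not the wallet's real layout."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Measure the cost of one candidate password on this CPU at a given iteration count."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for i in range(samples):
        pbkdf2_sha1_key(f"candidate-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def parse_elapsed(hms: str) -> int:
    """'H:MM:SS' as printed in the progress bar -> seconds."""
    hours, minutes, seconds = (int(part) for part in hms.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def guesses_per_second(done: int, elapsed_hms: str) -> float:
    """Throughput implied by a progress line such as '275224793 of 296110434 [...] 10:53:17'."""
    return done / parse_elapsed(elapsed_hms)


def search_hours(candidates: int, rate: float) -> float:
    """Wall-clock hours to exhaust a candidate list at the given guesses per second."""
    return candidates / rate / 3600


def rescaled_hours(hours: float, old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 cost is linear in the iteration count, so search time scales by the same ratio."""
    return hours * new_iterations / old_iterations


if __name__ == "__main__":
    rate = guesses_per_second(275224793, "10:53:17")  # figures from the progress line above
    batch = search_hours(296110434, rate)
    print(f"implied rate: {rate:,.0f} guesses/s; this 296M batch: {batch:.1f} h")
    print(f"one billion candidates at that rate: {search_hours(1_000_000_000, rate):.1f} h")
    # Same hardware and list, but a wallet KDF with 600,000 instead of 5,000 iterations:
    print(f"same batch at 600k iterations: {rescaled_hours(batch, 5_000, 600_000) / 24:.0f} days")
    # Local CPU sanity check: cost per guess grows linearly with the iteration count.
    for it in (5_000, 50_000):
        print(f"{it:>7} iterations: {seconds_per_guess(it) * 1000:.2f} ms per guess on this CPU")
```

The implied rate works out to roughly 7,000 guesses per second, which is why a low iteration count plus a well-chosen token list is a matter of days; the same batch against a KDF with 120x the iterations would take the equivalent of almost four years on the same card, before any change to the password itself.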
David Veksler ₿🔑👌
@WSJ In the 1980's, CPI included home prices and didn't have nonsense like "hedonic adjustments." If we used the same CPI metric today, inflation would be 12-15%. With nearly $30 trillion in debt and 0 interest rates, today's situation is far worse.
David Veksler

The Bitcoin Consultancy (Formerly WalletRecovery.info)
A weekly newsletter about the history, finance, and technology behind Bitcoin.
