Elcomsoft Phone Password Breaker and Elcomsoft iOS Forensic Toolkit have been around for a while, acquiring user information from physical iPhone/iPad devices or recovering data from user-created offline backups. Both tools required the investigator to have access to the device itself, or at least accessing a PC with which the iOS device was synced at least once. This limited the tools’ applications to solving the already committed crime, but did little to prevent crime that’s just being planned.
The new addition to the family of iOS acquisition tools turns things upside down. Meet updated Elcomsoft Phone Password Breaker – a tool that can now retrieve information from suspects’ phones without them even noticing. The newly introduced attack does not need investigators to have access to the phone itself. It doesn’t even require access to offline backups produced by that phone. Instead, the new attack targets an online, remote storage provided by Apple. By attacking a remote storage, the updated tool makes it possible watching suspects’ iPhone activities with little delay and without alerting the suspects. In fact, the tool can retrieve information from the online storage without iPhone users even knowing, or having a chance to learn about the unusual activity on their account.
How It Works
First and foremost, there’s no magic. We still need the user’s original Apple ID and password to access their iCloud information. If Apple ID and password are not known or no longer valid (e.g. user changed the password), Phone Password Breaker will be unable to retrieve information from iCloud.
In order to understand how the whole thing works, let’s look how iPhone backups work.
When it comes to backing up their devices, iPhone users have choices. The backup can be stored locally on their PC. It can also be uploaded into a dedicated cloud storage managed by Apple Inc. Apple introduced iCloud in June, 2011. The new service allows iOS users backing up the content of their devices to a remote location. By doing that, the users get an additional benefit of being able to share their files between multiple iOS devices such as an iPhone and an iPad. Using iCloud is as simple as selecting a check box when setting up an iOS device, which is the reason an estimated 125 million Apple customers are using iCloud as of April 2012.
iCloud backups hold essentially the same information as stored in offline backups, which includes accounts and passwords , call logs and text messages, calendars, appointments, contacts and organizer information . Pictures and Web browsing history including URLs of recently visited sites are also included.
When configured to use the iCloud service, iPhones automatically connect to iCloud network and backup their content every time a docked device gets within the reach of a Wi-Fi access point. iCloud backups are incremental, which means that the uploading may take a while during the first backup, but will work blazing fast for each subsequent backup. This is to say, iCloud backups represent a fresh, near real-time copy of information stored in iPhone devices, including information about recently made and received calls, sent and received text and email messages. This is the type of information that can be used to monitor and prevent criminal activities, and exactly the reason that data can be essential for investigators and other forensic customers.
ElcomSoft researchers analyzed the communication protocol connecting iPhone users with Apple iCloud, and were able to emulate the correct commands in order to retrieve the content of iOS users’ iCloud storage. It’s important to note that, unlike offline backups that may come encrypted and must be broken into (a time-consuming operation), data retrieved from iCloud is received in plain, unencrypted form . The 5GB of storage space can be retrieved in reasonable time, while receiving incremental updates is even faster. The ability to retrieve iCloud backups is now part of Elcomsoft Phone Password Breaker. Existing customers are welcome to upgrade.
Read the official press-release on ElcomSoft breaking into Apple iCloud backups.
Sign up for EPPB webinar! http://www.elcomsoft.com/webinars.html
In this one-hour webinar scheduled for June we will demonstrate EPPB in action and answer all your questions online.