Elcomsoft Phone Breaker Update: Improved iCloud Acquisition, Two-Factor Authentication and Stronger Brute Force

December 17th, 2014 by Vladimir Katalov

We are excited to announce an update to one of our oldest mobile forensic tools, Elcomsoft Phone Breaker. In this release we mostly targeted iCloud acquisition, although we’ve made some changes to the password recovery algorithm targeting iOS offline backups. All in all, the new tool can be used under a wider range of circumstances, squeezes more juice of your existing acceleration hardware and adds support for newest and greatest AMD and NVIDIA boards.

So what exactly has changed in this version?

First, we’ve added support for two-factor authentication and expanded your ability to download from iCloud without Apple ID and password. When it comes to old-school brute force, we managed to nearly double the speed of attacks when recovering passwords to Apple’s offline backups using of your existing NVIDIA boards. Finally, we added support for the latest AMD and NVIDIA boards, enabling you to benefit from yet higher recovery speeds with newest acceleration hardware. But before we cover the new features, let’s have a look at new usage scenarios unlocked by this build of Elcomsoft Phone Breaker.

  • I have a computer that was used to sync with iCloud.
    • Boot it up and extract the binary authentication token. Download data from iCloud.
    • NEW: take the hard drive out or capture a forensic disk image. Mount it on your computer, extract authentication tokens and download data from iCloud.
  • I have the user’s Apple ID and password.
    • Enter user’s credentials into Elcomsoft Phone Breaker. Download data from iCloud.
    • NEW: if two-factor authentication is enabled, you are prompted for additional information (such as a recovery key or a single-use code sent to a trusted device). If you have access to the secondary authentication factor, enter the information into Elcomsoft Phone Breaker and download data from iCloud. The secondary authentication pass is only performed once, as Elcomsoft Phone Breaker saves a reusable binary authentication token for future sessions.
  • I have access to the user’s iCloud account.
    • Download up to three last backups. Complete or real-time selective download options available.
    • NEW: download other files stored in the user’s iCloud account. (Note: iCloud Drive is not currently supported. Support for iCloud Drive is coming in near future).
  • I have a password-protected backup made with iTunes.
    • NEW: Get almost double the speed of password recovery compared to the previous version if you’re using GPU acceleration with NVIDIA boards.
    • NEW: Get even more speed if you use one of the latest GPU acceleration units such as NVIDIA 400/500/600/700/800-series and AMD 5000/6000/7000/R7/R9-series.
  • I have a backup produced with one of the latest versions of iOS 8 or 8.1.
    • NEW: Recover backup password and extract information from the backup file with Elcomsoft Phone Breaker even if the backup is made with the latest version of iOS.
  • I saved a (decrypted) backup file.
    • NEW: You can now view and analyze iCloud and iTunes backups with ElcomSoft’s new product: Elcomsoft Phone Viewer.

Two-Factor Authentication

Apple’s response to recent security outbreaks was further expanding two-step authentication, adding two-factor authentication support for cloud backups. If the user enables two-factor authentication, traditional iCloud acquisition tools such as older versions of Elcomsoft Phone Breaker will fail even if the second authentication factor is, in fact, accessible.

In this release, we’ve made changes to our iCloud acquisition module, allowing to download data from Apple’s cloud storage even if the user enrolled in secure two-factor authentication. Granted, you’ll have to have access to the second authentication factor such as a trusted device or recovery key, but without this change you wouldn’t be able to access any iCloud data at all even if you had all that.

epb_2fa

iCloud Acquisition Without Login and Password

As you may know, we’ve recently introduced a way to bypass the login and password authentication when acquiring data from Apple iCloud. We were able to make use of binary authentication tokens obtainable from Mac or Windows PC used to connect to the cloud. The newest release brings this feature one step further, allowing to extract iCloud tokens not only from a live system but also from a stand-alone hard drive or forensic disk image.

iCloud Files

In addition to backups, the updated Elcomsoft Phone Breaker can download files stored in the user’s iCloud account. While iCloud Drive is not currently supported, we are currently working to add support for the new Apple cloud service. Note that there is no email notification sent by Apple when downloading files from iCloud.

epb_files

At this time, we haven’t yet added iCloud Drive support. As a result, you can access iCloud if at least one of the following conditions is met:

  • The device is running iOS 6 or 7 (before iCloud Drive was released)
  • The device is running iOS 8.x, but the user has not upgraded their account to iCloud Drive (the upgrade is optional as the upgraded account will be only visible to newer versions of iOS and iOS X)

Note that there are no Apple notification emails sent when downloading files from iCloud.

Stronger Brute Force

By carefully optimizing  GPU acceleration algorithms, we were able to nearly double password recovery speeds when using your existing NVIDIA hardware. Even more speed is available if you upgrade to one of the latest boards such as NVIDIA 400/500/600/700/800-series and AMD 5000/6000/7000/R7/R9-series.

Download the Latest Version

You can download the latest version of Elcomsoft Phone Breaker here.

Tags: , , , , , ,

Sign up for free ElcomSoft Password Recovery Software newsletter

22 Responses to “Elcomsoft Phone Breaker Update: Improved iCloud Acquisition, Two-Factor Authentication and Stronger Brute Force”

  1. Vongsavanh says:

    have a good day , i would like to unlock my iphone 5 please send me ElcomSoft Password

    Recovery Software to my email: boualavong.vongsavanh@aol.com, many thanks in advance

    Best Regards

  2. M'boungou says:

    bonjour mon grand problème est de supprimé le compte icloud qui bloque mon Iphone 6 et avoir plus des explication

  3. Vongsavanh,

    What kind of lock do you mean — passcode protection or iCloud Activation Lock?

  4. M’boungou,

    Sorry, it is not technically possible.

  5. MrSmith says:

    If the account does not have 2FA turned on, does Apple send an email to the address associated with the iCloud account when a backup is restored using EPPB? I have read it does but also read that it’s only when restoring to another Apple device.

  6. MrSmith,

    Yes, now (starting from September 2014) Apple always send a notification to the account owner — whether you restore the device from backup or download backup using EPB, and regardless whether 2FA is enabled or not.

  7. Scott says:

    Hi vladimir. Today I got a strange message. It says I have a trial version and that “license is not valid for requested operation”. I do not have a trial version. Is there some kind of maximum time you can use a license? It’s about a year old.

    Thanks

  8. Scott,

    Could you please contact our tech support team, quoting your product registration code or order ID?

  9. claudia says:

    I have iCloud password but not if the iphone is done you sync with a computer … this official way the program?

  10. Claudia,

    Sorry, not sure that I understand your question. Could you please describe your problem in details? Best of all, please create a ticket in our online support system. You can write in English, Russian or German.

  11. DarkSKY.R says:

    good day to you sr. hope that this message can get your attention . i got my iphone 5 lock and i forgot the icloud account it is pasible to bypass may phone ?? I only have is my ID. 🙂 hope that you can help me regarding this issue . GOOD DAY AGAIN AND GODBLESS

  12. Sorry, if the device uses ‘Activation lock’ but password is not know, only Apple itself can unlock it (you will have to provide proof of purchase, though).

  13. Van Thuong says:

    I have a Ip5. it is lock iloud.
    Can you help me?
    Thanks

  14. Van,

    Sorry, no. Activation records are stored on Apple servers and cannot be modified without valid password to Apple ID.

  15. Mauricio says:

    Que tal, pueden pasarme el REGISTRATION CODE PORFAVOR, se los agradeceria mucho, gracias.

  16. Mauricio,

    You can buy our software right from our web site, and so get the registration code.

  17. Jerry says:

    Hallo ,i have iphone 5 with FMI ON ,i cant turn it off becouse i cant remember the password how can i find the password from the backup ?

  18. James says:

    Hi,

    Is there any way that I can download an older version of EPPB? The version that was released in Dec 17th 2014?

  19. James,

    Yes, if you are registered user — just enter your registration code here:

    http://www.elcomsoft.com/key.html

  20. James says:

    Thank you Vladimir. Unfortunately I do not own a copy of EPPB. I am a programmer myself so I had wanted to download a trial of a previous version so that I could get an idea of how it works. Is this possible?

  21. James,

    Sorry, you can only download the latest version now. But to understand how it works, you can look into one of our presentations on iCloud, for example:

    http://www.youtube.com/watch?v=NHJZx-thHOE

Leave a Reply