Elcomsoft Wireless Security Auditor Gets Wi-Fi Sniffer

December 1st, 2016 by Oleg Afonin

We released a major update to Elcomsoft Wireless Security Auditor, a tool for corporate customers to probe wireless network security. Major addition in this release is the new Wi-Fi sniffer, which now supports the majority of general-use Wi-Fi adapters (as opposed to only allowing the use of a dedicated AirPCap adapter). The built-in Wi-Fi sniffer is a component allowing the tool to automatically intercept wireless traffic, save Wi-Fi handshake packet and perform an accelerated attack on the original WPA/WPA2-PSK password.

So what exactly has changed in the new release? Let’s have a look at the following block diagram:


As you can see, previous versions of Elcomsoft Wireless Security Auditor (EWSA) required the use of a dedicated AirPCap adapter, a dedicated device that costs around $300.


Source: http://www.riverbed.com/products/steelcentral/steelcentral-riverbed-airpcap.html

While using dedicated hardware built specifically for sniffing Wi-Fi traffic is “the right thing to do” (if you’re serious about auditing multiple networks, we still recommend buying one), many of our customers found the whole setup overly complicated. The need to purchase an additional piece of hardware, install and configure drivers was enough of a roadblock for many.

We worked hard to remove this complication. That’s why the new version of Elcomsoft Wireless Security Auditor now includes a brand new Wi-Fi sniffer. While we are keeping AirPCap support, we built a new sniffing module that works with just about any Wi-Fi adapter thanks to the use of our own custom NDIS and AirPCap drivers.


As you can see, we added a custom AirPCap driver stack as well as a custom NDIS driver. We built those for all 32-bit and 64-bit Windows systems from Windows 7 to Windows 10 (sorry folks, no XP support. Use on your own risk on Vista PCs).

With this new Wi-Fi sniffer, Elcomsoft Wireless Security Auditor becomes a true all-in-one tool for probing security of wireless networks that requires no extra hardware. Just set it up on a laptop (preferably, one equipped with NVIDIA graphics), bring it to a proximity of a Wi-Fi network and run the tool.


The Network Driver Interface Specification (NDIS) is an open-source API for network interface cards. The NDIS driver abstracts the network hardware from network drivers, acting as the interface between the MAC sublayer and the network layer.

Your network adapter already comes with a NDIS driver. Standard NDIS drivers do not support intercepting Wi-Fi packets, and, in general, do not allow for W-Fi sniffing. For this reason, we built a custom NDIS driver conforming to NDIS 6.0 specification to implement the ability to intercept individual Wi-Fi packets.


Our driver can intercept wireless traffic from all Wi-Fi networks operating on a certain Wi-Fi channel. Once you select a certain Wi-Fi network, EWSA will start monitoring its traffic waiting for a new device to connect. Once a new device connects to that wireless network, the device sends a handshake packet to the access point. The handshake packet contains hashed password. We intercept the handshake packet, extract the password hash, and run an attack on that hash in order to recover the original password.



If adding a custom NDIS driver and writing a custom AirPCap library does the trick, why is not everyone doing it? Why the extra hassle and expense of buying a ‘proper’ AirPCap adapter? The thing is AirPCap devices are designed to do one thing: Wi-Fi sniffing. On the other hand, your existing Wi-Fi adapter may or may not work depending on many things such as the make, model and age of the adapter and its driver version. In other words, not every Wi-Fi adapter will work as a sniffer, while every AirPCap adapter most certainly will. Having said that, we tested Elcomsoft Wireless Security Auditor 7.0 with a wide range of modern and reasonably recent Wi-Fi adapters and were delighted to find that the majority of recently made adapters work with no issues. After all, our goal is not full-time Wi-Fi sniffing; all we need is a handshake.

NVIDIA Pascal Support

We have also updated Elcomsoft Wireless Security Auditor with new GPU acceleration libraries supporting NVIDIA’s newest architecture, the NVIDIA Pascal. Cards based on this architecture (GTX 1070, GTS 1080 and other 1000-series boards) can break Wi-Fi passwords at least twice as fast as 900-series boards of previous generation.

Acquisition of a Locked iPhone with a Lockdown Record

November 28th, 2016 by Oleg Afonin

The previous article was about the theory. In this part we’ll go directly to practice. If you possess a turned on and locked iOS device and have no means of unlocking it with either Touch ID or passcode, you may still be able to obtain a backup via the process called logical acquisition. While logical acquisition may return somewhat less information compared to the more advanced physical acquisition, it must be noted that physical acquisition may not be available at all on a given device.

Important: Starting with iOS 8, obtaining a backup is only possible if the iOS device was unlocked with a passcode at least once after booting. For this reason, if you find an iPhone that is turned on, albeit locked, do not turn it off. Instead, isolate it from wireless networks by placing it into a Faraday bag, and do not allow it to power off or completely discharge by connecting it to a charger (a portable power pack inside a Faraday bag works great until you transfer the device to a lab). This will give you time to searching user’s computers for a lockdown record.

Read the rest of this entry »

Forensic Implications of iOS Lockdown (Pairing) Records

November 25th, 2016 by Oleg Afonin

In recent versions of iOS, successful acquisition of a locked device is no longer a given. Multiple protection layers and Apple’s new policy on handling government requests make forensic experts look elsewhere when investigating Apple smartphones.

In this publication, we’ll discuss acquisition approach to an iOS device under these specific circumstances:

  1. Runs iOS 8.x through 10.x
  2. When seized, the device was powered on but locked with a passcode and/or Touch ID
  3. Device was never powered off or rebooted since it was seized
  4. Does not have a jailbreak installed and may not allow installing a jailbreak
  5. Investigators have access to one or more computers to which the iOS device was synced (iTunes) or trusted (by confirming the “Trust this PC” pop-up on the device) in the past

While this list may appear extensive and overly detailed, in real life it simply means an iPhone that was seized in a screen-locked state and stored properly in its current state (i.e. not allowed to power down or reboot). If this is the case, we might be able to access information in the device by using a so-called lockdown file, or pairing record. This record may be available on the suspect’s home or work PC that was either used to sync the iOS device with iTunes or simply used for charging if the suspect ever tapped “OK” on the “Trust this PC” pop-up. Read the rest of this entry »

“We take privacy very seriously” – Apple, we do not buy it, sorry

November 18th, 2016 by Vladimir Katalov

Good news: Apple has officially responded.

Bad news: We don’t buy it. Their response seems to address a different issue; worse, some of the reporters just quoted what Apple said without real understanding of the actual issue. So let’s try to follow the story step by step.

Apple has an option to back up phone data to iCloud. Doing that for many years now. On our side, we have a feature to download iCloud backups. The feature has been there for years, too. We are also able to download everything from iCloud Drive (including data belonging to third-party apps, something that is not available by standard means). We can download media files from iCloud Photo Library (and by the way, we discovered that they were not always deleted, see iCloud Photo Library: All Your Photos Are Belong to Us). Then we started to research how iOS devices sync data with iCloud, and discovered that Apple stores more than they officially say. All iOS versions allow users to choose which bits of data are to be synced – such as contacts, notes, calendars and other stuff. Here is a screen shot from iCloud settings captured on iPhone running iOS 10:


Read the rest of this entry »

iOS Call Syncing: How It Works

November 17th, 2016 by Vladimir Katalov

In our previous article, we figured that iPhone call logs are synced with iCloud. We performed multiple additional tests to try to understand exactly how it works, and are trying to guess why. Read the rest of this entry »

iPhone User? Your Calls Go to iCloud

November 17th, 2016 by Oleg Afonin

iCloud sync is everywhere. Your contacts and calendars, system backups and photos can be stored in the cloud on Apple servers. This time, we discovered that yet another piece of data is stored in the cloud for no apparent reason. Using an iPhone and have an active iCloud account? Your calls will sync with iCloud whether you want it or not. In fact, most users we’ve heard from don’t want this “feature”, yet Apple has no official way to turn off this behavior other than telling people “not using the same Apple ID on different devices”. What’s up with that? Let’s try to find out.

Why It Matters

Ever since the release of iOS 8, Apple declines government requests to extract information. According to Apple, “On devices running iOS 8 and later versions, your personal data is placed under the protection of your passcode. For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.”

So far, we had no reasons to doubt this policy. However, we’ve seen Apple moving more and more data into the cloud. iCloud data (backups, call logs, contacts and so on) is very loosely protected, allowing Apple itself or any third party with access to proper credentials extracting this information. Information stored in Apple iCloud is of course available to law enforcement. Read the rest of this entry »

Our First Book is Officially Out

October 10th, 2016 by Oleg Afonin

Today we are super excited: our first book on mobile forensics just got published! The book is called “Mobile Forensics – Advanced Investigative Strategies”, and is about everything you need to successfully acquire evidence from the widest range of mobile devices. Unlike most other books on this subject, we don’t just throw file names or hex dumps at your face. Instead, we discuss the issues of seizing mobile devices and preserving digital evidence before it reaches the lab; talk about acquisition options available in every case, and help you choose the correct acquisition path to extract evidence with least time and minimal risk.


We used our years of expertise in researching and building forensic tools to help our readers better understand the acquisition process. We aimed our book at specialists with beginner to intermediate knowledge of mobile forensics. We did our best to make it a perfect learning and reference tool.
This book is about strategies and tools. We do believe in tools, but we also believe that even the best tool is useless if you don’t have clear understanding on what you are doing, and why. It’s not just about ElcomSoft products: we talk about a wide range of forensic tools covering most mobile devices.

The book is officially out. You are welcome to get your copy by ordering from PACKT Publishing or Amazon.

Elcomsoft Cloud Explorer: Extracting Call Logs and Wi-Fi Passwords

October 3rd, 2016 by Oleg Afonin

Google is pushing Android to make it a truly secure mobile OS. Mandatory encryption and secure boot make physical acquisition of new Android devices a dead end.

While securing physical devices against all types of attacks, Google continues moving stuff into the cloud. Interestingly, these activities no longer coincide with Android releases; Google can add cloud features later in the production cycle by updating Google Services on the user’s Android device. One such updated added the ability to sync call logs between Android devices by uploading data into the user’s Google Drive account. We researched the protocol and added the ability to extract synced call logs to Elcomsoft Cloud Explorer 1.20. This cloud acquisition could be the only way to extract call logs since all Android devices since Android 6.0 are shipped with full-disk encryption out of the box.

Read the rest of this entry »

iOS 10: Security Weakness Discovered, Backup Passwords Much Easier to Break

September 23rd, 2016 by Oleg Afonin

We discovered a major security flaw in the iOS 10 backup protection mechanism. This security flaw allowed us developing a new attack that is able to bypass certain security checks when enumerating passwords protecting local (iTunes) backups made by iOS 10 devices.

The impact of this security weakness is severe. An early CPU-only implementation of this attack (available in Elcomsoft Phone Breaker 6.10) gives a 40-times performance boost compared to a fully optimized GPU-assisted attack on iOS 9 backups.

What’s It All About?

When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.

This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the ‘new’ password verification method exists in parallel with the ‘old’ method, which continues to work with the same slow speeds as before.

By exploiting the new password verification mechanism, we were able to support it in our latest update, Elcomsoft Phone Breaker 6.10. Since this is all too new, there is no GPU acceleration support for the new attack. However, even without GPU acceleration the new method works 40 times faster compared to the old method *with* GPU acceleration. Read the rest of this entry »

Breaking FileVault 2 Encryption Through iCloud

August 29th, 2016 by Oleg Afonin

FileVault 2 is a whole-disk encryption scheme used in Apple’s Mac OS X using secure XTS-AES encryption to protect the startup partition. Brute-forcing your way into a crypto container protected with a 256-bit key is a dead end.

FileVault 2 volumes can be unlocked with a password to any account with “unlock” privileges. We have tools (Elcomsoft Distributed Password Recovery) that can brute-force user passwords, which can also unlock the encrypted volume. However, this is still not easy enough and not fast enough. The result is not guaranteed either.

Today we’ll talk about decrypting FileVault 2 volumes without lengthy attacks by using FileVault 2 escrow keys extracted from the user’s iCloud account.

Read the rest of this entry »

RSS for posts
RSS for comments
ElcomSoft on Facebook
ElcomSoft on Flickr
ElcomSoft on Twitter