Elcomsoft Phone Breaker Update: Improved iCloud Acquisition, Two-Factor Authentication and Stronger Brute Force

December 17th, 2014 by Vladimir Katalov
Category: «Clouds», «Did you know that...?», «Elcomsoft News», «Software», «Tips & Tricks»

We are excited to announce an update to one of our oldest mobile forensic tools, Elcomsoft Phone Breaker. In this release we mostly targeted iCloud acquisition, although we’ve made some changes to the password recovery algorithm targeting iOS offline backups. All in all, the new tool can be used under a wider range of circumstances, squeezes more juice of your existing acceleration hardware and adds support for newest and greatest AMD and NVIDIA boards.

So what exactly has changed in this version?

First, we’ve added support for two-factor authentication and expanded your ability to download from iCloud without Apple ID and password. When it comes to old-school brute force, we managed to nearly double the speed of attacks when recovering passwords to Apple’s offline backups using of your existing NVIDIA boards. Finally, we added support for the latest AMD and NVIDIA boards, enabling you to benefit from yet higher recovery speeds with newest acceleration hardware. But before we cover the new features, let’s have a look at new usage scenarios unlocked by this build of Elcomsoft Phone Breaker.

  • I have a computer that was used to sync with iCloud.
    • Boot it up and extract the binary authentication token. Download data from iCloud.
    • NEW: take the hard drive out or capture a forensic disk image. Mount it on your computer, extract authentication tokens and download data from iCloud.
  • I have the user’s Apple ID and password.
    • Enter user’s credentials into Elcomsoft Phone Breaker. Download data from iCloud.
    • NEW: if two-factor authentication is enabled, you are prompted for additional information (such as a recovery key or a single-use code sent to a trusted device). If you have access to the secondary authentication factor, enter the information into Elcomsoft Phone Breaker and download data from iCloud. The secondary authentication pass is only performed once, as Elcomsoft Phone Breaker saves a reusable binary authentication token for future sessions.
  • I have access to the user’s iCloud account.
    • Download up to three last backups. Complete or real-time selective download options available.
    • NEW: download other files stored in the user’s iCloud account. (Note: iCloud Drive is not currently supported. Support for iCloud Drive is coming in near future).
  • I have a password-protected backup made with iTunes.
    • NEW: Get almost double the speed of password recovery compared to the previous version if you’re using GPU acceleration with NVIDIA boards.
    • NEW: Get even more speed if you use one of the latest GPU acceleration units such as NVIDIA 400/500/600/700/800-series and AMD 5000/6000/7000/R7/R9-series.
  • I have a backup produced with one of the latest versions of iOS 8 or 8.1.
    • NEW: Recover backup password and extract information from the backup file with Elcomsoft Phone Breaker even if the backup is made with the latest version of iOS.
  • I saved a (decrypted) backup file.
    • NEW: You can now view and analyze iCloud and iTunes backups with ElcomSoft’s new product: Elcomsoft Phone Viewer.

Two-Factor Authentication

Apple’s response to recent security outbreaks was further expanding two-step authentication, adding two-factor authentication support for cloud backups. If the user enables two-factor authentication, traditional iCloud acquisition tools such as older versions of Elcomsoft Phone Breaker will fail even if the second authentication factor is, in fact, accessible.

In this release, we’ve made changes to our iCloud acquisition module, allowing to download data from Apple’s cloud storage even if the user enrolled in secure two-factor authentication. Granted, you’ll have to have access to the second authentication factor such as a trusted device or recovery key, but without this change you wouldn’t be able to access any iCloud data at all even if you had all that.


iCloud Acquisition Without Login and Password

As you may know, we’ve recently introduced a way to bypass the login and password authentication when acquiring data from Apple iCloud. We were able to make use of binary authentication tokens obtainable from Mac or Windows PC used to connect to the cloud. The newest release brings this feature one step further, allowing to extract iCloud tokens not only from a live system but also from a stand-alone hard drive or forensic disk image.

iCloud Files

In addition to backups, the updated Elcomsoft Phone Breaker can download files stored in the user’s iCloud account. While iCloud Drive is not currently supported, we are currently working to add support for the new Apple cloud service. Note that there is no email notification sent by Apple when downloading files from iCloud.


At this time, we haven’t yet added iCloud Drive support. As a result, you can access iCloud if at least one of the following conditions is met:

  • The device is running iOS 6 or 7 (before iCloud Drive was released)
  • The device is running iOS 8.x, but the user has not upgraded their account to iCloud Drive (the upgrade is optional as the upgraded account will be only visible to newer versions of iOS and iOS X)

Note that there are no Apple notification emails sent when downloading files from iCloud.

Stronger Brute Force

By carefully optimizing  GPU acceleration algorithms, we were able to nearly double password recovery speeds when using your existing NVIDIA hardware. Even more speed is available if you upgrade to one of the latest boards such as NVIDIA 400/500/600/700/800-series and AMD 5000/6000/7000/R7/R9-series.

Download the Latest Version

You can download the latest version of Elcomsoft Phone Breaker here.