Supporting Apple iCloud Drive and Decrypting Keychains from iCloud

March 12th, 2015 by Vladimir Katalov

As you may already know from our official announcement, we’ve recently updated Elcomsoft Phone Breaker to support Apple accounts upgraded to iCloud Drive and decrypting keychains from iCloud. Considering that one can access files stored in iCloud Drive without any third-party tools, is the update really worth the buzz? Read along to find out!

Before getting to the updated technology, let’s have a look at what Apple iCloud Drive is, and how it’s different from “classic” iCloud.

Apple iCloud

Back in 2011, Apple introduced a cloud storage system they called iCloud. The primary purpose of the cloud-based system was allowing users to automatically back up the content of their iOS devices over a Wi-Fi connection, and to restore those backups wirelessly onto a new device should the user lose or replace their old device. iOS 5 or later was required to use iCloud.

In addition to device backups, iCloud offered a platform for Apple and third-party application developers, enabling them to store and sync application data. Users could store documents, bookmarks, music, camera roll, calendar events, notes, e-books and other types of data.

However, there were major differences and severe limitations compared to “real” cloud storage services such as Dropbox, Box.com, Google Drive or Microsoft OneDrive. There was no way to access device backups stored in iCloud accounts other than restoring the backup onto a newly activated (or factory-reset) iOS device. There was no universal access to application data such as documents and music, either. One could only access these files from an iOS device via the application that originally saved the data.

iCloud Drive

This was changed in 2014 with the release of iCloud Drive. With the release of iOS 8, Apple introduced the ability to store just about any type of data in the cloud. Clients for iOS 8, Windows 7 and later, and OS X Yosemite (10.10) were released, finally enabling access to cloud data from other platforms. In a way, iCloud Drive has become similar to other cloud storage providers… only it’s different.

It’s Different

With Apple’s typical attention to detail, using iCloud Drive is a joy. A client application adds a new drive letter to which the user can simply copy all types of files. That’s it, the sync is completely automatic.


While users can store just about anything in iCloud Drive and use their Windows 7 or Mac OS X computers to access those files, some key areas still remain inaccessible via standard means. iOS backups and stored iOS app data are still stored separately, and Apple still provides no access to that data via any method other than restoring the backup to a new iOS device. There is still no direct access to iCloud files from iOS devices; only an API exists for app developers. This is a key difference between iCloud Drive and other cloud storage services that allow unconditional access to everything uploaded by the user.

As a result, a third-party tool is still needed if you want to download an iOS backup from an iCloud Drive account – just like it used to be with the classic iCloud.

Apple iCloud and iCloud Drive may look similar from the outside, but use different protocols under the hood. For this reason, the upgrade to iCloud Drive is not automatic for those migrating to iOS 8. Instead, iOS users are offered the option to upgrade their iCloud accounts to iCloud Drive when activating a new iOS 8 device or upgrading to the latest version of iOS. Since there is no backward compatibility between iCloud Drive and iOS 7 and earlier, users with a mix of Apple hardware may wish to stay on classic iCloud until all of their iOS devices are running iOS 8.

The Solution

Finally, we arrive at the point. Starting with this release, Elcomsoft Phone Breaker gains the ability to retrieve application data and user-loaded files from user accounts upgraded to iCloud Drive – all that in addition to accessing iOS backups! While this is a short line of news, we spent nearly half a year reverse-engineering the new communication protocols and building code to communicate with iCloud Drive servers. We’ve finally succeeded, and it’s just in time.

Decrypting Keychain from iCloud Backups

It may sound confusing, but we are NOT decrypting iCloud Keychain. So what exactly DO we decrypt in this update? Before we go on to that, let’s have a look at these keychains first.

Keychain is a highly protected system database in iOS that keeps the most sensitive information stored in the device. Both system and third-party apps can use keychain to store protected data such as account passwords, payment information, Wi-Fi and VPN passwords, as well as various tokens and security certificates.

While stored in the device itself, the keychain is encrypted to the highest level available to the combination of hardware and software (iOS version) being used. However, once the keychain is extracted from the device and saved into a backup file, it may use a different protection level and encryption method altogether depending on the type of backup.

If the user creates a password-protected local backup with iTunes, the keychain is encrypted with a key dependent on the user-specified backup password. If you know the original backup password, you can decrypt MOST items stored in the keychain (by using the corresponding “Keychain Explorer” feature in Elcomsoft Phone Breaker).

If, however, a local backup is created without a password, the keychain will be extracted as-is (that is, encrypted with a hardware-dependent key that is unique to a particular device and does not change throughout its life). These keychains can only be restored to the same physical device, and decrypted with the same hardware-dependent decryption key. However, if you do have that key (e.g. extracted via physical acquisition with Elcomsoft iOS Forensic Toolkit), you can decrypt ALL items from that keychain. Do note that there are numerous limitations as to which devices can or cannot be acquired via physical imaging.

Finally, if you have a cloud backup (iCloud), that backup will store the keychain protected with device password (similar to non-password-protected iTunes backups). While the encryption is mostly similar to that used in non-password-protected iTunes backups, some details are different. Therefore, decrypting the keychain extracted from an iCloud backup requires a slightly different approach.

Now that we know the theory, we can go on to the big news: Elcomsoft Phone Breaker can now decrypt all three types of keychains (provided that you have the hardware-dependent key, that is). If you want to decrypt the keychain extracted from an iCloud backup, you will need to extract the ‘securityd’ (0x835) key from the device via physical acquisition. You only need to do it once, and the key can be used for decrypting all future iTunes and iCloud backups made from that device, even if the device is factory-reset.
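The three cases above can be told apart before any decryption is attempted. The following is an added triage example, not code from Elcomsoft Phone Breaker or from the original post; it assumes a local iTunes backup carries a `Manifest.plist` with the `IsEncrypted` flag and a `Lockdown` dictionary, and the function name and sample manifests are constructed for illustration.

```python
import plistlib

# Key protecting the keychain copy per backup type, and how much of it the
# article says can be decrypted with that key (None = not stated there).
PROTECTION = {
    "itunes-password": ("key derived from the backup password", "most items"),
    "itunes-no-password": ("hardware-dependent device key (0x835)", "all items"),
    "icloud": ("hardware-dependent device key (0x835)", None),
}

def classify_backup(manifest_bytes=None, from_icloud=False):
    """Report which key protects the keychain stored in a backup.

    manifest_bytes: raw Manifest.plist of a local backup (XML or binary plist).
    from_icloud:    True when the backup was downloaded from iCloud.
    """
    ios = None
    if from_icloud:
        kind = "icloud"
    else:
        try:
            manifest = plistlib.loads(manifest_bytes)
        except Exception as exc:  # truncated, wrong file, or not a plist
            raise ValueError(f"not a readable Manifest.plist: {exc}") from exc
        if not isinstance(manifest, dict) or "IsEncrypted" not in manifest:
            raise ValueError("Manifest.plist has no IsEncrypted flag")
        kind = "itunes-password" if manifest["IsEncrypted"] else "itunes-no-password"
        lockdown = manifest.get("Lockdown")
        if isinstance(lockdown, dict):
            ios = lockdown.get("ProductVersion")
    key, coverage = PROTECTION[kind]
    return {"kind": kind, "ios": ios, "key_needed": key, "decryptable": coverage}

if __name__ == "__main__":
    # Constructed sample manifests, not taken from a real device.
    protected = plistlib.dumps(
        {"IsEncrypted": True, "Lockdown": {"ProductVersion": "8.2"}})
    unprotected = plistlib.dumps({"IsEncrypted": False}, fmt=plistlib.FMT_BINARY)
    for result in (classify_backup(protected),
                   classify_backup(unprotected),
                   classify_backup(from_icloud=True)):
        print(result)
```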

This is the Future

According to Apple, more than 72% of its users have already migrated to iOS 8, gaining the possibility to upgrade their iCloud service to iCloud Drive. However, there is no data available about how many users have actually switched their iCloud service to iCloud Drive. Still, since this is a one-way process (Apple provides no way of downgrading an iCloud Drive account to classic iCloud), we expect more users to migrate to the new cloud storage.

Make sure to update your copy of Elcomsoft Phone Breaker to the latest release to be able to access the growing number of iCloud Drive accounts. Existing customers can download an update from the product page: https://www.elcomsoft.com/epb.html


61 Comments on "Supporting Apple iCloud Drive and Decrypting Keychains from iCloud"

Tom
Guest

Help please
I just ordered eppb pro. I downloaded the backups. And it’s very difficult to view.
For example I cannot view sms folder. And there’s no program on the web to open it.
Also for photos there’s hundreds if not thousands of folders I have to try and go through just to see one photo.
Could you please help me by making this process simpler? Or how to make it simpler?
Thank you.

Van Thuong
Guest

is no way be icloud on iphone unlocking 5….
thanks

Tom
Guest

So basically for eppb to work, I would have needed to purchase two programs?

tungkick
Guest

Can find password icloud Iphone 6 8.2 right?
pls help me

ku
Guest

“” No, our software cannot help to break/recover password to Apple ID. “”
if you can , Engineer of Apple will retired forever

Selfish
Guest

After the update I keep getting an “Invalid update_account_ui response format”, why am I getting that? I can’t access my backup!!

sqbily
Guest

Do I understand this correctly? If I have an encrypted iTunes or iCloud backup, I don’t need physical access to the phone in order to extract the passwords from the keychain backup?

black
Guest

Hello,
I can’t see/download any iOS 9 iCloud backup. Why?
Thanks!

Fortunata
Guest

Hello,
Is there a target date, when a new version of EPB will be available?

Fortunata
Guest

Thanks for the quick response.

Help
Guest

Homepage says ios9 is now supported but there’s no new release available for download. Am I missing something?

Administrator
Admin

We’re sorry for incorrect description (will fix it immediately). This feature will be available in next version (in the beginning of November).

jamjame
Guest

I had the old version of eppb, and I just within the last couple weeks purchased the newest one also (thinking i needed it for ios9). will I have to buy the new version once ios9 is supported?

Vladimir Katalov
Guest

Jamjame,

Of course not – the license is valid for a year after purchase, so you will get iOS 9 support at no additional cost. The new version is on the way, testing the release candidate now – so hopefully we will get it next week.

Steve Jobs
Guest

Hey Vladimir,

When I try to run the newest version of EPPB I get the error: “Could not start Elcomsoft Phone Password Breaker. There is no access to C:\Program Files (x86)\Elcomsoft Password Recovery\Elcomsoft Phone Password Breaker\EPBMain.exe”

Version 3.21 works fine though. I’m running Windows 8.1.

Christina
Guest

Can you provide expected date , when new version will be available ?

Vladimir Katalov
Guest

Steve Jobs,

The error is about missing Visual Studio runtime. Just download and install the following package:

http://www.microsoft.com/en-us/download/details.aspx?id=5582

In next version, we will take these dependencies out 🙂

Vladimir Katalov
Guest

Christina,

The new version is scheduled for this Thursday (Oct 29th).

black
Guest

great news!

Christina
Guest

(y)

Christina
Guest

Hey,

As you confirmed that new version will release on Oct 29th , so please update is this release or not ? As still the old version is available on your website . Waiting for your response 🙂

Thanks

Vladimir Katalov
Guest

Christina,

Version 5.0 with iOS 9 support has been released just about a half an hour ago 🙂

Christina
Guest

Great!!! thanks 🙂

John
Guest

Downloaded new version but it says I require icloud 4.0 or higher, which I have. Icloud can see that there are updated backups but EPPB still cannot. Is there something I am doing wrong?

Cory
Guest

When will IOS 9 for Mac be supported?

Lou
Guest

So the latest version with iOS 9 support is only available for Windows currently? That’s a bummer, I was looking forward to this update.

Don
Guest

John, I was getting the same message when I had control panel 4.01 installed. So I went and downloaded the newest iCloud panel (5.0), rebooted and tried again. Still getting the same message, and backups are not showing up even though I know they are there. Help us Master Vladimir!

Vladimir Katalov
Guest

John, Don – we will double-check that, it seems that it’s just a problem in our version verification code.

As for the Mac version – sorry for the delay, it is related to serious changes in El Capitan. There is no ETA yet, but hopefully we will complete it in 2-3 weeks.

Vladimir Katalov
Guest

Those who have problems with “iCloud for Windows” version – please contact me directly at v.katalov@elcomsoft.com with the following information:

1. Your operating system version (Windows 7/8/8.1/10 or Windows Server), and whether it is 32-bit or 64-bit.

2. The version of the following file:

C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloud.exe

Browse for it in Explorer, right-click, select [Properties], switch to [Details] tab, and look for the following fields:

– File version
– Product version

Thanks beforehand, and sorry for the inconvenience!

Don
Guest

Is there any update on when the control panel 4.0 error might be fixed?

Don
Guest

Are there quite a few people still having the “icloud 4.0 or higher required” error or is it just a select few of us?

Vladimir Katalov
Guest

Don,

We have received 4-5 complaints so far. The problem seems to be related to one of the Windows system functions that may return an incorrect path (on 64-bit systems only) to the folder where iCloud for Windows is located. An update will be released on Monday or Tuesday, sorry for the inconvenience!

Don
Guest

Curse you 64 bit!! I figured it was not something widespread or there would have been more people talking about it. I will wait for the update. Thank you for the follow up.

John
Guest

The update didn’t fix the problem for me but hopefully did for other people.

Don
Guest

Unfortunately did not work for me as well. I will send the new log too

anthony
Guest

did not work for me either

Don
Guest

Vladimir, I know the registration limits us to one PC, but for those of us still having the issue would it cause a problem to uninstall and then reinstall on a different PC that is running 32 bit?

Vladimir Katalov
Guest

Sorry guys — yes, the fix does not seem to be complete — many users still experiencing the same problem. Working hard to resolve this issue.

Don, there is no problem using EPB on the different (second) computer. You do not even have to uninstall it from the old one; in fact, the license allows you to use the product on as many computers as you have (assuming that you are the only user).

Don
Guest

Just if anyone else was thinking about trying to upgrade to windows 10 to correct, don’t bother. Was getting frustrated waiting for this to be fixed and updated to 10 to see if it would fix, but still gives the same error. Fortunately did a full backup so can go back to windows 7, but wanted to let everyone else know if someone else was considering trying it.

tom
Guest

Is there any update to fix this issue with 64-bit Windows 10? It’s been almost a month and it’s still not working

Cory
Guest

Any idea when the update for Mac will be released?

Vladimir Katalov
Guest

We have finally located (and fixed) the problem, sorry again. EPB 5.10 (for both Windows and OS X) will be released later this week, sorry again for the delay!

xpert104
Guest

How do you find the “Security Key” for your iphone?

Ehsan Khan
Guest

Hi, I tried inputting my username and pass. But I get the error:

Invalid account setting urls

what should i do with this?

Shah
Guest

I am getting error “Error occured during keychain decrypting: Unable to open file” while trying to explore keychain
