Elcomsoft Phone Breaker 5.20: Direct iCloud Access and iOS 9.3 Support

February 4th, 2016 by Oleg Afonin
Category: «General»

Apple is currently testing a new major iOS release, iOS 9.3. At this time, the second beta version is available. We looked into what has changed in the new OS and discovered that iOS 9.3 introduces some minor changes to the encryption of certain data stored in cloud backups. However minor, these changes effectively prevented older versions of Elcomsoft Phone Breaker from decrypting the data, which made us release an update ASAP. In addition, we were able to discover and fix the issue with some iOS 9.2 backups not decrypting properly (which wasn’t easy, since the issue was intermittent). Finally, we got rid of the requirement to have iCloud for Windows installed, as Elcomsoft Phone Breaker shifts to using a direct access API.

In short, we have now updated Elcomsoft Phone Breaker to fully support the new encryption mechanisms used in iOS 9.3 iCloud backups. In addition, we fixed the ongoing issue some of our users were experiencing when accessing iCloud backups produced by iOS 9.2.

Direct Access API: iCloud for Windows No Longer Required

Elcomsoft Phone Breaker 5.20 introduces a new, in-house standalone API to download information from iCloud and iCloud Drive. Since iOS 9, Elcomsoft Phone Breaker has required users to install iCloud for Windows in order to download cloud backups. Accessing files via the “Download files from iCloud” feature required iCloud for Windows as well. This was not the case for older versions of iOS: iOS 8.x backups could be downloaded without iCloud for Windows. In Elcomsoft Phone Breaker 5.20, we were able to develop a new set of stand-alone APIs.

You no longer have to install iCloud for Windows in order to be able to download cloud backups produced by iOS 9 and newer and use the “Download files from iCloud” feature. This, in particular, allows Elcomsoft Phone Breaker to be used on computers running Microsoft Windows Server, where iCloud for Windows could not be installed.

This new design has a nice side effect. The Mac version of Elcomsoft Phone Breaker can now extract iOS 9.x backups and access files stored in iCloud Drive even if you use the tool on a very old version of Mac OS X (10.9 and older).

A Word on Authentication Tokens

After the 2014 iCloud hack affecting celebrities’ photos, Apple reacted by tightening iCloud security. In particular, the company made binary authentication tokens expire after a short while. Since then, it has no longer been possible to download iCloud system backups using an expired token. The tokens expired in a matter of hours, which limited their use severely.

In iOS 9, Apple moved iOS backups from ‘classic’ iCloud into the new iCloud Drive. iCloud Drive tokens do not have such a short expiration period, which means that iOS 9 backups can be acquired with a binary authentication token days or weeks after the token was extracted. While these tokens may eventually expire, their exact lifespan is no longer measured in hours.

Note: on Windows, authentication tokens are created by iCloud for Windows if the user logs into iCloud with their Apple ID and password and has not logged out or changed their password by the time of acquisition. On Mac OS, iCloud Control Panel is pre-installed in OS X 10.10 and later. There is no need to connect the physical device to the computer at any stage.