iPhone User? Your Calls Go to iCloud

November 17th, 2016 by Oleg Afonin

iCloud sync is everywhere. Your contacts and calendars, system backups and photos can be stored in the cloud on Apple servers. This time, we discovered that yet another piece of data is stored in the cloud for no apparent reason. Do you use an iPhone and have an active iCloud account? Your calls will sync with iCloud whether you want it or not. In fact, most users we’ve heard from don’t want this “feature”, yet Apple has no official way to turn off this behavior other than recommending “not using the same Apple ID on different devices”. What’s up with that? Let’s try to find out.

Why It Matters

Ever since the release of iOS 8, Apple declines government requests to extract information. According to Apple, “On devices running iOS 8 and later versions, your personal data is placed under the protection of your passcode. For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.”

So far, we have had no reason to doubt this policy. However, we’ve seen Apple moving more and more data into the cloud. iCloud data (backups, call logs, contacts and so on) is very loosely protected, allowing Apple itself or any third party with access to the proper credentials to extract this information. Information stored in Apple iCloud is of course available to law enforcement.

Automatic Cloud Sync of Call Logs a Hassle for Many iPhone Users

“The recent calls list (missed or made) made on one phone show up on the other phone. The two phone call lists are so connected that I can clear both lists by just clearing one of the phones”, says one iPhone user on Macrumors Forums. “This is a very unwanted feature.”

Indeed, why would anyone want to have their calls sync between their two iPhones?

“It’s very irritating”, says another forum poster. “My wife and I both have iPhones, we are both on the same Apple ID. When she gets a call my phone doesn’t ring but when she misses that call my phone shows a missed call icon on the phone app and when I go to the phone app it’s pretty clearly someone who wasn’t calling my phone. Any way to fix this so it stops?”

“My wife and I have shared an iCloud account since the beginning. Now that we have updated to iOS 9, our call log is shared. Any way to fix that?”, asks yet another poster.

What does Apple reply to its customers’ complaints? “I use my phone for business and we have noticed in the last few days that all of the calls I make and receive are appearing in my wife’s iPhone recent call history? I have hunted high and low in settings on both phones but with no joy”, writes a user on the Apple discussion forums. The word of wisdom? Not using the same Apple ID on different iPhones.

Apparently, Apple offers no setting anywhere in iOS to stop syncing of call logs. The only way to stop call log syncing is to disable iCloud Drive, which would also prevent apps from storing documents and data (such as WhatsApp backups) in the cloud.

A Hassle for End Users is a Blessing for Law Enforcement

What seems to be a hassle for some frustrated iPhone users is a real blessing for law enforcement. Indeed, the security model of recent iPhones is exemplary. They are extremely difficult to break into on a physical level. Even unlocking the device with Touch ID or a passcode does not automatically mean the ability to extract data. In fact, Apple refuses to perform acquisition of any iOS devices running iOS 8 and newer, citing their extremely strong security.

The ability to extract call logs from the cloud instead of having to deal with the tough hardware protection of today’s iPhones can be a blessing for forensic examiners. We are putting this irritating feature to good use, enabling forensic experts to extract information about suspects’ calling activities directly from their iCloud account.

In order to extract call logs, you’ll need to use the correct Apple ID and password to sign in to the user’s iCloud with Elcomsoft Phone Breaker 6.20. Alternatively, you may use an iCloud authentication token extracted from the suspect’s PC. If you use an authentication token, you’ll be able to bypass two-factor authentication checks, if 2FA is enabled on that account.

This is what you’ll use to download synced calls:

[Screenshot: epb_calls]

Of course, if two-factor authentication is enabled on that Apple ID, you’ll have to enter the 2FA code:

[Screenshot: epb_auth]

There are multiple types of data that are synced with iCloud. At this time, Elcomsoft Phone Breaker only supports calls and contacts, but we’re working to support other types of data.

[Screenshot: epb_categories]

Click Download, and the data gets pulled in a matter of seconds:

[Screenshot: epb_downloaded]

We’ll extract synced calls along with synced contacts. As a result, the calls will appear correctly attributed with contact names. You can use the latest version of Elcomsoft Phone Viewer (updated to support this feature) or a third-party forensic tool to access the calls.

[Screenshot: epv_calls]

Why Elcomsoft Phone Viewer? Because a lot of additional information is available about each call beyond just the phone number and date, such as a unique call identifier, status note (answered, missed, rejected etc.), timestamp and duration of the call.

Recommendations

Apple is well aware of the trouble some users are having with call sync. For those who use several iPhones in a family, Apple recommends not using the same Apple ID on those devices and using Family Sharing instead. Some users note that Family Sharing is not an ideal solution since it doesn’t allow sharing iCloud Photo Library. In our opinion, Apple’s recommendation actually makes sense, as someone’s Apple ID is personal and should not be used across devices owned by different persons (even within the family).

If you are using two or more iPhones (e.g. for work and for personal use), you may still have to go with a single Apple ID. If this is the case, and you don’t want your calls synced across the two iPhones, consider disabling iCloud Drive on one device (don’t mix it up with iCloud; iCloud Drive is available elsewhere and can be disabled separately from iCloud). This way you’ll prevent call sync without affecting things such as iCloud Photo Library or iCloud backups. You will, however, lose the ability to sync data across third-party apps that may use iCloud Drive to save their data.

Signing out of FaceTime does not stop call syncing. Disabling iCloud on one of the devices does stop call sync, yet you will lose much more compared to just shutting off iCloud Drive.

Other Platforms

The ability to sync call logs is not unique to iOS. Call logs can be saved or synced with all three major mobile operating systems.

Google enabled this feature for Android-powered smartphones sometime in April this year for all devices running Android 6.0 and newer that are using and signed in to Google Play Services. We’ve updated our cloud acquisition tool, Elcomsoft Cloud Explorer, to support the extraction of synced call logs from Google Accounts.

Windows 10 Mobile also syncs call logs by default across Windows 10 devices signed in with the same Microsoft Account.


REFERENCES:

Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud and Windows Phone devices! Download device backups from Apple iCloud and Microsoft OneDrive servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.



Elcomsoft Phone Viewer

Elcomsoft Phone Viewer is a fast, lightweight forensic viewer for quickly accessing information extracted from mobile backups. Supporting a variety of platforms and data formats, the tool can display information extracted from local and cloud iOS backups and Microsoft Accounts. Password-protected iTunes backups can be automatically decrypted and analyzed without using third-party tools.
