Starting with version 7.0, Elcomsoft Phone Breaker has the ability to access, decrypt and display passwords stored in the user’s iCloud Keychain. The requirements and steps differ across Apple accounts, and depend on factors such as whether or not the user has Two-Factor Authentication, and if not, whether or not the user configured an iCloud Security Code. Let’s review the steps one needs to take in order to successfully acquire iCloud Keychain.

Pre-Requisites

Your ability to extract iCloud Keychain depends on whether or not the keychain in question is stored in the cloud. Apple provides several different implementations of iCloud Keychain. In certain cases, a copy of the keychain is stored in iCloud, while in some other cases it’s stored exclusively on user’s devices, while iCloud Keychain is used as a transport for secure synchronization of said passwords.

In our tests, we discovered that there is a single combination of factors when iCloud Keychain is not stored in the cloud and cannot be extracted with Elcomsoft Phone Breaker:

• If the user’s Apple ID account has no Two-Factor Authentication and no iCloud Security Code

In the following combinations, the keychain is stored in the cloud:

• If the user’s Apple ID account has no Two-Factor Authentication but has an iCloud Security Code (iCloud Security Code and one-time code that is delivered as a text message will be required)
• If Two-Factor Authentication is enabled (in this case, one must enter device passcode or system password to any device already enrolled in iCloud Keychain)

In both cases, the original Apple ID and password are required. Obviously, a one-time security code is also required in order to pass Two-Factor Authentication, if enabled.

Notes:

• Accounts with Two-Step Authentication are currently not supported (Apple is currently on the way of phasing out 2SV).
• If you are using a Windows PC, you currently must have iCloud for Windows installed.
• If you are using a Mac, you must run macOS 10.11 or newer.
• You must use iCloud Panel (Windows/Mac) at least once by launching it and attempting sign in.

Account requirements:

•  The Apple ID must not be blocked.
• If Two-Factor Authentication is enabled, at least one device connected to iCloud Keychain must have a passcode. This is normally the case as the passcode is automatically required when enabling iCloud Keychain. If the passcode is disabled later on, the old passcode can still be used for authenticating Elcomsoft Phone Breaker.
• If Two-Factor Authentication is enabled, there must be no iCloud Keychain | Advanced menu available on the device whose passcode is used to authenticate Elcomsoft Phone Breaker. Again, this is normal behavior. If iCloud Keychain | Advanced menu is available on the device, this means that iCloud Keychain is in fact inactive on that device. If this is the case, disable and re-enable iCloud Keychain on the device. (This might be a bug with Apple iCloud).

Extracting iCloud Keychain: a Step-By-Step Guide

The guide consists of two distinctly different processes: one for accounts with Two-Factor Authentication, and one for accounts without. As such, your Step 0 would be determining whether or not an account is protected with Two-Factor Authentication.

Step 0: Determine whether the given Apple ID is protected with Two-Factor Authentication.

Accounts with Two-Factor Authentication

If Two-Factor Authentication is enabled on a given Apple ID, use the following steps.

• Launch Elcomsoft Phone Breaker 7.0 or newer
• Select the Keychain option under Tools – Apple
• Sign in using Apple ID and password
• Confirm the two-factor authentication prompt on a device registered on the same Apple ID, and use the one-time code displayed to complete sign in. The code will be delivered as a push notification to all already authorized Apple devices. Alternatively, an offline code may be used, which can be obtained from the user’s registered device (instructions on obtaining the code).

• Enter device passcode or system password of an iOS or macOS device that is already enrolled into iCloud Keychain.
  – or –
• Specify download location and click Download.
• If you correctly followed the procedure, iCloud Keychain will be downloaded. The process may take from several seconds to several minutes depending on the number of records in iCloud Keychain.

Accounts without Two-Factor Authentication

Elcomsoft Phone Breaker can only extract iCloud Keychain from accounts that have an iCloud Security Code. You must know that iCloud Security Code in order to access the keychain.

• Launch Elcomsoft Phone Breaker.
• Select the Keychain option under Tools – Apple.
• Sign in using Apple ID and password.

• When prompted, enter iCloud Security Code
• Receive and enter a one-time code delivered to the user’s registered phone number as a text message (SMS)
• Enter the SMS you received
• Click Download.
• If you correctly followed the procedure, iCloud Keychain will be downloaded. The process may take from several seconds to several minutes depending on the number of records in iCloud Keychain.

Exploring iCloud Keychain

Elcomsoft Phone Breaker comes with a built-in Keychain Explorer. The tool allows viewing downloaded keychain data, and offers convenient searching, filtering and exporting of stored passwords and authentication credentials.

You can export authentication credentials (logins, passwords, keys, tokens etc.) by using the Export data button.

You can create a filtered text file containing the list of unique passwords by using the Create Dictionary button. This text file can be used as a custom dictionary for breaking user’s other passwords with password recovery tools such as Elcomsoft Distributed Password Recovery.