Acquiring Apple’s iCloud Keychain

August 22nd, 2017 by Oleg Afonin

Who needs access to iCloud Keychain, and why? The newly released Elcomsoft Phone Breaker 7.0 adds a single major feature that allows experts to extract, decrypt and view information stored in Apple’s protected storage. There are so many ifs and buts, such as needing the user’s Apple ID and password, accessing their i-device or knowing a secret security code, that one may legitimately wonder: what is it all about? Let’s find out about iCloud Keychain, why it’s so difficult to crack, and why it can be important for the expert.

What is iCloud Keychain

iCloud Keychain is Apple’s best protected vault. Since iCloud Keychain keeps the user’s most sensitive information, it’s protected in every way possible. By breaking into the user’s iCloud Keychain, an intruder could immediately take control over the user’s online and social network accounts, profiles and identities, access their chats and conversations, and even obtain copies of personal identity numbers and credit card data. All that information is securely safeguarded.

Why It Can Be Important

Forensic access to iOS keychain is difficult due to several layers of encryption. Due to encryption, direct physical access to a locally stored keychain is normally impossible; the only possible acquisition options are through a local password-protected backup or iCloud Keychain.

The only way to extract a (local) keychain from an iOS device requires making a password-protected backup with iTunes or Elcomsoft iOS Forensic Toolkit (the latter automatically sets a temporary known password if one is not configured). The password is needed because unencrypted local backups encrypt the keychain with a hardware-based key; such backups can also be restored exclusively onto the same device that made them. Forensic access to these hardware-encrypted keychains is impossible unless a specific ‘securityd’ key can be obtained from the device, which is only possible for jailbroken 32-bit devices (iPhone 5c and older).

On the other hand, local backups that are encrypted with a password are easier to acquire since keychain data is encrypted with the same password as the rest of the backup. However, if the backup is protected with a long, unknown password, brute-forcing that password may take significant time or may not be possible at all, since Apple deliberately made the recovery extremely slow after the iOS 10.2 update (think 5 passwords per minute on a CPU, or about 100 passwords per second using a high-end GPU). If this is the case, downloading iCloud Keychain could be the only option to obtain the user’s stored passwords.

While we’ll review the technical details below, it is very important to understand what is and what is not possible to do with iCloud Keychain. First and foremost: Apple does not provide any tools or APIs to access iCloud Keychain. The only thing one could do with someone’s iCloud Keychain would be enrolling and syncing a new iOS device (such as an iPhone or iPad). Before EPB 7.0, there was simply no software that could directly access iCloud Keychain without restoring it onto an Apple device first.

A Confusing Implementation

So does iCloud Keychain store users’ passwords in the cloud, or does it not? In a rather confusing FAQ, Apple provides the following quote:

Can I set up iCloud Keychain so that my information isn’t backed up in iCloud?

Yes. When you set up iCloud Keychain, you can skip the step to create an iCloud Security Code. Your keychain data is then stored locally on the device, and updates across only your approved devices.

From this quote, it’s completely unclear under what circumstances iCloud Keychain does or does not keep a copy of the users’ passwords in the cloud because, well, the iCloud Security Code simply cannot be created at all if Two-Factor Authentication is enabled. We did our own research, and made the following observations (assuming that iCloud Keychain is enabled on the device).

  • No 2FA and no iCloud Security Code: the keychain is NOT stored in the cloud; direct synchronization across devices.
  • No 2FA, iCloud Security Code is present: the keychain is AVAILABLE in the cloud.
  • 2FA is enabled: there can be no iCloud Security Code; the keychain is ALWAYS stored in the cloud. However, access to the cloud copy of the keychain is only possible after successfully passing 2FA and after entering a passcode (or system password) of one of the already enrolled devices.

Does It Really Matter?

If you are an expert doing the extraction, does it matter whether passwords are stored in the cloud or synced across enrolled devices? In fact, it does. Elcomsoft Phone Breaker 7.0 can only obtain iCloud Keychain from iCloud, and not from the synced devices.

Let’s have a closer look at how the process works. In order to gain access to iCloud Keychain, you will need the user’s Apple ID and password. This holds for accounts with and without two-factor authentication. However, this is where the similarities end: the rest of the process is different depending on whether or not the user has Two-Factor Authentication enabled on their Apple ID.

No Two-Factor Authentication

  • Sign in with an Apple ID and password
  • Supply iCloud Security Code, if one is configured
  • Receive and enter a one-time code delivered to the user’s registered phone number as a text message (SMS)
  • If iCloud Security Code is NOT configured, iCloud Keychain cannot be obtained

Two-Factor Authentication Enabled

  • Sign in with an Apple ID and password
  • Confirm the two-factor authentication prompt on a device registered on the same Apple ID, and use the one-time code displayed to complete sign in
  • Enter device passcode or system password of an iOS or macOS device that is already enrolled into iCloud Keychain
  • If you correctly followed the procedure, iCloud Keychain will be downloaded. The process may take from several seconds to several minutes depending on the number of records in iCloud Keychain.

iCloud Keychain Acquisition Workaround

Technically speaking, a workaround for acquiring iCloud Keychain exists even if you don’t use Elcomsoft Phone Breaker. For non-forensic purposes, one could initialize a fresh (factory-reset) iOS device, enroll it into someone’s iCloud Keychain and pass all validation and verification steps using an existing iOS device. After that, iCloud Keychain would sync onto the device in due time (definitely much longer than just a few minutes). One can then make a local backup with iTunes, specifying a known password, and then decrypt the backup with Elcomsoft Phone Breaker. Technically, this would provide access to the user’s passwords.

However, the above process is decidedly non-forensic. It leaves severe footprints in the user’s Apple ID account, and may have the following consequences.

  1. Even a freshly reset iOS device maintains a number of keys and passwords in its local keychain. All of those will be synced with the user’s iCloud Keychain; it will be impossible to tell these and the user’s data apart.
  2. The iOS device added to the user’s Apple ID will become an integral part of the user’s ecosystem. Devices that were once added into the circle of trust may remain there indefinitely, even after a full factory reset.
  3. iCloud Keychain download has no progress indication. Initial sync may take more than an hour to complete, whereas Elcomsoft Phone Breaker can obtain the entire iCloud Keychain in a matter of seconds.
  4. Finally, if you have little experience with Apple iCloud and Apple ecosystem, mistakes may happen that can lead to severe consequences such as duplicated or altered information in the user’s iCloud account.

Future Work

We are continuing our research of iCloud Keychain. Particularly, we aim to develop a system that would allow a much easier authentication into iCloud Keychain, ideally without using the password or any security codes at all (similar to what we already have for iCloud backups). Stay tuned for future development.

Conclusion: Are Your Passwords Safe in iCloud Keychain?

iCloud Keychain is a double-edged sword. While it can be a highly convenient secure transport for synchronizing passwords across multiple iOS and macOS devices, it also doubles as a cloud-based storage of said passwords. If your passwords are stored in the cloud, even encrypted, there is always the possibility of someone (be it the NSA, the FBI or Apple themselves) brute-forcing the passcode or iCloud Security Code and gaining access to the encrypted passwords. The keychain is securely protected against online attacks: Apple does not allow attackers to brute-force the passcode or iCloud Security Code, permanently erasing the encryption keys after a certain number of failed attempts. However, brute-force may still be possible with direct access to the protected data; whether or not the abovementioned organizations have such access is debatable.

Notably, iCloud Keychain is a well-designed (even if highly confusing) and very well implemented system that does not have any weak points. What we did in Elcomsoft Phone Breaker 7.0 is not a hack or exploit. We still need all of the same information requested by Apple when enrolling a new device into the circle of trust, and we still cannot bypass security measures or brute-force our way in. However, building a standalone, software-based solution for accessing data stored in iCloud Keychain is a major achievement for our company and a major convenience for mobile forensic specialists.

Do you think there will ever be an update with a workaround 2fa? I don’t expect much but was hoping this big news had something to do with it.

Vladimir Katalov

Yes. But that can be done only with ‘special’ token (not the one we are already able to extract) from Mac enrolled into the iCloud Keychain trusted circle.

Correct me if I’m wrong, but that would mean you would already need to have downloaded that token (with a future epb version) _before_ 2fa was enabled on the account?

Vladimir Katalov

No. Once you enable 2FA, the old token is invalidated; so you need to get the new one.
Anyway, research is still in progress. All Apple code related to this stuff is hardly obfuscated and so not really easy to analyse — we need more time.