iCloud Authentication Tokens Inside Out

November 30th, 2017 by Oleg Afonin

iCloud authentication tokens in particular are difficult to grasp. What they are, what tools create them, where they are stored, and how and when they can be used are questions that we’re asked a lot. Let’s try to put things together. Read Part 1 of the series.

What Authentication Tokens Are and What They Aren’t

An authentication token is a piece of data that allows the client (iCloud for Windows, Elcomsoft Phone Breaker etc.) to connect to iCloud servers without providing a login and password for every request. This piece of data is stored in a small file, and that file can be used to spare the user from entering their login and password during the current and subsequent sessions.

On the other hand, authentication tokens do not contain a password. They don’t contain a hashed password either. In other words, a token cannot be used to attack the password.

What They Are Good For and How to Use Them

Authentication tokens may be used instead of the login and password (and secondary authentication factor) to access information stored in the user’s iCloud account. This information includes:

  • iCloud backups (however, tokens expire quickly)
  • iCloud Photo Library, including access to deleted photos
  • Call logs
  • Notes, calendars, contacts, and a lot of other information

Using iCloud authentication tokens is probably the most interesting part. You can use an authentication token in Elcomsoft Phone Breaker Forensic to sign in to Apple iCloud and use iCloud services (download cloud backups, photos, synchronized data etc.) without knowing the user’s Apple ID password and without having to deal with Two-Factor Authentication.

Authentication tokens can be used for:

  • Signing in to iCloud services
  • Without Apple ID password
  • Without having to pass Two-Factor Authentication

The Death of Authentication Tokens

iCloud authentication tokens don’t live forever. After a while, they tend to expire. However, unlike other types of tokens, expired iCloud tokens may still be partly usable. The very same authentication token may have expired for the purpose of downloading backups, but may still be usable for the purpose of accessing synchronized data and iCloud Photo Library. Weird? We warned you it’s going to be complicated.

It is important to understand that token expiration rules are server-side, and can be adjusted by Apple at any time without warning. At this time, authentication tokens don’t seem to carry a defined expiration date as long as synced data (and iCloud Photos) are all you’re after. For downloading iCloud backups, it’s a different story. We’ve seen authentication tokens (for iCloud backups) never expire; expire after 12 hours; expire after 5 minutes; expire after 6 hours, seemingly without a system. However, at this time the following expiration rules apply.

To sum it up:

  • Authentication tokens don’t seem to expire if you’re downloading synced data or photos
  • Downloading iCloud backups is only possible within a very short time after the last password-based sign in (our estimate currently ranges from 5 minutes to 6 hours)
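The split summarised above is what a server-side, per-category freshness check would produce. The following is an added sketch of such a check, not Apple's implementation and not code from the original article; the scope names, the `Token` type and the 6-hour window (the upper end of the estimate above) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical server-side policy: maximum time since the last password-based
# sign-in for which a token is accepted, per data category. None = no limit.
# The 6-hour value is the upper end of the article's estimate, not a known setting.
SCOPE_MAX_AGE = {
    "synced_data": None,
    "photo_library": None,
    "backups": timedelta(hours=6),
}


@dataclass(frozen=True)
class Token:
    account: str
    last_password_sign_in: datetime  # time of the last full password-based sign-in


def authorize(token, scope, now, policy=SCOPE_MAX_AGE):
    """Return (allowed, reason) for one request made with this token."""
    if scope not in policy:
        # Default deny: categories with no token policy need a full sign-in.
        return False, "scope not available to token sign-in"
    max_age = policy[scope]
    if max_age is None:
        return True, "no freshness limit for this scope"
    age = now - token.last_password_sign_in
    if age < timedelta(0):
        return False, "sign-in time lies in the future"
    if age > max_age:
        return False, "password sign-in too old for this scope"
    return True, "within freshness window"


if __name__ == "__main__":
    # Constructed sample data: one token, seven hours after the password sign-in.
    now = datetime(2017, 11, 30, 12, 0, tzinfo=timezone.utc)
    token = Token("user@example.com", now - timedelta(hours=7))
    for scope in ("synced_data", "photo_library", "backups", "keychain"):
        print(scope, authorize(token, scope, now))
```

Because the policy table lives on the server, shortening the `backups` window changes the outcome for tokens already issued without any change on the client, which matches the shifting expiry times described above.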

Anisette Data Anyone?

While you may have heard about authentication tokens, I’m sure you’ve never heard of Anisette data. What is it all about, how is it different from authentication tokens, and what is the use of it?

In a word, Anisette data is something that allows you, as an expert, to skip the second authentication step when accessing accounts protected with Two-Factor Authentication.

Anisette data are, like tokens, just bits of random data stored on the user’s computer. These bits are created by iCloud for Windows (or iCloud on a Mac) once the user logs in to their account.

What exactly are these bits of data good for, and how are they different from using the authentication token you could’ve extracted with earlier versions of EPB? For one, using Anisette data, you’ll still need the login and password. The point is, if you’re running EPB 8.1 on a trusted computer, that piece of data ensures that you won’t have to pass two-factor authentication again when accessing the user’s synced data (this time including iCloud Keychain, which is not extractable with a token).

Once Elcomsoft Phone Breaker 8.1 detects Anisette data (it must run on the trusted computer in order to do that; disk images won’t cut it, at least for now), EPB 8.1 will use that to work around Two-Factor Authentication. This means you will not be prompted for the second authentication factor, and will be able to skip the secondary authentication step when you’re attempting to download iCloud backups or access synchronized data. Of course, you would still need the login and password to access those backups, but at least you won’t have to jump through the hoops of two-factor authentication.

Is Anisette data of any use if you don’t have access to an already trusted computer? In fact, Elcomsoft Phone Breaker 8.1 (and newer) can use Anisette data on the expert’s computer – just to spare the expert from re-doing two-factor authentication every time they log in to a previously authenticated account. Using Anisette data, the first login must be completed as usual with login, password, and second authentication factor; all subsequent logins will only require a login and a password. For this to work, the expert must have iCloud for Windows (or Mac) installed, and they must initialize the app by attempting to sign in to any Apple account at least once.

Here is the brief summary for Anisette data:

  • Elcomsoft Phone Breaker 8.1 (or newer) required
  • EPB must be launched on the user’s live system (no offline disk images, at least for now)
  • User must have iCloud for Windows (or Mac) installed and authenticated (signed in at least once with login/password)
  • You still need login and password to sign in to the user’s iCloud account
  • You don’t need a secondary authentication factor (Two-Factor Authentication bypassed) when running on a trusted computer

At least for now, we cannot extract Anisette data and reuse it on a different computer. We are still working on it.

Conclusion

Authentication tokens are easier than you may have thought. We described the benefits and limitations of authentication tokens. Our next publication describes practical steps required to extract authentication tokens from a variety of sources.

Part 3: Extracting and Using iCloud Authentication Tokens