The Life and Death of iCloud Authentication Tokens: Historical Perspective

November 30th, 2017 by Vladimir Katalov
Category: «Clouds», «Did you know that...?», «Security», «Tips & Tricks»

What are iCloud authentication tokens? How they are better than good old passwords? Do they ever expire and when? Where to get them? Is there anything else I should know about tokens? This publication opens a new series on token-based authentication.

A Brief History of iCloud Extraction

When we started working with Apple iCloud more than 5 years ago to allow users download their backups, we only supported the most straightforward authentication path via login and password. Since you had to supply an Apple ID and password anyway, many people wondered what the big deal with our software was. If it required a password anyway, could you just do the same by some standard means?

The thing is there is no “standard” means. All you can do with an iCloud backup without additional software is restoring a new Apple device from it; from there, you’re on your own. Also, you can only restore over Wi-Fi, and the process is extremely slow. It takes several hours to finish, and the iPhone you’re restoring will consume a lot more traffic than just the backup (it’ll also download and install app binaries from the App Store, which can be significantly larger than the backup itself).

In addition to that, you will also need the same model or similar device with same or newer version of iOS. Next, you will have to boot the restored device (and that operation will obviously modify the data; not even discussing the situation when the iOS version on the device is not the same as the version of iOS the backup was obtained from). Do not forget that the apps will be restored directly from the App Store (and they can be different versions, too). And finally, you’ll still have to create a local iTunes backup of the newly restored device.

Sounds like a long and difficult endeavor? It is even more difficult than it seems, as sometimes something just goes wrong, and you end up with a half-restored device (particularly, if the cloud backup being restored is very old, was obtained from an older device or a device running an older version of iOS).

We eliminated intermediate steps, removed the requirement to have physical Apple hardware with a matching version of iOS, and made sure that you get the data exactly as they are stored in iCloud. The downloading process is significantly faster than the actual restore (if you need it even faster, you can obtain the most critical data such as messages, call log and web browsing history in a matter of minutes). See the difference?

Anyway, the password still remains crucial for successful acquisition. You still cannot do anything without it, even with our software. Or can you?

The thing is, iCloud can be used not just on iOS devices, but also on desktops (Windows and Mac). iCloud on your computer can sync some data (on macOS, this includes passwords), access iCloud Drive and iCloud Photo Library, and more.

When signing in to iCloud from your desktop, you have to authenticate (with Apple ID and password) first, and pass the 2FA if enabled. Then, further syncing is performed transparently, without the need to enter the iCloud password every time when you log on to your computer. There is no need to pass 2FA again either.

How does that work, technically? After authentication, the system saves an authentication token, which is just a small block of binary data that is used for authentication of the ongoing and subsequent sessions. The token is generated by Apple servers after passing authentication. It works as a password replacement, and allows to do almost the same as the password, with a single exception. That makes the system not only more convenient (no need to re-authenticate) but also more secure (password not saved anywhere).

Long story short: we researched where iCloud tokens are stored on Mac and PC computers and how they are encrypted. We’ve also added the ability to use them to authenticate into iCloud in Elcomsoft Phone Breaker.

The Benefits of Using Tokens

Why would you use a token instead of a password? For obvious reasons: you may not know the password in the first place. Of course, you need another type of user’s credentials – the token itself. However, the token is much easier to obtain. You can extract it from a Windows or macOS desktop (where the same iCloud account is used), or from an iOS device (we’ll show you how).

Next, there is no need for the second authentication factor, even if the account uses 2FA. There is no public statistics about how many accounts do, but Apple is very active on pushing 2FA; besides, some iOS/macOS/iCloud features are only available with 2FA enabled.

Finally, the account owner will not receive a push notification once we access their account. For accounts with 2FA enabled, there is almost (well, almost always) a push notification that appears immediately on all trusted devices once you try to sign in. Even if there is no two-factor authentication on an account, the user may still receive yet another notification by email. At this time, Apple does not send these email notifications, but they may re-start sending them at any time. This never happens on iCloud access with tokens though.

Enough history! Let’s go technical. What are these tokens exactly, what can and what cannot they help you extract, and how do you actually use them?

Part 2: Cloud Authentication Tokens Inside Out