Every other day, Apple makes the work of forensic specialists harder. Speaking of iCloud, we partially covered this topic in Apple vs. Law Enforcement: Cloud Forensics and Apple vs Law Enforcement: Cloudy Times, but there is more to it today. The recent iOS (13.4) and macOS (10.15.4) releases brought some nasty surprises. Let’s talk about them.
iOS 13
It is difficult to say when it actually happened, but iOS stopped syncing call logs, and does not sync them for the time being. We covered call log sync some three years ago:
We even tried to bring the matter to Apple, but the only response was we take privacy very seriously (I am not surprised). Anyway; call logs are no longer synchronized (com’on, Apple, did you forget about Continuity? 😊)
But there is more. Do you use Apple Maps? Its data, surprisingly, has been moved to an encrypted container, similar to other protected data such as the iCloud keychain, iCloud Messages, Health and Screen Time data. It’s a strange move, as Maps data is not all that sensitive compared to other bits stored in secured containers. While we can still obtain that data from the cloud, the procedure now relies on the process for extracting other end-to-end encrypted data, which means you have to use the password/passcode of one of the user’s devices.
Just in case: if you are curious about Screen Time, we are currently able to extract only part of the data from iCloud. This includes the passcode, family information, restrictions etc. The most interesting data such as app usage statistics seems to sync directly across devices, but it is not stored in the way that would allow us to extract it from the cloud. If you have more than one device and use the Share across devices option, just compare the statistics you see on the device it’s been collected from and how it appears on other devices on the account. The results are different. Moreover, some stats are not available at all, while there is some mysterious data from devices that have been disconnected from the account a long time ago. A lot of iPhone users reported similar problems:
This can mean that such ‘direct’ syncing simply does not work correctly. It is difficult to say whether it is an iOS 12/13 or iCloud bug, but we decided not to waste our time trying to obtain this data from iCloud. And btw, in iOS 13 the data related to Screen Time is also protected better than most of other data — it is not enough just to have root privileges to access it.
Oh by the way, iOS 13.4.5 beta (what a strange version number after 13.4) is out yesterday, we are going to have a look at it soon.
macOS
Lockdown (pairing) records had always allowed to access passcode-protected devices. However, with the latest update, lockdown records are no longer accessible.
Starting with maCOS 10.12, you had to to run the following command:
sudo chmod 755 /private/var/db/lockdown
With macOS 10.15.4, it does not work anymore:Is there a workaround? Yes. Just disable SIP (System Integrity Protection) by booting into Recovery mode (⌘+R on system startup), then start Terminal and run the following command:
csrutil disable
Then reboot, and access lockdown folder as you did before, e.g. to perform advanced logical acquisition of a locked iPhone using iOS Forensic Toolkit.
iCloud
iCloud authentication has changed again. Looks like Apple have a dedicated team of software engineers that do nothing but make meaningless changes to authentication protocols just to block our software. This does not really improve the security and privacy but makes Apple’s top management happy.
I am not going to describe all the changes in details, but give you some tips on how this affects the usage of authentication tokens in Elcomsoft Phone Breaker. You can start reading from Accessing iCloud With and Without a Password in 2019; and here is how it works now.
On Windows systems, tokens extracted from iCloud for Windows version 7.0 and later work only for accounts without two-factor authentication. With these tokens, you won’t be able to access the entire set of iCloud data. The following categories are still accessible: iCloud Photos and certain synced categories (including contacts, calendars, notes, Safari browsing history etc. except end-to-end encrypted data such as the Keychain, iCloud Messages or Health data). As for iCloud backups, you can only retrieve ones created by iOS versions older than iOS 11.2.
On macOS, the situation is slightly better. On macOS from 10.13 to 10.15, we can get the token for non-2FA accounts only; and for ones that have 2FA enabled, the token is, well, ‘tethered’ to the device it is obtained from, so you can authenticate with this token in Elcomsoft Phone Breaker only on the same Mac. The scope of the data that can be downlooaded from the iCloud (regardless the account and token type) is the same as above: limited number of categories of synced data (without end-to-end encryption), and iCloud backups of devices with iOS up to 11.2. Fully ‘untethered’ tokens for 2FA accounts are only available in macOS 10.12 and older. In fact we recently used a kind of vulnerability in iCloud protocol that allowed us to get such tokens even for 2FA accounts, but not anymore, sorry.
Sounds confusing? I know. Here it is once again:
One more thing: some changes have been made even for accounts without 2FA. Due to these changes, Apple can now lock accounts after a single incorrect password attempt.
Conclusion
To obtain all the data from the user’s iCloud account, you will need the Apple ID, the password, the second authentication factor, and the device passcode. If you have all of those, you can obtain virtually everything, including some of the data that is not available on the device itself. Do not underestimate this method, and remember that Elcomsoft Phone Breaker is the only product on the market that extracts all the data from iCloud including end-to-end encrypted categories.