Have an iPhone backup but cannot get around the password protection? I have a story to share. I was recently contacted by an old partner from the other side of the world who asked for assistance in an urgent case. He had an iTunes-style backup of a device full of critical evidence, but the password locked him out of the data.
It was a new device model running a recent version of iOS. No known exploits, no jailbreaks, and no known workarounds. They did have the screen lock passcode, so it wasn’t a matter of life and death, but resetting the backup password is always the last resort, with lots of negative consequences.
They decided to start with a kind of social engineering first. Once you know the passcode, you can view the passwords stored in the device keychain (well, most of them). You still cannot view all of them at once, nor can you export them, so this is time-consuming manual work. Long story short, they soon realized that most passwords were built using exactly the same simple pattern:
aXXXXXXXXXn
Here, ‘a’ is a lowercase letter, followed by a fixed 9-character part that is always the same (a mix of lowercase and uppercase letters and digits), sometimes followed by a single digit.
There were just a few passwords that were completely different from these, though also predictable.
That was a good start. We have an iTunes backup brute-forcing solution (Elcomsoft Distributed Password Recovery), which is very flexible for pattern-based password search. Even though iTunes backups use strong protection and password cracking is extremely slow on any hardware (less than 200 passwords per second on a last-gen NVIDIA board), we don’t have that many passwords to try in this case, and a solid part of the password is known if the backup password uses a similar pattern.
After a few minutes, we’re done with the check. The result is negative even after expanding the mask search to include two digits at the end of the password.
I then made masks matching other passwords from the keychain; that was a bit more difficult, and I had to use a small GPU cluster to complete the task in reasonable time. Still negative.
Anything else to try? Sometimes users select the same password for their Apple ID and the backup; I did not know the Apple ID password, and our partner didn’t know it either.
So let’s go the usual way. A small but effective wordlist, then several common patterns: all lowercase letters, then all caps, then a mix of lowercase and caps (but at shorter lengths), etc. I decided to start with digits only, from one to six digits long.
Here is where the story ends: the password was found in seconds, and it was ‘1234’. Later we realized that it was set by one of the previously used forensic extraction tools (the device did not have a backup password set during the first extraction, but it was set during the acquisition stage in order to obtain more data from the backup). For some reason, the product failed to reset the password after the acquisition; moreover, a different product from the same company intended for backup parsing and analysis failed to apply this default password.
To learn more about default backup passwords, read iPhone Backups: Top 5 Default Passwords. Our own iOS acquisition product (Elcomsoft iOS Forensic Toolkit) also sets the ‘default’ password (just ‘123’).
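The ordering question in this story (tool defaults first, then short digit-only passwords, then the keychain-derived masks) comes down to keyspace size against the roughly 200 passwords per second the post quotes. The script below is an added example written for this write-up, not Elcomsoft code and not part of the products mentioned: it expands hashcat-style masks (the `?l`/`?u`/`?d` syntax is my assumption, the post does not name a mask syntax), counts candidates per stage, and reports how long each stage would take at that rate. The 9-character middle part `Kz7Qm2xB9` is a constructed placeholder standing in for the fixed part observed in the keychain, and the default-password list contains only the two values the post itself names (‘123’ and ‘1234’).

```python
import itertools
import string

# hashcat-style character classes (assumption: the post mentions masks but no syntax)
CLASSES = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "a": string.ascii_lowercase + string.ascii_uppercase + string.digits,
}

# The post names only these two tool-set defaults; a real run would use a fuller list.
DEFAULT_BACKUP_PASSWORDS = ["123", "1234"]

# Rate quoted in the post: under 200 passwords per second on a last-gen NVIDIA board.
RATE_PER_SECOND = 200.0


def literal(text):
    """Escape a known fixed string so it is matched verbatim inside a mask."""
    return text.replace("?", "??")


def parse_mask(mask):
    """Turn a mask into a list of per-position alphabets.

    '?l' etc. expand to a class from CLASSES, '??' is a literal '?',
    and any other character is a literal matched at that position.
    """
    slots, i = [], 0
    while i < len(mask):
        ch = mask[i]
        if ch != "?":
            slots.append(ch)
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        nxt = mask[i + 1]
        if nxt == "?":
            slots.append("?")
        elif nxt in CLASSES:
            slots.append(CLASSES[nxt])
        else:
            raise ValueError(f"unknown mask class ?{nxt}")
        i += 2
    return slots


def keyspace(mask):
    """Number of candidates a mask expands to (product of slot sizes)."""
    n = 1
    for slot in parse_mask(mask):
        n *= len(slot)
    return n


def candidates(mask):
    """Lazily enumerate every string the mask describes."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def digits_only_keyspace(min_len, max_len):
    """Candidates in an all-digit search from min_len to max_len characters."""
    return sum(10 ** n for n in range(min_len, max_len + 1))


def eta_seconds(count, rate=RATE_PER_SECOND):
    return count / rate


def plan(known_middle, rate=RATE_PER_SECOND):
    """Size and ETA of each stage the post describes, in the order it ran them."""
    mid = literal(known_middle)
    stages = [
        ("keychain mask, optional 1 trailing digit",
         keyspace("?l" + mid) + keyspace("?l" + mid + "?d")),
        ("keychain mask, expanded to 2 trailing digits",
         keyspace("?l" + mid + "?d?d")),
        ("tool defaults", len(DEFAULT_BACKUP_PASSWORDS)),
        ("digits only, 1 to 6 characters", digits_only_keyspace(1, 6)),
    ]
    return [(name, count, eta_seconds(count, rate)) for name, count in stages]


if __name__ == "__main__":
    # Constructed placeholder for the fixed 9-character middle seen in the keychain.
    for name, count, eta in plan("Kz7Qm2xB9"):
        print(f"{name:45s} {count:>10,d} candidates  ~{eta/3600:7.3f} h")
```

Running it shows why the defaults belong at the very front of any queue: the two mask stages together are under 3,000 candidates and finish in seconds, while the digit-only sweep is about 1.1 million candidates, roughly an hour and a half at 200 per second, even though ‘1234’ itself sits near the start of that sweep.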
Many thanks to Paolo Bileci from Payam Data Recovery for sharing this story and allowing us to make a write-up on it!