iCloud Extractions Without Passwords and Tokens: When a Trusted Device is Enough

October 26th, 2021 by Vladimir Katalov
Category: «Clouds», «Mobile», «Tips & Tricks»

A lot of folks (and even some law enforcement experts) are looking for a one-click solution for mobile extractions and data decryption. Unfortunately, in today’s day and age there are no ‘silver bullet’ solutions. In the days of high-tech mobile devices and end-to-end encryption one must clearly understand the available options, and plan their actions accordingly. The time of ‘snake oil’ exploits is long gone. The modern world of mobile forensics is complex, and your actions will depend on a lot of factors. Today, we’re going to make your life a notch more complex by introducing a new iCloud authentication option you’ve never heard of before.

The complex world of cloud forensics

Being a mobile forensic specialist, you probably know of some manufacturers offering “magic solutions” that work straight out of the box, supporting unadvertised range of devices running a secret range of OS versions. In real life, those solutions only work in very specific conditions, on very specific devices, running very specific versions of the software. In order to use these and other tools efficiently, one must learn the theory, and one must constantly improve one’s level of knowledge from day to day. This is a factor of your success. I want to draw your attention at how important it is to understand the things happening under the hood, especially when performing cloud extractions where someone else has physical control over the data you’re attempting to access.

Today, I will introduce a very different methods for authenticating into iCloud when doing cloud extractions. But before I do this, let me briefly remind you of our achievements in iCloud extractions.

The iCloud extraction timeline

It’s been almost 10 years since we learned how to download iCloud backups; a lot of improvements has been made since then:

The benefits of iCloud firensics

I think there is no need to tell why iCloud acquisition is important in general. Even if you have an unlocked device compatible with low-level file system and keychain acquisition (and so Elcomsoft iOS Forensic Toolkit could do the job for you), you may not get the all the data theoretically available; more on that below. We have a good feeling that future iPhones will not have a Lightning port (latest Apple Watch already has diagnostics port removed, so even limited logical acquisition is not available anymore), while iCloud acquisition method should remain forever.

Why we developed trusted device authentication

Before I start talking about the new authentication method, let me tell you about why we felt the pressure to develop it. Several major iOS releases ago, the following things have happened:

  • The iCloud password is no longer stored in the keychain. Previously, you could only discover it in the keychain occasionally; it was always a matter of luck. Today, it just never happens; there is simply no way to extract the iCloud password from the keychain unless the user signed in to an Apple Web service through Safari, and saved their Apple ID password in the browser. This rarely occurs in real life.
  • iCloud tokens are now device-dependent in both macOS and iOS. Some time ago, we learned how to use macOS tokens for iCloud extractions; you can only do it if you run EPB on the same physical computer on which the token was created. For iOS, however, the situation is much tougher. Previously, we would extract the iCloud token from the keychain (or the backup) and access the data stored in iCloud. Today, the token can be only used on the same physical device it was created on.
  • The token is not only short-lived, but it is no longer sufficient to download the data. Even if we can spoof the cloud and pretend to be the device that was used to create the token, the cloud will periodically request some dynamic data generated on that physical device. The data is only accessible if you have root access.

iCloud may contain significantly more information than the device itself because of the following reasons:

  • The device has less storage than the cloud (especially for 8GB and 16GB models).
  • The device was never set up to pull data from iCloud (e.g. an older model iPhone is used for calling and texting only, with no iCloud Photos on the phone; the photos might be stored in iCloud and uploaded from other devices; or, for example, messages are synced between the iPhone and iCloud, while the iPad has its sync disabled as it’s used for reading or drawing).
  • The photos are synced with Optimize iPhone storage option enabled, so that the phone has smaller (compressed) versions of the photos while iCloud stores the originals.
  • Some data categories such as Documents and Desktop (iCloud Drive) are not synchronized with the phone at all. This is also true for app data for the apps installed on other devices but not present on the device being investigated.

The value of a trusted device

A “trusted” device is not just a device that contains valuable information (probably including critical evidence); it has more value than you can imagine.

First, let me remind you our old article: iOS 11 Does Not Fix iCloud and 2FA Security Problems You’ve Probably Never Heard About. While this was about iOS 11, the issue has been fixed a couple of major iOS releases ago. Today (since version iOS 14 at least) the passcode is always requested when you try changing the iCloud password. Still, a trusted device allows you to change the password (without entering the old password); all you need is the device passcode.

You may think that there is noting really new about the feature we have just added. After all, the device is trusted, so it should allow you to do everything your want with your iCloud account, that’s what it is for. And honestly, Apple did its best about iCloud protection: as you can see, modern devices (based on the A12 or later SoC) running the latest version of iOS cannot be used as a key to full iCloud access. But thanks to the checkm8 exploit and several kernel-level vulnerabilities, quite a lot of devices (older ones, as well as those without the latest iOS update) expose the risk of not only reading your data stored locally, but also of exposing all your iCloud account data, including the data contributed by other devices on your account (such as your Mac protected with FileVault2, as the recovery key is also stored in the cloud). Do you still have some old device connected to the account and trusted? Think twice. You have been warned.

Stay safe!


REFERENCES:

Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud, Windows Phone and BlackBerry 10 devices! Download device backups from Apple iCloud, Microsoft OneDrive and BlackBerry 10 servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »