iCloud Extraction Turns Twelve

May 15th, 2024 by Oleg Afonin
Category: «Clouds», «General», «Mobile», «Tips & Tricks»

Twelve years ago, we introduced an innovative way of accessing iPhone user data, retrieving iPhone backups straight from Apple iCloud. As our iCloud extraction technology celebrates its twelfth anniversary, it’s a fitting moment to reflect on the reactions it has provoked within the IT community. Let us commemorate the birth of the cloud extraction technology, recap the initial reactions from the forensic community, and talk about where this technology stands today.

Initial concerns

Back in 2012, our release of iCloud extraction technology led to heated discussions within the IT community. Two predominant sentiments emerged, each with its own distinct perspective.

The ignorant: Some regarded iCloud Extraction with indifference, arguing that if one possesses the login credentials, accessing iCloud data becomes a trivial matter. This viewpoint sees little novelty in the extraction process, viewing it merely as a pathway to complete data accessibility.

The alarmists: Conversely, there are those who sounded the alarm bells, highlighting the potential risks introduced by iCloud extraction. To them, it represented a new avenue for hackers to exploit and a new way for oppressive regimes to spy on their citizens, exacerbating the already daunting challenges of cybersecurity.

While both viewpoints hold elements of truth, they also oversimplify the complexities at play. Having the authentication credentials does indeed grant access to the cloud vault, but downloading an iCloud backup, even with the original login and password, is technically possible only by setting up a genuine Apple device, which in turn must run a compatible version of iOS. And then one would still need to extract that data from the Apple device, which is a challenge in itself.

The alarmists’ viewpoint has its grounds, as proven by the infamous 2014 Celebgate hack. Yet a tool is just a tool. It can be used for both noble and nefarious purposes. The extraction of iCloud data, like any technology, is inherently neutral. It’s the intentions and actions of those who use it that determine its impact.

Moving beyond the polarizing debate, it’s essential to look deeper into the technical and legal nuances of iCloud extraction and the technology’s implications for data security and privacy. While concerns about potential misuse are valid, dismissing the technology outright overlooks its legitimate uses, such as aiding law enforcement in criminal investigations or assisting individuals in recovering lost data. Moreover, it is important to recognize the evolving nature of cybersecurity threats and the need for continuous adaptation and improvement in defense mechanisms. The Celebgate incident served as a wake-up call for both Apple and users alike, prompting improvements in security protocols and user awareness. And Apple did react.

Sword vs. shield

While Apple did not immediately respond to the new threat, the availability of third-party cloud extraction technology made the company rush the release of new security measures that were already in the development pipeline. In March 2013, Apple released optional two-step verification as a stopgap measure before introducing proper two-factor authentication in 2015. The half-baked two-step verification protected neither photos nor backups, as noted in “Apple iCloud security exploit is a concern, experts say” (BBC News) and “Apple’s iCloud cracked: Lack of two-factor authentication allows remote data download” (ZDNET).

Today, more than 95% of Apple accounts are protected with two-factor authentication that protects everything except Find My services (for a good reason). We added support for two-factor authentication soon after it was introduced, enabling access to data stored in accounts protected with the second authentication factor.

In addition to enhancing authentication protocols, Apple implemented various other measures to fortify iCloud security. These included strengthening encryption standards with end-to-end encryption, which additionally protects sensitive data (on top of the regular iCloud encryption) with a key that is re-encrypted with the user’s device passcode (or multiple passcodes if several devices with different passcodes are registered on the same Apple ID). Since Apple does not know the user’s device passcode, it does not have access to the user’s sensitive information such as account passwords or messages in iCloud. In 2017, we added the ability to extract the iCloud keychain, which is a major part of the end-to-end encrypted data set. As Apple continued moving more and more data under the end-to-end encrypted umbrella, we learned how to extract those other types of data as well.

Apple is synchronizing more and more data, which is crucial to note, particularly since this data is not necessarily included in cloud backups. Many users stumble upon this reality without grasping its implications. It’s worth noting that such synchronization does not always work exactly as described in Apple’s documentation. For instance, we have noticed various inconsistencies, whether accidental or deliberate, and we still lack comprehensive documentation of what else is being synchronized to the cloud and for how long it is stored. In this light, I’d like to reference a couple of older articles from years back: “Deleted Browser History From Safari Gets Saved To iCloud” and “iPhones Secretly Send Call History to Apple, Security Firm Says”. While these particular issues have long been resolved, we don’t know what other issues might be plaguing iCloud sync today.

iOS 17 partially broke third-party access to iCloud. We are still struggling with iCloud backups produced by some iOS 17 devices. The extraction may or may not work, and we are yet to determine the root cause of the problem. At least, synchronized data can still be extracted, including iCloud Photo Library and end-to-end encrypted categories. Or, rather, it could.

Until today.

At the end of 2022, Apple introduced an optional new feature called Advanced Data Protection for iCloud. This opt-in feature enables users to protect nearly all of their information with strong end-to-end encryption. The implementation of the new encryption mechanism differs from the standard end-to-end encryption. The old trick of providing a screen lock passcode and having the vault open no longer works. More than a year after this update, we still cannot access information stored in accounts with Advanced Data Protection for iCloud. For the time being, the shield wins the battle.

The legal pathway

To obtain iCloud data legally, forensic experts can request the data from Apple directly. This process involves specific steps and documentation, which can vary depending on the jurisdiction and legal requirements. Additionally, they may need to obtain proper consent or court orders, depending on the circumstances.

Requesting information from Apple must follow a certain pathway. Apple has published a number of guidelines for both US and non-US law enforcement officials.

The printable request form is available here:

The following general resources are available:

While the legal pathway ensures that the data is obtained with proper authorization, reinforcing the credibility of the evidence in any legal proceedings, the process may be lengthy and highly complicated. Moreover, Apple does not return any data that falls under the end-to-end encryption umbrella, which means absolutely no access to iCloud keychain (with the user’s logins and passwords), no messages, Safari history, and many other types of data that might become essential evidence. All of that data is downloadable with Elcomsoft Phone Breaker, but only if one has a screen lock passcode or system password to one of the user’s Apple devices registered in the same Apple ID account.

Legal considerations

In digital forensics, accessing and examining cloud-stored data comes with technical and legal challenges. Law enforcement often relies on such data for investigations, but accessing it requires following legal procedures like obtaining search warrants. The rise of cloud storage adds complexity, including jurisdictional issues and privacy concerns, complicating lawful data collection.

Efforts to regulate law enforcement access to cloud data aim to balance public safety and privacy rights. Policies shape the legal landscape in different sovereign states, while the U.S. CLOUD Act sets up a legal framework for cross-border data access. Compliance requires adherence to due process, and mutual legal assistance treaties aid lawful data access. Understanding these legal frameworks helps IT specialists collect and examine iCloud data lawfully, ensuring compliance and respecting privacy rights.

REFERENCES:

Elcomsoft Phone Breaker

Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud and Windows Phone devices! Download device backups from Apple iCloud and Microsoft OneDrive servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.

Elcomsoft Phone Breaker official web page & downloads »