We’ve got a few forensic tools for getting data off the cloud, with Apple iCloud and Google Account being the two biggest sources. Every once in a while, the cloud providers (Google and Apple) change their protocols or authentication mechanisms, or employ additional security measures to prevent third-party access to user accounts. Every time this happens, we try to push a hotfix as soon as possible, sometimes in just a day or two. In this article, we’ll address our customers’ major concerns, explain in detail what’s going on with cloud access, and offer our predictions on what could happen next.
Update 19/05/2017: what we predicted has just happened. Apple implemented additional checks just two days ago. This time, the extra checks do not occur at the authentication stage. Instead, the company started rejecting download requests for backup data that originate from what appears to Apple to be a desktop computer (as opposed to an actual iPhone or iPad). Once again we had to rush a hotfix to our customers, releasing an update just today. Whether or not our solution stands the test of time is hard to tell at this point. It seems this is no longer a game but a war.
Apple blocking third-party clients creates numerous problems for our customers, who are either legitimate Apple users or law enforcement officials who must have access to critical evidence now, as opposed to maybe getting it from Apple in one or two weeks. This time it’s not about the security or privacy of Apple customers. After all, accounts protected with two-factor authentication are and have been safe. We had a similar experience with Adobe several years ago, and surprisingly, it turned out Adobe had reasons beyond the privacy or security of its customers.
We’ll begin with the most recent issue. Two weeks ago, Apple made changes to the iCloud authentication protocol, rendering most iCloud backups inaccessible with Elcomsoft Phone Breaker. If you attempted to use Elcomsoft Phone Breaker to access synced data, you would get the “Invalid Credentials” error. While you could still access iCloud backups created by devices running iOS 8.x (and earlier), newer backups (iOS 9.x and 10.x) would not be listed at all.
In broad terms, this error was the result of the changes Apple made to the authentication mechanism. The new authentication scheme added security checks, and now requires a valid device identifier as part of the sign-in.
For the purpose of extracting iCloud backups, Elcomsoft Phone Breaker presents itself as an iOS device being restored (as opposed to being just a Web browser). The new device-identifier requirement broke that approach, making it impossible for Elcomsoft Phone Breaker to authenticate. This alone was enough to effectively break iCloud backup access for all third-party tools, including our competitors’.
We fixed the issue on May 4, 2017, releasing a hotfix update just days after the change. The fix re-enables access to iCloud backups for Elcomsoft Phone Breaker. For now, we’re good to go. An update for Elcomsoft eXplorer for WhatsApp is on the way.
The broad picture does not look bright, though. With Apple constantly working on improving security, it seems only a matter of time before they lock it down completely. Proper end-to-end encryption of cloud backups, or verifying the device ID against the list of devices already trusted on the account, could effectively block third-party tools from accessing or decrypting iCloud backups. For now, we have fixed iCloud access. What will Apple do next to break it again?
Here at ElcomSoft, we can see the direction Apple is moving in. We are convinced that one day all iCloud accounts, without exception, will be protected with secure two-factor authentication. We also believe that sooner or later all iCloud backups will be securely encrypted (as opposed to the current scheme, in which the backups are “encrypted” with keys Apple itself holds), maybe with an additional user-defined password used in the same manner as for local iTunes backups, or maybe with a passcode similar to the one protecting iCloud Keychain. But none of this means we’re giving up. On the contrary, we’ll keep up our research and development, delivering the best possible solution given the circumstances.
As we started testing the hotfix release, we discovered that Apple locks some iCloud accounts after an iCloud backup is downloaded, requiring a password change before Apple ID-related services can be used again. Some customers reported that any account they use with Elcomsoft Phone Breaker is automatically locked within 48 hours, regardless of changing IP addresses between accounts.
This account lock is a server-side security measure; there is nothing we can do to fix it. There is no known workaround either. At this time, the account lock is temporary: a change of password through the regular means restores account access. Still, this is yet another demonstration that Apple has learned to detect when a third-party tool is used to sign in and access iCloud backups.
It’s a game of cat and mouse. Apple is continuously altering its encryption, communication protocols and data formats. As an example, iOS 10.3 introduced changes to the iCloud backup format (and to the file system on the device as well, though that did not affect the iCloud backups), making these backups incompatible not only with the then-current version of Elcomsoft Phone Breaker, but with earlier versions of iOS, too. We added iOS 10.3.x support to Elcomsoft Phone Breaker, but users who tried to downgrade from a beta version of iOS 10.3 back to the then-stable build could not get their data restored.
Monitoring the changes, researching the details and implementing fixes in a timely manner is exactly the kind of work covered by the fee we charge for yearly license updates. While you can keep using your last-updated version indefinitely (and it will continue to work with all data formats current at that time), any future changes to communication protocols, encryption and data formats will need additional work to accommodate. This is what you pay for when renewing your license. That’s what it costs us to release one year’s worth of updates, and this is the price for the whole year, including dozens of fixes and many new features.
Finally, there are conspiracy rumors floating around accusing manufacturers of intentionally breaking the functionality of their products in order to charge for updates. While we cannot vouch for every business around (after all, even HP shipped a keylogger in an audio driver), rest assured ElcomSoft is not into that sort of thing. Cheating valued customers, including people from the military, intelligence and law enforcement, is not our cup of tea.