Who needs access to iCloud Keychain, and why? The newly released Elcomsoft Phone Breaker 7.0 adds a single major feature that allows experts to extract, decrypt and view information stored in Apple’s protected storage. There are so many ifs and buts, such as needing the user’s Apple ID and password, accessing their i-device or knowing a secret security code, that one may legitimately wonder: what is it all about? Let’s find out about iCloud Keychain, why it’s so difficult to crack, and why it can be important for the expert.
iCloud Keychain is Apple’s best protected vault. Since iCloud Keychain keeps the user’s most sensitive information, it’s protected in every way possible. By breaking into the user’s iCloud Keychain, an intruder could immediately take control over the user’s online and social network accounts, profiles and identities, access their chats and conversations, and even obtain copies of personal identity numbers and credit card data. All that information is securely safeguarded.
Forensic access to iOS keychain is difficult due to several layers of encryption. Due to encryption, direct physical access to a locally stored keychain is normally impossible; the only possible acquisition options are through a local password-protected backup or iCloud Keychain.
The only way to extract a (local) keychain from an iOS device requires making a password-protected backup with iTunes or Elcomsoft iOS Forensic Toolkit (the latter automatically sets a temporary known password if one is not configured). The password is needed because unencrypted local backups encrypt the keychain with a hardware-based key; such backups can also be restored exclusively onto the same device that made them. Forensic access to these hardware-encrypted keychains is impossible unless a specific ‘securityd’ key can be obtained from the device, which is only possible for jailbroken 32-bit devices (iPhone 5c and older).
On the other hand, local backups that are encrypted with a password are easier to acquire since keychain data is encrypted with the same password as the rest of the backup. However, if the backup is protected with a long, unknown password, brute-forcing that password may take significant time or may not be possible at all, since Apple deliberately made the recovery extremely slow after the iOS 10.2 update (think 5 passwords per minute on a CPU, or about 100 passwords per second using a high-end GPU). If this is the case, downloading iCloud Keychain could be the only option to obtain the user’s stored passwords.
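As an added example (not code from this post or from Elcomsoft), here is the arithmetic behind the “may not be possible” claim: expected exhaustive-search times at the rates quoted above, plus the smallest password length that pushes a search past a chosen target. The two rates are the post’s figures; the character-set sizes, password policies and the ten-year target are assumptions chosen for illustration.

```python
# Added example: expected brute-force time for an encrypted iOS backup password
# at the post's stated iOS 10.2+ recovery rates. Rates are the post's figures;
# the password policies below are constructed for illustration.

CPU_RATE = 5 / 60.0   # ~5 passwords per minute on a CPU (post's figure)
GPU_RATE = 100.0      # ~100 passwords per second on a high-end GPU (post's figure)

# Assumed character-set sizes for a few common password policies.
CHARSET_SIZES = {
    "digits": 10,
    "lower": 26,
    "lower+digits": 36,
    "mixed+digits": 62,
    "mixed+digits+symbols": 95,   # printable ASCII
}

def keyspace(charset: str, length: int) -> int:
    """Number of candidate passwords of exactly `length` over the charset."""
    return CHARSET_SIZES[charset] ** length

def expected_seconds(charset: str, length: int, rate: float) -> float:
    """Expected time to hit the password: on average half the keyspace is tried."""
    return keyspace(charset, length) / 2 / rate

def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.0f} seconds"

def min_length_for(charset: str, rate: float, target_seconds: float) -> int:
    """Smallest password length whose expected search time exceeds the target."""
    n = CHARSET_SIZES[charset]
    length = 1
    while n ** length / 2 / rate < target_seconds:
        length += 1
    return length

if __name__ == "__main__":
    policies = [("digits", 4), ("digits", 6), ("lower", 8), ("mixed+digits+symbols", 12)]
    for charset, length in policies:
        cpu = human(expected_seconds(charset, length, CPU_RATE))
        gpu = human(expected_seconds(charset, length, GPU_RATE))
        print(f"{charset:>22} x{length:2}: CPU {cpu:>18} | GPU {gpu:>18}")
    ten_years = 10 * 365 * 86400
    print("min length (mixed+digits) for >10 years on a GPU:",
          min_length_for("mixed+digits", GPU_RATE, ten_years))
```

The numbers show why a short numeric backup password falls in minutes even at 100 attempts per second, while a dozen mixed characters is out of reach at these rates; the same estimate is what a defender uses to pick a backup password length.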
While we’ll review the technical details below, it is very important to understand what is and what is not possible to do with iCloud Keychain. First and foremost: Apple does not provide any tools or APIs to access iCloud Keychain. The only thing one could do with someone’s iCloud Keychain would be enrolling and syncing a new iOS device (such as an iPhone or iPad). Before EPB 7.0, there was simply no software that could directly access iCloud Keychain without restoring it onto an Apple device first.
So does iCloud Keychain store users’ passwords in the cloud, or does it not? In a rather confusing FAQ, Apple provides the following quote:
Can I set up iCloud Keychain so that my information isn’t backed up in iCloud?
Yes. When you set up iCloud Keychain, you can skip the step to create an iCloud Security Code. Your keychain data is then stored locally on the device, and updates across only your approved devices.
From this quote, it’s completely unclear under what circumstances iCloud Keychain does or does not keep a copy of the users’ passwords in the cloud because, well, the iCloud Security Code simply cannot be created at all if Two-Factor Authentication is enabled. We did our own research, and made the following observations (assuming that iCloud Keychain is enabled on the device).
If you are an expert doing the extraction, does it matter whether passwords are stored in the cloud or synced across enrolled devices? In fact, it does. Elcomsoft Phone Breaker 7.0 can only obtain iCloud Keychain from iCloud, and not from the synced devices.
Let’s have a closer look at how the process works. In order to gain access to iCloud Keychain, you will need the user’s Apple ID and password. This holds for accounts with and without two-factor authentication. However, this is where the similarities end: the rest of the process is different depending on whether or not the user has Two-Factor Authentication enabled on their Apple ID.
No Two-Factor Authentication
Two-Factor Authentication enabled
Technically speaking, a workaround for acquiring iCloud Keychain exists even if you don’t use Elcomsoft Phone Breaker. For non-forensic purposes, one could initialize a fresh (factory-reset) iOS device, enroll it into someone’s iCloud Keychain and pass all validation and verification steps using an existing iOS device. After that, iCloud Keychain would sync onto the device in due time (definitely much longer than just a few minutes). One can then make a local backup with iTunes, specifying a known password, and then decrypt the backup with Elcomsoft Phone Breaker. Technically, this would provide access to the user’s passwords.
However, the above process is decidedly non-forensic. It leaves severe footprints in the user’s Apple ID account, and may have the following consequences.
We are continuing our research of iCloud Keychain. Particularly, we aim to develop a system that would allow a much easier authentication into iCloud Keychain, ideally without using the password or any security codes at all (similar to what we already have for iCloud backups). Stay tuned for future development.
iCloud Keychain is a double-edged sword. While it can be a highly convenient secure transport for synchronizing passwords across multiple iOS and macOS devices, it also doubles as a cloud-based storage of said passwords. If your passwords are stored in the cloud, even encrypted, there is always the possibility of someone (be it the NSA, the FBI or Apple themselves) brute-forcing the passcode or iCloud Security Code and gaining access to the encrypted passwords. The keychain is securely protected against online attacks. Apple does not allow attackers to brute-force the passcode or iCloud Security Code, permanently erasing the encryption keys after a certain number of failed attempts. However, brute-force may still be possible with direct access to the protected data; whether or not the above-mentioned organizations have such access is debatable.
Notably, iCloud Keychain is a well-designed (even if highly confusing) and very well implemented system that does not have any weak points. What we did in Elcomsoft Phone Breaker 7.0 is not a hack or exploit. We still need all of the same information requested by Apple when enrolling a new device into the circle of trust, and we still cannot bypass security measures or brute-force our way in. However, building a standalone, software-based solution for accessing data stored in iCloud Keychain is a major achievement for our company and a major convenience for mobile forensic specialists.