Author Archive

The Life and Death of iCloud Authentication Tokens: Historical Perspective

Thursday, November 30th, 2017

What are iCloud authentication tokens? How they are better than good old passwords? Do they ever expire and when? Where to get them? Is there anything else I should know about tokens? This publication opens a new series on token-based authentication.

A Brief History of iCloud Extraction

When we started working with Apple iCloud more than 5 years ago to allow users download their backups, we only supported the most straightforward authentication path via login and password. Since you had to supply an Apple ID and password anyway, many people wondered what the big deal with our software was. If it required a password anyway, could you just do the same by some standard means?

The thing is there is no “standard” means. All you can do with an iCloud backup without additional software is restoring a new Apple device from it; from there, you’re on your own. Also, you can only restore over Wi-Fi, and the process is extremely slow. It takes several hours to finish, and the iPhone you’re restoring will consume a lot more traffic than just the backup (it’ll also download and install app binaries from the App Store, which can be significantly larger than the backup itself).

(more…)

Breaking Apple iCloud: Reset Password and Bypass Two-Factor Authentication

Tuesday, November 28th, 2017

Who am I to tell you to use two-factor authentication on all accounts that support it? This recommendation coming from someone whose business is supplying law enforcement with tools helping them do their job might be taken with a grain of salt by an average consumer. Yet we still strongly believe that, however good a password you have to encrypt your local documents or NAS drives, any remotely popular online service absolutely requires an additional authentication factor.

We covered the risks related to passwords more than once. There is no lack of horror stories floating on the Internet, ranging from leaking private photos to suddenly losing access to all data and devices registered on a certain account. Today, smartphones store excessive amounts of information. If any of that data is synced with a cloud, the data will be shared with something other than just your device.

So what is that “other” thing that you need to secure access to your account? It might be something you have in addition to something you know. Something that cannot be easily stolen or accessed remotely. This is exactly what two-factor authentication is for.

All three major mobile companies, Apple, Google and Microsoft, offer very different implementations of two-factor authentication. Speaking Google, you have several convenient options: SMS (which is not really secure, and Google knows it), the recently added Google Prompt, the classic Google Authenticator app, printable backup codes, FIDO keys and a few more. (Spoiler: if you are on a different side and need to extract the data as opposed to protecting it, we have an app for that).

What about Apple? There are a few things you should definitely know about Apple’s implementation. The problem with Apple is that Apple accounts protected with two-factor authentication can be actually less secure at some points. Surprised? Keep reading.

(more…)

What can be extracted from locked iPhones with new iOS Forensic Toolkit

Thursday, November 9th, 2017

Tired of reading on lockdown/pairing records? Sorry, we can’t stop. Pairing records are the key to access the content of a locked iPhone. We have recently made a number of findings allowing us to extract even more information from locked devices through the use of lockdown records. It’s not a breakthrough discovery and will never make front page news, but having more possibilities is always great.

Physical acquisition rules if it can be done. Physical works like a charm for ancient devices (up to and including the iPhone 4). For old models such as the iPhone 4s, 5 and 5c, full physical acquisition can still be performed, but  only if the device is already unlocked and a jailbreak can be installed. All reasonably recent models (starting with the iPhone 5s and all the way up to the iPhone 7 – but no 8, 8 Plus or the X) can be acquired as well, but for those devices all you’re getting is a copy of the file system with no partition imaging and no keychain. At this time, no company in the world can perform the full physical acquisition (which would include decrypting the disk image and the keychain) for iPhone 5s and newer.

The only way to unlock the iPhone (5s and newer) is hardware-driven. For iOS 7 and earlier, as well as for some early 8.x releases, the process was relatively easy. With iOS 9 through 11, however, it is a headache. There is still a possibility to enter the device into the special mode when the number of passcode attempts is not limited and one can brute-force the passcode, albeit at a very low rate of up to several minutes per passcode.

The worst about this method is its very low reliability. You can use a cheap Chinese device for trying passcodes at your own risk, or pay a lot of money to somebody else who will do about the same for you. Those guys do have more experience, and the risk is lower, but there still is no warranty of any kind, and you won’t get your money back if they fail.

There are other possibilities as well. We strongly recommend you to try the alternative method described below before taking the risk of “bricking” the device or paying big money for nothing.

(more…)

The art of iOS and iCloud forensics

Thursday, November 2nd, 2017
  • The rise and fall of physical acquisition
  • Jailbreak to the rescue
  • In the shade of iCloud
  • iCloud Keychain acquisition hits the scene

iOS 11 has arrived, now running on every second Apple device. There could not be a better time to reminiscent how iOS forensics has started just a few short years ago. Let’s have a look at what was possible back then, what is possible now, and what can be expected of iOS forensics in the future.

(more…)

Can You Unlock That iPhone?

Monday, October 30th, 2017

“Can you unlock that iPhone?” is one of the most common questions we hear on various events and from our customers. There is no simple answer, but more often than not some options are available.

Just a few years back, the most common question was “can you crack that password?” We are still being asked that every other day, but locked iPhones are now more abundant than unknown passwords. There is a simple explanation for that: the iPhone is an ultimate source of evidence. That, before we even mention the many urgent cases when the phone needs to be unlocked.

Cover all possible scenarios in one short article would not be possible; for (much) more details you are welcome to read our Smartphone forensics book that explores the topic in depth. Keep reading to see what can be done in some cases.

(more…)

How To Obtain Real-Time Data from iCloud and Forget About 2FA with Just an Old iTunes Backup. No Passwords Needed

Monday, October 23rd, 2017

iOS forensics is always a lot of fun. Say, you’ve got an iPhone of a recent generation. It’s locked, you are blank about the passcode, and the worst part is it’s more than just the four proverbial digits (the last iOS defaults to six). And you don’t have their computer, and there is not an iCloud account either. A horror story where no one, even us, can do anything about it.

However, the reality has far more than 50 shades of (insert you favorite color). Almost every case is unique. Over 1.2 billion iPhones are sold to date, and they tend to show up in every other investigation. The iPhone is the ultimate source of evidence, no doubt.

(more…)

iOS 11: jailbreaking, backups, keychain, iCloud – what’s the deal?

Thursday, September 14th, 2017

iOS 11 is finally here. We already covered some of the issues related to iOS 11 forensics, but that was only part of the story.

Should we expect a jailbreak? Is there still hope for physical acquisition? If not, is logical acquisition affected? Are there any notable changes in iCloud? What would be easier to do: logical or iCloud acquisition, and what are the prerequisites for either method? What do you begin with? How to make sure the suspect does not alter their iCloud storage or wipe their device in the process? Can we actually get more information from the cloud than from the device itself, even with physical, and why?

Spoiler: the short answer to the last question is “yes”. The long answer is a bit complicated. Keep reading.

(more…)

iOS 11 Does Not Fix iCloud and 2FA Security Problems You’ve Probably Never Heard About

Monday, September 11th, 2017

In the US, Factory Reset Protection (FRP) is a mandatory part of each mobile ecosystem. The use of factory reset protection in mobile devices helped tame smartphone theft by discouraging criminals and dramatically reducing resale value of stolen devices. Compared to other mobile ecosystems, Apple’s implementation of factory reset protection has always been considered exemplary. A combination of a locked bootloader, secure boot chain and obligatory online activation of every iPhone makes iCloud lock one exemplary implementation of factory reset protection.

All one needs to do is enable the Find My Phone option in iCloud settings. In fact, this option is enabled by default once you set up your new iPhone. After that, even if you lose your iPhone and someone else attempts to reset it to factory defaults, the device will be still locked to your iCloud account. Unlocking the device (removing iCloud lock) requires access to your Apple ID, password, and secondary authentication factor if you have Two-Factor Authentication enabled. Sounds pretty secure so far?

(more…)

The Past and Future of iCloud Acquisition

Monday, August 21st, 2017

In today’s world, everything is stored in the cloud. Your backups can be stored in the cloud. The “big brother” knows where you had lunch yesterday and how long you’ve been there. Your photos can back up to the cloud, as well as your calls and messages. Finally, your passwords are also stored online – at least if you don’t disable iCloud Keychain. Let’s follow the history of Apple iCloud, its most known hacks and our own forensic efforts.

The Timeline of iCloud and iOS Forensics

Our first iOS forensic product was released in February 2010. In 2010, we released what is known today as Elcomsoft Phone Breaker (we then called it “Elcomsoft Phone Password Breaker”). Back then, we were able to brute-force the password protecting encrypted iTunes-made iOS backups. At the time, this was it: you’ve got the password, and off you go. The tool did not actually decrypt the backup or displayed its content; it just recovered the password.

(more…)

Attacking the 1Password Master Password Follow-Up

Friday, August 18th, 2017

We received some great feedback on the original article about attacking master passwords of several popular password managers. In one discussion, our benchmark numbers for 1Password were questioned. We had no choice but to re-run the benchmarks and publish an updated chart along with some technical details and explanations. We bring our apologies to AgileBits, the developers of 1Password, for letting the wrong number creep in to our benchmark. Can we still break into 1Password by attacking the master password? Please bear with us for up-to-date information and detailed technical discussion.

We must make one thing extremely clear: this time we did not “hack” anything. We are using good old brute force, enhanced with GPU acceleration, to attack the user’s plain-text master password protecting password managers’ encrypted databases. The four password managers were and still remain secure providing that the user opts for a strong master password. If a truly secure master password is used, it would not be possible to break it within reasonable timeframe.

(more…)