Archive for the ‘Did you know that…?’ Category

Elcomsoft Phone Breaker 8, New Apple Devices and iOS 11

Thursday, September 14th, 2017

With all attention now being on new iPhone devices, it is easy to forget about the new version of iOS. While new iPhone models were mostly secret until announcement, everyone could test iOS 11 for months before the official release.

Out previous article touches the issue of iOS 11 forensic implications. In this article we’ll cover what you can and what you cannot do with an iOS 11 device as a forensic expert. We’ll talk about which acquisition methods still works and which don’t, what you can and cannot extract compared to iOS 10, and what you need to know in order to make the job don’t.

(more…)

iOS 11: jailbreaking, backups, keychain, iCloud – what’s the deal?

Thursday, September 14th, 2017

iOS 11 is finally here. We already covered some of the issues related to iOS 11 forensics, but that was only part of the story.

Should we expect a jailbreak? Is there still hope for physical acquisition? If not, is logical acquisition affected? Are there any notable changes in iCloud? What would be easier to do: logical or iCloud acquisition, and what are the prerequisites for either method? What do you begin with? How to make sure the suspect does not alter their iCloud storage or wipe their device in the process? Can we actually get more information from the cloud than from the device itself, even with physical, and why?

Spoiler: the short answer to the last question is “yes”. The long answer is a bit complicated. Keep reading.

(more…)

iOS 11 Does Not Fix iCloud and 2FA Security Problems You’ve Probably Never Heard About

Monday, September 11th, 2017

In the US, Factory Reset Protection (FRP) is a mandatory part of each mobile ecosystem. The use of factory reset protection in mobile devices helped tame smartphone theft by discouraging criminals and dramatically reducing resale value of stolen devices. Compared to other mobile ecosystems, Apple’s implementation of factory reset protection has always been considered exemplary. A combination of a locked bootloader, secure boot chain and obligatory online activation of every iPhone makes iCloud lock one exemplary implementation of factory reset protection.

All one needs to do is enable the Find My Phone option in iCloud settings. In fact, this option is enabled by default once you set up your new iPhone. After that, even if you lose your iPhone and someone else attempts to reset it to factory defaults, the device will be still locked to your iCloud account. Unlocking the device (removing iCloud lock) requires access to your Apple ID, password, and secondary authentication factor if you have Two-Factor Authentication enabled. Sounds pretty secure so far?

(more…)

iOS 9.3.5 Physical Acquisition Made Possible with Phoenix Jailbreak

Thursday, August 24th, 2017

If you watch industry news, you are probably aware of the new Phoenix jailbreak… or not. During the last several years, getting news about iOS jailbreaks from reliable sources became increasingly difficult. The sheer number of fake Web sites mimicking the look of well-known resources such as Pangu and TaiG made us extra careful when trying newly published exploits.

Back to Phoenix. This thing is for real. Phoenix claims support for iPhone 4s, 5/5c, iPad 2/3/4, iPad mini, and iPod 5g running the last version of iOS 9.3.5. We were able to verify these claims by successfully jailbreaking several test devices and using Elcomsoft iOS Forensic Toolkit to perform full physical acquisition (as in imaging and decrypting the physical data partition).

With Phoenix jailbreak, iOS Forensic Toolkit can perform physical acquisition of Apple’s 32-bit devices running iOS 9.3.5, which happens to be the last version of iOS 9. Users of iOS Forensic Toolkit can perform physical-level imaging and decryption of the data partition, decryption and examination of keychain items, and enjoy full unrestricted access to sandboxed app data. This level of access is simply not possible with any other acquisition methods. As an example, physical acquisition of jailbroken devices enables forensic access to saved email messages, passwords, and full conversation logs saved by some of the most secure messengers such as WhatsApp, Telegram, Signal, Skype and Facebook Messenger. Compared to iOS backup analysis, this method adds access to browser cache and temporary files, email messages, extended location history, and data that belongs to apps that explicitly disable backups.

(more…)

How to Extract iCloud Keychain with Elcomsoft Phone Breaker

Tuesday, August 22nd, 2017

Starting with version 7.0, Elcomsoft Phone Breaker has the ability to access, decrypt and display passwords stored in the user’s iCloud Keychain. The requirements and steps differ across Apple accounts, and depend on factors such as whether or not the user has Two-Factor Authentication, and if not, whether or not the user configured an iCloud Security Code. Let’s review the steps one needs to take in order to successfully acquire iCloud Keychain.

Pre-Requisites

Your ability to extract iCloud Keychain depends on whether or not the keychain in question is stored in the cloud. Apple provides several different implementations of iCloud Keychain. In certain cases, a copy of the keychain is stored in iCloud, while in some other cases it’s stored exclusively on user’s devices, while iCloud Keychain is used as a transport for secure synchronization of said passwords.

In our tests, we discovered that there is a single combination of factors when iCloud Keychain is not stored in the cloud and cannot be extracted with Elcomsoft Phone Breaker:

  • If the user’s Apple ID account has no Two-Factor Authentication and no iCloud Security Code

In the following combinations, the keychain is stored in the cloud:

  • If the user’s Apple ID account has no Two-Factor Authentication but has an iCloud Security Code (iCloud Security Code and one-time code that is delivered as a text message will be required)
  • If Two-Factor Authentication is enabled (in this case, one must enter device passcode or system password to any device already enrolled in iCloud Keychain)

In both cases, the original Apple ID and password are required. Obviously, a one-time security code is also required in order to pass Two-Factor Authentication, if enabled. (more…)

Acquiring Apple’s iCloud Keychain

Tuesday, August 22nd, 2017

Who needs access to iCloud Keychain, and why? The newly released Elcomsoft Phone Breaker 7.0 adds a single major feature that allows experts extracting, decrypting and viewing information stored in Apple’s protected storage. There are so many ifs and buts such as needing the user’s Apple ID and password, accessing their i-device or knowing a secret security code that one may legitimately wonder: what is it all about? Let’s find out about iCloud Keychain, why it’s so difficult to crack, and why it can be important for the expert.

What is iCloud Keychain

iCloud Keychain is Apple’s best protected vault. Since iCloud Keychain keeps the user’s most sensitive information, it’s protected in every way possible. By breaking in to the user’s iCloud Keychain, an intruder could immediately take control over the user’s online and social network accounts, profiles and identities, access their chats and conversations, and even obtain copies of personal identity numbers and credit card data. All that information is securely safeguarded.

Why It Can Be Important

Forensic access to iOS keychain is difficult due to several layers of encryption. Due to encryption, direct physical access to a locally stored keychain is normally impossible; the only possible acquisition options are through a local password-protected backup or iCloud Keychain. (more…)

The Past and Future of iCloud Acquisition

Monday, August 21st, 2017

In today’s world, everything is stored in the cloud. Your backups can be stored in the cloud. The “big brother” knows where you had lunch yesterday and how long you’ve been there. Your photos can back up to the cloud, as well as your calls and messages. Finally, your passwords are also stored online – at least if you don’t disable iCloud Keychain. Let’s follow the history of Apple iCloud, its most known hacks and our own forensic efforts.

The Timeline of iCloud and iOS Forensics

Our first iOS forensic product was released in February 2010. In 2010, we released what is known today as Elcomsoft Phone Breaker (we then called it “Elcomsoft Phone Password Breaker”). Back then, we were able to brute-force the password protecting encrypted iTunes-made iOS backups. At the time, this was it: you’ve got the password, and off you go. The tool did not actually decrypt the backup or displayed its content; it just recovered the password.

(more…)

Attacking the 1Password Master Password Follow-Up

Friday, August 18th, 2017

We received some great feedback on the original article about attacking master passwords of several popular password managers. In one discussion, our benchmark numbers for 1Password were questioned. We had no choice but to re-run the benchmarks and publish an updated chart along with some technical details and explanations. We bring our apologies to AgileBits, the developers of 1Password, for letting the wrong number creep in to our benchmark. Can we still break into 1Password by attacking the master password? Please bear with us for up-to-date information and detailed technical discussion.

We must make one thing extremely clear: this time we did not “hack” anything. We are using good old brute force, enhanced with GPU acceleration, to attack the user’s plain-text master password protecting password managers’ encrypted databases. The four password managers were and still remain secure providing that the user opts for a strong master password. If a truly secure master password is used, it would not be possible to break it within reasonable timeframe.

(more…)

Extract and Decrypt WhatsApp Backups from iCloud

Thursday, July 20th, 2017

Facebook-owned WhatsApp is the most popular instant messaging tool worldwide. Due to its point-to-point encryption, WhatsApp is an extremely tough target to extract.

As we already wrote in yesterday’s article, WhatsApp decryption is essential for the law enforcement since due to its popularity and extremely tough security it is a common choice among the criminals. However, the need for WhatsApp decryption is not limited to law enforcement. Us mere mortals may need access to our own communications when re-installing WhatsApp, changing devices or extracting conversations occurred on a device we no longer possess. Since WhatsApp data is not always available in iOS system backups, using WhatsApp’ own stand-alone cloud backup system is the more reliable choice compared to pretty much everything else.

Elcomsoft Explorer for WhatsApp can now access iPhone users’ encrypted WhatsApp communication histories stored in Apple iCloud Drive. If you have access to the user’s SIM card with a verified phone number, you can now use Elcomsoft Explorer for WhatsApp to circumvent the encryption and gain access to iCloud-stored encrypted messages. In this article, we’ll tell you how it works, and provide a step-by-step guide to extracting and decrypting WhatsApp backups from iCloud Drive.

(more…)