ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»

Archive for the ‘Tips & Tricks’ Category

Messages in iCloud: How to Extract Full Content Including Media Files, Locations and Documents

Thursday, November 15th, 2018

In today’s usage scenarios, messaging are not entirely about the text. Users exchange pictures and short videos, voice recordings and their current locations. These types of data are an important part of conversation histories; they can be just as valuable evidence as the text content of the chat.

Apple ecosystem offers a built-in messenger, allowing users to exchange iMessages between Apple devices. This built-in messenger is extremely popular among Apple users. Back in 2016, Apple’s Senior VP announced that more than 200,000 iMessages are sent every second.

All current versions of iOS are offering seamless iCloud synchronization for many categories of data. Starting with iOS 11.4, Apple devices can synchronize messages via iCloud. iMessages and text messages can be now stored in the user’s iCloud account and synchronized across all of the user’s devices sharing the same Apple ID. This synchronization works in a similar manner to call logs, iCloud Photo Library or iCloud contacts sync (albeit with somewhat longer delays). However, Apple will not provide neither the messages themselves nor their attachments when fulfilling LE requests or GDPR pullouts. Why is this happening, how to extract messages from iCloud accounts and what kind of evidence we can find in attachments? Read along to find out.

(more…)

iMessage Security, Encryption and Attachments

Thursday, November 15th, 2018

iMessage is undoubtedly one of the most popular instant messaging platforms for an obvious reason: it’s built in to iOS and ships with every iPhone by default. iMessage does not require complex setup, so the number of iMessage users is closely matching the number of iPhone users. Apple sells about 200 million iPhones every year, and the total number of iPhones sold is more than a billion. Unless you absolutely must chat with someone outside of Apple’s ecosystem (like those poor Android folks), you won’t need Skype, WhatsApp or Telegram. It’s also comforting to know that iMessage works everywhere around the world while most other messengers are oppressed in one or more countries.

But what about iMessage security? Is it safe to use if you’re concerned about your privacy? Is there a reason why countries such as China, Iran or Russia block other messengers but keep iMessage going? Is it safe from hackers? What about Law Enforcement? And what about Apple itself? It must have access to your messages to target the ads, right? Is it OK to send those private snapshots or share your location via iMessage?

There is no simple answer, but we’ll do our best to shed some light on that.

(more…)

iPhone Xs PWM Demystified: How to Reduce Eyestrain by Disabling iPhone Xs and Xs Max Display Flicker

Tuesday, October 30th, 2018

The iPhone Xs employs a revised version of the OLED panel we’ve seen in last year’s iPhone X. The iPhone Xs Max uses a larger, higher-resolution version of the panel. Both panels feature higher peak brightness compared to the OLED panel Apple used in the iPhone X. While OLED displays are thinner and more power-efficient compared to their IPS counterparts, most OLED displays (including those installed in the iPhone Xs and Xs max) will flicker at lower brightness levels. The screen flickering is particularly visible in low ambient brightness conditions, and may cause eyestrain with sensitive users. The OLED flickering issue is still mostly unheard of by most consumers. In this article we will demystify OLED display flickering and provide a step by step instruction on how to conveniently disable (and re-enable) PWM flickering on iPhone Xs and Xs Max displays to reduce eyestrain. (more…)

Everything You Wanted to Know about Activation Lock and iCloud Lock

Thursday, October 4th, 2018

Working in a mobile forensic company developing tools for iCloud forensics, logical and physical extraction of iPhone devices, we don’t live another day without being asked if (or “how”) we can help remove iCloud lock from a given iPhone. Without throwing a definite “yes” or “no” (or “just buy this tool”), we’ve decided to gather everything we know about bypassing, resetting and disabling iCloud activation lock on recent Apple devices.

What Is Activation Lock (iCloud Lock)?

Activation Lock, or iCloud Lock, is a feature of Find My iPhone, Apple’s proprietary implementation of a much wider protection system generally referred as Factory Reset Protection (FRP). Factory Reset Protection, or “kill switch”, is regulated in the US via the Smartphone Theft Prevention Act of 2015. The Act requires device manufacturers to feature a so-called “kill switch” allowing legitimate users to remotely wipe and lock devices. The purpose of the kill switch was to discourage smartphone theft by dramatically reducing resale value of stolen devices.

According to Apple, “Activation Lock is a feature that’s designed to prevent anyone else from using your iPhone, iPad, iPod touch, or Apple Watch if it’s ever lost or stolen. Activation Lock is enabled automatically when you turn on Find My iPhone. … Even if you erase your device remotely, Activation Lock can continue to deter anyone from reactivating your device without your permission. All you need to do is keep Find My iPhone turned on, and remember your Apple ID and password.” (more…)

Cloud Forensics: Why, What and How to Extract Evidence

Thursday, September 6th, 2018

Cloud analysis is arguably the future of mobile forensics. Whether or not the device is working or physically accessible, cloud extraction often allows accessing amounts of information far exceeding those available in the device itself.

Accessing cloud evidence requires proper authentication credentials, be it the login and password or credentials cached in the form of a binary authentication token. Without authentication credentials, one cannot access the data. However, contrary to popular belief, even if proper authentication credentials are available, access to evidence stored in the cloud is not a given. In this article we’ll tell you how to access information stored in Apple iCloud with and without using forensic tools. (more…)

USB Restricted Mode Inside Out

Thursday, July 12th, 2018

It’s been a lot of hype around the new Apple security measure (USB restricted mode) introduced in iOS 11.4.1. Today we’ll talk about how we tested the new mode, what are the implications, and what we like and dislike about it. If you are new to the topic, consider reading our blog articles first (in chronological order):

To make a long story short: apparently, Apple was unable to identify and patch vulnerabilities allowing to break passcodes. Instead, they got this idea to block USB data connection after a period of time, so no data transfer can even occur after a certain “inactivity” period (keep reading about the definition of “inactivity”). It is somehow similar to how Touch ID/Face ID expire from time to time, so you can only use the passcode if you did not unlock the device for a period of time. Same for USB now.

(more…)

Apple Warns Users against Jailbreaking iOS Devices: True or False?

Monday, July 2nd, 2018

Apple has an article on their official Web site, warning users against jailbreaking iOS devices. The article “Unauthorized modification of iOS can cause security vulnerabilities, instability, shortened battery life, and other issues” is available at https://support.apple.com/en-us/HT201954. How much truth is in that article, and is jailbreaking as dangerous as Apple claims? We’ll comment the article based on our extensive experience in jailbreaking more than a hundred devices running every version of iOS imaginable.

Security Vulnerabilities

Apple introduces the concept of jailbreaking by stating the following: “iOS is designed to be reliable and secure from the moment you turn on your device. Built-in security features protect against malware and viruses and help to secure access to personal information and corporate data. Unauthorized modifications to iOS (also known as “jailbreaking”) bypass security features and can cause numerous issues to the hacked iPhone, iPad, or iPod touch” (HT201954). According to Apple, jailbreaking introduces security vulnerabilities by “…eliminating security layers designed to protect your personal information and your iOS device.

True. Jailbreaking is a process that is specifically designed to circumvent security layers designed to protect information on iOS devices. In fact, this is exactly why we need a jailbreak for tools such as Elcomsoft iOS Forensic Toolkit to operate. Without a jailbreak, we would not be able to access the file system, extract sandboxed app data or decrypt the keychain (including items secured with the highest protection class). Installing a jailbreak, on the other hand, allows us doing all of that – and more. (more…)

Breaking Deeper Into iPhone Secrets

Wednesday, June 20th, 2018

iPhone protection becomes tougher with each iteration. The passcode is extremely hard to break, and it’s just the first layer of defense. Even if the device is unlocked or if you know the passcode, it is not that easy and sometimes impossible to access all the data stored on the device. This includes, for example, conversations in Signal, one of the most secure messengers. Apple did a very good job as a privacy and security advocate.

This is why we brought our attention to cloud acquisition. We pioneered iCloud backup extraction several years ago, and we are working hard to acquire more data from the cloud: from the standard categories available at www.icloud.com (such as contacts, notes, calendars, photos and more) to hidden records as call logs, Apple Maps places and routes, third-party application data stored on iCloud drive (not accessible by any other means), iCloud keychain (the real gem!), and recently Messages (with iOS 11.4, they can be synced too).

Cloud acquisition is not as easy as it sounds. First, you need the user’s credentials – Apple ID and password at very least, and often the second authentication factor. Additionally, for some categories (such as the keychain and messages), you’ll also need the passcode of one of the ‘trusted’ devices. But even having all of those, you will still face the undocumented iCloud protocols, encryption (usually based on well-known standard algorithms, but sometimes with custom modifications), different data storage formats, code obfuscation and hundreds of other issues. We learned how to fool Two-Factor Authentication and extract and the authentication tokens from desktops. We are playing “cat and mouse” with Apple while they are trying to lock iCloud accounts when detecting that our software is being used to access the data. We have to monitor Apple’s changes and updates almost 24/7, installing every single beta version of iOS.

iCloud acquisition gives fantastic results. In most cases, you do not need the device itself (it may be lost or forgotten, or thousands miles away). You can obtain deleted data that is not stored on any physical device anymore. You can obtain tons of valuable evidence from all the devices connected to the account.

But as always, there are some “buts”. Sorry for the long intro, and let’s proceed to what we have done about iPhone physical acquisition.

(more…)

iCloud and iMessage Security Concerns

Thursday, June 14th, 2018

We also trust these companies in ways that we do not understand yet. How many of you trust Apple? No voting… Just me 🙂 Damn! OK. May I ask you a very good question. Trusting to do what? Trusting when they say: “iMessages are end-to-end encrypted”? I mean, with all of that massive security engineering, to make sure it’s as good as it can be, so they genuinely believe they’ve done that. I do, generally, they’re great people. But… people believe themselves they can defend themselves against the Russians. If the Russians specifically targeted Apple, it’s only they can defend themselves.Ian Levy, director at the GCHQ on anniversary of the foundation of the FIPR event that was held on 29/04/2018).

This is probably just a co-incident, but “the Russians” are concerned about iCloud security, too.

(more…)

Apple Strikes Back: the iPhone Cracking Challenge

Friday, May 11th, 2018

We live in the era of mobile devices with full-disk encryption, dedicated security co-processors and multiple layers of security designed to prevent device exploitation. The recent generations of Apple mobile devices running iOS 10 and 11 are especially secure, effectively resisting experts’ efforts to extract evidence. Yet, several solutions are known to counter Apple’s security measures even in iOS 11 and even for the last-generation devices. It is not surprising that Apple comes up with counter measures to restrict the effectiveness and usability of such methods, particularly by disabling USB data connection in iOS 11.4 after prolonged inactivity periods (well, in fact it is still in question whether this feature will be available in new iOS version or not; it seems it is not ready yet, and may be delayed till iOS 12).

Today, we’ll discuss the main challenges of iOS forensics, look at some of the most interesting solutions available to law enforcement, and share our experience gaining access to some of the most securely protected evidence stored in Apple iOS devices. (more…)