Starting with version 7.0, Elcomsoft Phone Breaker has the ability to access, decrypt and display passwords stored in the user’s iCloud Keychain. The requirements and steps differ across Apple accounts, and depend on factors such as whether or not the user has Two-Factor Authentication, and if not, whether or not the user configured an iCloud Security Code. Let’s review the steps one needs to take in order to successfully acquire iCloud Keychain.
Pre-Requisites
Your ability to extract iCloud Keychain depends on whether or not the keychain in question is stored in the cloud. Apple provides several different implementations of iCloud Keychain. In certain cases, a copy of the keychain is stored in iCloud, while in some other cases it’s stored exclusively on user’s devices, while iCloud Keychain is used as a transport for secure synchronization of said passwords.
In our tests, we discovered that there is a single combination of factors when iCloud Keychain is not stored in the cloud and cannot be extracted with Elcomsoft Phone Breaker:
- If the user’s Apple ID account has no Two-Factor Authentication and no iCloud Security Code
In the following combinations, the keychain is stored in the cloud:
- If the user’s Apple ID account has no Two-Factor Authentication but has an iCloud Security Code (iCloud Security Code and one-time code that is delivered as a text message will be required)
- If Two-Factor Authentication is enabled (in this case, one must enter device passcode or system password to any device already enrolled in iCloud Keychain)
In both cases, the original Apple ID and password are required. Obviously, a one-time security code is also required in order to pass Two-Factor Authentication, if enabled. (more…)