Posts Tagged ‘iCloud’

In today’s usage scenarios, messaging are not entirely about the text. Users exchange pictures and short videos, voice recordings and their current locations. These types of data are an important part of conversation histories; they can be just as valuable evidence as the text content of the chat.

Apple ecosystem offers a built-in messenger, allowing users to exchange iMessages between Apple devices. This built-in messenger is extremely popular among Apple users. Back in 2016, Apple’s Senior VP announced that more than 200,000 iMessages are sent every second.

All current versions of iOS are offering seamless iCloud synchronization for many categories of data. Starting with iOS 11.4, Apple devices can synchronize messages via iCloud. iMessages and text messages can be now stored in the user’s iCloud account and synchronized across all of the user’s devices sharing the same Apple ID. This synchronization works in a similar manner to call logs, iCloud Photo Library or iCloud contacts sync (albeit with somewhat longer delays). However, Apple will not provide neither the messages themselves nor their attachments when fulfilling LE requests or GDPR pullouts. Why is this happening, how to extract messages from iCloud accounts and what kind of evidence we can find in attachments? Read along to find out.

(more…)

iMessage is undoubtedly one of the most popular instant messaging platforms for an obvious reason: it’s built in to iOS and ships with every iPhone by default. iMessage does not require complex setup, so the number of iMessage users is closely matching the number of iPhone users. Apple sells about 200 million iPhones every year, and the total number of iPhones sold is more than a billion. Unless you absolutely must chat with someone outside of Apple’s ecosystem (like those poor Android folks), you won’t need Skype, WhatsApp or Telegram. It’s also comforting to know that iMessage works everywhere around the world while most other messengers are oppressed in one or more countries.

But what about iMessage security? Is it safe to use if you’re concerned about your privacy? Is there a reason why countries such as China, Iran or Russia block other messengers but keep iMessage going? Is it safe from hackers? What about Law Enforcement? And what about Apple itself? It must have access to your messages to target the ads, right? Is it OK to send those private snapshots or share your location via iMessage?

There is no simple answer, but we’ll do our best to shed some light on that.

(more…)

Cloud analysis is arguably the future of mobile forensics. Whether or not the device is working or physically accessible, cloud extraction often allows accessing amounts of information far exceeding those available in the device itself.

Accessing cloud evidence requires proper authentication credentials, be it the login and password or credentials cached in the form of a binary authentication token. Without authentication credentials, one cannot access the data. However, contrary to popular belief, even if proper authentication credentials are available, access to evidence stored in the cloud is not a given. In this article we’ll tell you how to access information stored in Apple iCloud with and without using forensic tools. (more…)

iOS 11.4 has finally brought a feature Apple promised almost a year ago: the iMessage sync via iCloud. This feature made its appearance in iOS 11 beta, but was stripped from the final release. It re-appeared and disappeared several times during the iOS 11 development cycle, and has finally made it into iOS 11.4. Let’s have a look at how iMessages are protected and how to download them from iCloud.

iMessages in iCloud

Even before iOS 11 Apple had Continuity (https://support.apple.com/en-us/HT204681), a convenient mechanism for accessing iMessages from multiple Apple devices registered with the same Apple ID. With Continuity, users can effectively send and receive iMessages on their Mac. Speaking of Mac computers, one could access iMessages by simply signing in to the same iCloud account in the Messages app. Without Continuity, one would only receive iMessages with no SMS; with Continuity, both iMessages and SMS messages would be delivered.

However, even with Continuity in place, iMessages were never stored in iCloud or synced with iCloud. Instead, the messages were only stored locally on enrolled devices. This led to a major problem, making it impossible for the user to keep iMessage conversations in sync between their iPhone, iPad and Mac devices. If the user deleted a message in the iPhone app, it would not be deleted on their Mac, and vice versa. Forensic experts knew about this, and made active use of this feature. Multiple cases are known where law enforcement experts were analyzing the user’s Mac in order to gain access to iMessages that were already wiped from their iPhone.

iCloud sync for iMessage introduced in iOS 11.4 takes care of this problem by changing the way iMessage sync is handled. Instead of using the flawed Continuity mechanism, iOS 11.4 now stores iMessages in iCloud. The messages are automatically synchronized across all enrolled devices on the user’s Apple ID. iCloud sync works similar to existing synchronizations such as iCloud Keychain, iCloud Photo Library or iCloud contacts. (more…)

We also trust these companies in ways that we do not understand yet. How many of you trust Apple? No voting… Just me 🙂 Damn! OK. May I ask you a very good question. Trusting to do what? Trusting when they say: “iMessages are end-to-end encrypted”? I mean, with all of that massive security engineering, to make sure it’s as good as it can be, so they genuinely believe they’ve done that. I do, generally, they’re great people. But… people believe themselves they can defend themselves against the Russians. If the Russians specifically targeted Apple, it’s only they can defend themselves.Ian Levy, director at the GCHQ on anniversary of the foundation of the FIPR event that was held on 29/04/2018).

This is probably just a co-incident, but “the Russians” are concerned about iCloud security, too.

(more…)

On February 28, 2018, Apple has officially moved its Chinese iCloud operations and encryption keys to China. The reaction to this move from the media was overwhelmingly negative. The Verge, The Guardian, Reuters, Wired, and CNN among other Western media outlets expressed their concerns about the Chinese government potentially violating the human rights of its citizens. Politics aside, we will review Apple policies governing the Chinese accounts, and look into the technical implementation of Chinese iCloud operations. Let us see if the fears are substantiated.

The Fear of China

Even if the change only affects iCloud accounts registered in mainland China, there is no lack of publications bashing apple for complying with Chinese laws. Below are just a few stories from the top of the news feed.

Journalists express their concerns regarding the potential violation of Chinese users human rights. “In the past, if Chinese authorities wanted to access [Chinese] Apple’s user data, they had to go through an international legal process and comply with U.S. laws on user rights, according to Ronald Deibert, director of the University of Toronto’s Citizen Lab, which studies the intersection of digital policy and human rights. “They will no longer have to do so if iCloud and cryptographic keys are located in China’s jurisdiction,” he told CNNMoney.” [CNN]

(more…)

Apple has a wonderfully integrated ecosystem. Apple computers, tablets and phones conveniently synchronize information such as passwords, Web browsing history, contacts and call logs across all of the user’s devices. This synchronization mechanism uses iCloud to sync and store information. The syncing mechanism works independently from iOS system backups that are also stored in iCloud (or iCloud Drive). As opposed to daily iCloud backups, synchronized data is updated and propagated across devices in almost real time. Extracting this information can be invaluable for investigations as it provides access to the most up to date information about the user, their activities and whereabouts.

What exactly is synced through iCloud? The screen shot above lists all options available in iOS 11. As you can see, the following types of data are (or can be) synced across Apple devices:

  • Photos (iCloud Photo Library)
  • Mail (iCloud mail only)
  • Contacts, Calendars and Reminders
  • Safari (browsing history, bookmarks and tabs open on other devices)
  • Game Center (profiles, achievements and game progress)
  • Siri (requests, settings)
  • Keychain (iCloud Keychain stores passwords and forms from Safari, iOS system, Apple and some third-party apps, but not Google Chrome)
  • iCloud backups (up to last 3 copies per device, created daily while charging)
  • iBooks, Pages, Numbers and Keynote (e-books, PDF files, documents)
  • Maps (user’s search history, routes and places)
  • Wallet
  • Wi-Fi

(more…)

iOS 11 introduced multiple changes to its security model. Some of these changes are highly welcome, while we aren’t exactly fond of some others. In this quick reference guide, we tried to summarize all the changes introduced by iOS 11 in the security department.

Compared to iOS 10 and earlier versions of the system, iOS 11 introduced the following security changes:

–  Reset password to local backups (passcode required), which makes logical acquisition trivial

–  For 2FA accounts, reset Apple ID password and change trusted phone number with just device passcode (possible for both iOS 11 and iOS 10)

–  Health data sync with iCloud (users can disable)

+  Passcode required to establish trust relationship with a PC (Touch ID/Face ID can no longer be used to pair)

+  Quickly and discretely disable Touch ID/Face ID via S.O.S. mode

+  Automatically call emergency number (push side button 5 times in rapid succession)

+  iOS 11 strongly suggests enabling Two-Factor Authentication in multiple places

+  Two-Step Verification (2SV) is no longer available

Additionally, in macOS High Sierra, Desktop and Documents folders now sync with iCloud (user can disable).

In our previous blog post, we wrote everything we know about authentication tokens and Anisette data, which might allow you to bypass the “login, password and two-factor authentication” sequence. Let us have a look at how you can actually extract those tokens from a trusted computer and use them on a different computer to access a user’s iCloud account. Read Part 1 and Part 2 of the series.

Extracting Authentication Tokens from a Live System (Windows)

Extracting authentication token from a live system is as easy as running a small, stand-alone executable file you get as part of the Elcomsoft Phone Breaker package. The tool is called ATEX (atex.exe on Windows), and stands for Authentication Token Extractor.

Using the tools is extremely simple. Make sure you are logged on under the user you’re about to extract the token from, and launch ATEX with no arguments. The file named “icloud_token_<timestamp>.txt” will be created in the same folder where you launch the tool from (or C:\Users\<user_name>\AppData\Local\Temp if there are not enough permissions).

(more…)

iCloud authentication tokens in particular are difficult to grasp. What are they, what tools are they created with, where they are stored, and how and when they can be used are questions that we’re being asked a lot. Let’s try to put things together. Read Part 1 of the series.

What Authentication Tokens Are and What They Aren’t

And authentication token is a piece of data that allows the client (iCloud for Windows, Elcomsoft Phone Breaker etc.) to connect to iCloud servers without providing a login and password for every request. This piece of data is stored in a small file, and that file can be used to spare the user from entering their login and password during the current and subsequent sessions.

On the other hand, authentication tokens do not contain a password. They don’t contain a hashed password either. In other words, a token cannot be used to attack the password.

What They Are Good For and How to Use

Authentication tokens may be used instead of the login and password (and secondary authentication factor) to access information stored in the user’s iCloud account. This information includes:

  • iCloud backups (however, tokens expire quickly)
  • iCloud Photo Library, including access to deleted photos
  • Call logs
  • Notes, calendars, contacts, and a lot of other information

Using iCloud authentication tokens is probably the most interesting part. You can use an authentication token in Elcomsoft Phone Breaker Forensic to sign in to Apple iCloud and use iCloud services (download cloud backups, photos, synchronized data etc.) without knowing the user’s Apple ID password and without having to deal with Two-Factor Authentication.

Authentication tokens can be used for:

  • Signing in to iCloud services
  • Without Apple ID password
  • Without having to pass Two-Factor Authentication

(more…)