Posts Tagged ‘iCloud’

iCloud authentication tokens in particular are difficult to grasp. What are they, what tools are they created with, where they are stored, and how and when they can be used are questions that we’re being asked a lot. Let’s try to put things together. Read Part 1 of the series.

What Authentication Tokens Are and What They Aren’t

And authentication token is a piece of data that allows the client (iCloud for Windows, Elcomsoft Phone Breaker etc.) to connect to iCloud servers without providing a login and password for every request. This piece of data is stored in a small file, and that file can be used to spare the user from entering their login and password during the current and subsequent sessions.

On the other hand, authentication tokens do not contain a password. They don’t contain a hashed password either. In other words, a token cannot be used to attack the password.

What They Are Good For and How to Use

Authentication tokens may be used instead of the login and password (and secondary authentication factor) to access information stored in the user’s iCloud account. This information includes:

  • iCloud backups (however, tokens expire quickly)
  • iCloud Photo Library, including access to deleted photos
  • Call logs
  • Notes, calendars, contacts, and a lot of other information

Using iCloud authentication tokens is probably the most interesting part. You can use an authentication token in Elcomsoft Phone Breaker Forensic to sign in to Apple iCloud and use iCloud services (download cloud backups, photos, synchronized data etc.) without knowing the user’s Apple ID password and without having to deal with Two-Factor Authentication.

Authentication tokens can be used for:

  • Signing in to iCloud services
  • Without Apple ID password
  • Without having to pass Two-Factor Authentication

(more…)

What are iCloud authentication tokens? How they are better than good old passwords? Do they ever expire and when? Where to get them? Is there anything else I should know about tokens? This publication opens a new series on token-based authentication.

A Brief History of iCloud Extraction

When we started working with Apple iCloud more than 5 years ago to allow users download their backups, we only supported the most straightforward authentication path via login and password. Since you had to supply an Apple ID and password anyway, many people wondered what the big deal with our software was. If it required a password anyway, could you just do the same by some standard means?

The thing is there is no “standard” means. All you can do with an iCloud backup without additional software is restoring a new Apple device from it; from there, you’re on your own. Also, you can only restore over Wi-Fi, and the process is extremely slow. It takes several hours to finish, and the iPhone you’re restoring will consume a lot more traffic than just the backup (it’ll also download and install app binaries from the App Store, which can be significantly larger than the backup itself).

(more…)

We loved what Apple used to do about security. During the past years, the company managed to build a complete, multi-layer system to secure its hardware and software ecosystem and protect its customers against common threats. Granted, the system was not without its flaws (most notably, the obligatory use of a trusted phone number – think SS7 vulnerability – for the purpose of two-factor authentication), but overall it was still the most secure mobile ecosystem on the market.

Not anymore. The release of iOS 11, which we praised in the past for the new S.O.S. mode and the requirement to enter a passcode in order to establish trust with a new computer, also made a number of other changes under the hood that we have recently discovered. Each and every one of these changes was aimed at making the user’s life easier (as in “more convenience”), and each came with a small trade off in security. Combined together, these seemingly small changes made devastating synergy, effectively stripping each and every protection layer off the previously secure system. Today, only one thing is protecting your data, your iOS device and all other Apple devices you have registered on your Apple account.

The passcode. This is all that’s left of iOS security in iOS 11. If the attacker has your iPhone and your passcode is compromised, you lose your data; your passwords to third-party online accounts; your Apple ID password (and obviously the second authentication factor is not a problem). Finally, you lose access to all other Apple devices that are registered with your Apple ID; they can be wiped or locked remotely. All that, and more, just because of one passcode and stripped-down security in iOS 11.

(more…)

  • The rise and fall of physical acquisition
  • Jailbreak to the rescue
  • In the shade of iCloud
  • iCloud Keychain acquisition hits the scene

iOS 11 has arrived, now running on every second Apple device. There could not be a better time to reminiscent how iOS forensics has started just a few short years ago. Let’s have a look at what was possible back then, what is possible now, and what can be expected of iOS forensics in the future.

(more…)

Who needs access to iCloud Keychain, and why? The newly released Elcomsoft Phone Breaker 7.0 adds a single major feature that allows experts extracting, decrypting and viewing information stored in Apple’s protected storage. There are so many ifs and buts such as needing the user’s Apple ID and password, accessing their i-device or knowing a secret security code that one may legitimately wonder: what is it all about? Let’s find out about iCloud Keychain, why it’s so difficult to crack, and why it can be important for the expert.

What is iCloud Keychain

iCloud Keychain is Apple’s best protected vault. Since iCloud Keychain keeps the user’s most sensitive information, it’s protected in every way possible. By breaking in to the user’s iCloud Keychain, an intruder could immediately take control over the user’s online and social network accounts, profiles and identities, access their chats and conversations, and even obtain copies of personal identity numbers and credit card data. All that information is securely safeguarded.

Why It Can Be Important

Forensic access to iOS keychain is difficult due to several layers of encryption. Due to encryption, direct physical access to a locally stored keychain is normally impossible; the only possible acquisition options are through a local password-protected backup or iCloud Keychain. (more…)

WhatsApp is one of the most secure messengers with full end-to-end encryption. Messages exchanged between WhatsApp users are using an encrypted point-to-point communication protocol rendering man-in-the-middle attacks useless. WhatsApp communications are never stored or backed up on WhatsApp servers. All this makes government snooping on WhatsApp users increasingly difficult.

WhatsApp has more than a billion users. WhatsApp makes use of the Open Whisper Signal communication protocol to secure communications with end-to-end encryption. WhatsApp users rely on that security to freely exchange messages, discuss sensitive things and, with limited success, avoid religious and political oppression in certain countries. Today, some governments attempt to criminalize WhatsApp protection measures, ban end-to-end encryption and do everything in their power to undermining trust in secure communication tools. What is it all about, and how to find the right balance between public safety and security is the topic of this article.

(more…)

In early July, 2017, Apple has once again revised security measures safeguarding iCloud backups. This time around, the company has altered the lifespan of iCloud authentication tokens, making them just as short-lived as they used to be immediately after celebgate attacks. How this affects your ability to access iCloud data, which rules apply to iCloud tokens, for how long you can still use the tokens and how this affected regular users will be the topic of this article.

(more…)

There are three major mobile operating systems, and three major cloud services. Most Android users are deep into the Google’s ecosystem. iCloud is an essential part of iOS, while cloud services provided by Microsoft under the OneDrive umbrella are used not only by the few Windows Phone and Windows 10 Mobile customers but by users of other mobile and desktop platforms.

In this article, we’ll try to figure out what types of data are available for extraction and forensic analysis in the three major cloud platforms: Apple iCloud, Google Account and Microsoft Account.

Acquisition Tools

For the purpose of this article, we will use ElcomSoft-developed cloud extraction tools.

(more…)

As we already know, Apple syncs many types of data across devices that share the same Apple ID. Calls logs, contacts, Safari tabs and browsing history, favorites and notes can be synced. The syncing mechanism supposedly synchronizes newly created, edited and deleted items. These synchronizations work near instantly with little or no delay.

Apple is also known for keeping some items that users want to be deleted. As a reminder, this is a brief history of our findings:

What’s It All About?

Apple has a great note taking app that comes pre-installed on phones, tablets and computers. The Notes app offers the ability to take notes and sync them with the cloud to other devices using the same Apple ID. We discovered that Apple apparently retains in the cloud copies of the users’ notes that were deleted by the user. Granted, deleted notes can be accessed on iCloud.com for some 30 days through the “Recently Deleted” folder; this is not it. We discovered that deleted notes are actually left in the cloud way past the 30-day period, even if they no longer appear in the “Recently Deleted” folder.

For accessing those notes, we updated Elcomsoft Phone Breaker to version 6.50. (more…)

We’ve got a few forensic tools for getting data off the cloud, with Apple iCloud and Google Account being the biggest two. Every once in a while, the cloud owners (Google and Apple) make changes to their protocols or authentication mechanisms, or employ additional security measures to prevent third-party access to user accounts. Every time this happens, we try to push a hotfix as soon as possible, sometimes in just a day or two. In this article, we’ll try to address our customers’ major concerns, give detailed explanations on what’s going on with cloud access, and provide our predictions on what could happen in the future.

Update 19/05/2017: what we predicted has just happened. Apple has implemented additional checks just two days ago. This time, the extra checks do not occur during the authentication stage. Instead, the company started blocking pull requests for backup data originating from what appears to Apple as a desktop device (as opposed to being an actual iPhone or iPad). Once again we had to rush a hotfix to our customers, releasing an update just today. Whether or not our solution stands the test of time is hard to tell at this time. It seems this time it’s no longer a game but a war.

This whole Apple blocking third-party clients issue creates numerous problems to our customers who are either legitimate Apple users or law enforcement officials who must have access to critical evidence now as opposed to maybe getting it from Apple in one or two weeks. This time it’s not about security or privacy of Apple customers. After all, accounts protected with two-factor authentication are and have been safe. We’ve had similar experience with Adobe several years ago, and surprisingly, it turned out Adobe had reasons beyond privacy or security of its customers.

(more…)