In today’s world, everything is stored in the cloud. Your backups can be stored in the cloud. The “big brother” knows where you had lunch yesterday and how long you’ve been there. Your photos can back up to the cloud, as well as your calls and messages. Finally, your passwords are also stored online – at least if you don’t disable iCloud Keychain. Let’s follow the history of Apple iCloud, its most known hacks and our own forensic efforts.
The Timeline of iCloud and iOS Forensics
Our first iOS forensic product was released in February 2010. In 2010, we released what is known today as Elcomsoft Phone Breaker (we then called it “Elcomsoft Phone Password Breaker”). Back then, we were able to brute-force the password protecting encrypted iTunes-made iOS backups. At the time, this was it: you’ve got the password, and off you go. The tool did not actually decrypt the backup or display its content; it just recovered the password.
Later that year we added support for encrypted keychain items. Provided that the backup was password-protected and you knew or could break the password, you could then decrypt the keychain stored in iOS backups.
Almost 10 months after the first release, EPB added the ability to actually decrypt local backups.
In May 2011, we released a new product. Elcomsoft iOS Forensic Toolkit was the first tool on the market to break iPhone 4 and iOS 4. With EIFT, you could unconditionally break into the content of said iPhone whether or not the phone was protected with a passcode. Those were the days…
October 2011: Apple introduces iCloud, but offers no end-user tools whatsoever to access its content. The only use for iCloud is storing iOS system backups, but you can’t download them. If you want your data back, you must buy a new iOS device, and you must restore a backup onto it. Maybe a bit too restrictive? We thought so, too. 7 months later, ElcomSoft updates Elcomsoft Password Breaker with the ability to download backups from iCloud. The game of cat and mouse begins.
October 2013: Apple introduces iCloud Keychain, offering users a chain of trust implementation of an Apple-centric, cloud-based password manager. This was a major milestone. For almost four years, iCloud Keychain has remained impenetrable.
In June 2014, EPB was updated to allow access to iCloud backups without a password. You could now use a token extracted from the user’s computer to download cloud backups. Not only does this relieve forensic experts from having to obtain the original Apple ID password, but token-based access also bypasses the secondary verification step of the (not yet released but coming very soon) two-factor authentication process.
August 2014: Celebgate. A collection of almost 500 private pictures of various celebrities, mostly women, and with many containing nudity, were posted on the imageboard. The images were obtained from iCloud. It is believed that a stolen copy of EPB was used to download the pictures from the cloud.
Two weeks after, Apple rushes a half-baked implementation of two-factor authentication and severely cuts the lifespan of authentication tokens. Dubbed Two-Step Verification, this implementation was inherently flawed, but it did what Apple wanted it to do: it protected online backups from hackers and phishers who knew the victim’s password. Not from EPB users though: once you’ve got a non-expired token, you could easily bypass the authentication process and go straight to downloading backups.
September 2014: iOS 8 is released with iCloud Drive, a new cloud storage option open to third-party developers. Just two months later, iOS 8.1 added iCloud Photo Library, a major overhaul of the then-current system. Once the user activated iCloud Photo Library on their iPhone, the photos would no longer be stored in iCloud system backups. Instead, they would sync (yes, sync) with a dedicated photo storage system. Two years later we discovered that Apple held on to uploaded pictures even if the user deleted them from the cloud, and updated EPB accordingly. In less than a month, Apple seemingly patched the issue.
End of 2014: EPB is updated with Two-Step Verification support. The tool can now download files from iCloud.
It was March 2015 when EPB could pull the first file from the new iCloud Drive storage. At the same time, the tool could decrypt the keychain from non-password protected iTunes backups and iCloud backups using the ‘securityd’ key pulled from a jailbroken device. In April, ElcomSoft releases Elcomsoft Phone Breaker for Mac.
In September 2015, a year after Celebgate and 2SV, Apple finally rolled out a proper implementation of two-factor authentication. They creatively named the scheme a Two-Factor Authentication. With the release of iOS 9, iOS backups are moved from iCloud to iCloud Drive, which is not subject to the strict token expiration rules of legacy iCloud backups.
In 2015, EPB continued to evolve at its own pace. In November 2015, it added iOS 9 backup support.
Almost a year after Apple’s Two-Factor Authentication, in August 2016, EPB was updated with proper 2FA support.
Also in August, ElcomSoft discovered an issue with iCloud Photo Library. It turned out that photos users deleted from the cloud were never gone. For some reason, Apple would hold on to the pictures indefinitely, way past the advertised 30-day retention period. EPB was updated.
In September 2016, Apple patched iCloud Photo Library. Weeks after, EPB was updated to support iOS 10, and in the process we discovered a major security weakness in the new system’s backups. This weakness allowed bypassing numerous security checks when brute-forcing the password, boosting brute-force speeds by several orders of magnitude compared to breaking iOS 9 backups. Apple fixed it in iOS 10.1 at the end of October, and placed a nice credit to ElcomSoft in the iOS 10.1 Release Notes for discovering the issue. We were touched.
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An attacker with access to an encrypted iTunes backup may be able to determine the backup password
Description: A password hashing weakness existed in the handling of encrypted iTunes backups. This issue was addressed by removing the weak hash.
Entry added November 14, 2016
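The release note above describes a “password hashing weakness” fixed by “removing the weak hash”. To make the underlying defensive point concrete, here is an added example (not ElcomSoft’s code, and not Apple’s actual backup key-derivation scheme) that puts a single fast hash next to a deliberately slow, iterated key derivation (PBKDF2-HMAC-SHA256) and measures how many password candidates each lets a verifier test per second. The salt and iteration count are constructed values chosen for illustration.

```python
import hashlib
import hmac
import time

# Constructed parameters for illustration only; they are not Apple's.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # fixed so results are reproducible
ITERATIONS = 100_000  # illustrative work factor for the slow derivation


def weak_verifier(password: str, salt: bytes = SALT) -> bytes:
    """A single fast hash over salt||password.

    Cheap to compute once, which also makes it cheap to compute
    millions of times when guessing: this is the class of weakness
    a 'weak hash' in a backup format represents.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def strong_verifier(password: str, salt: bytes = SALT,
                    iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 with a large iteration count.

    Every verification (legitimate or guessed) pays the full cost,
    so guess throughput drops by roughly the iteration count.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)


def check_password(candidate: str, stored: bytes, verifier) -> bool:
    """Constant-time comparison of a derived value against the stored one."""
    return hmac.compare_digest(verifier(candidate), stored)


def guesses_per_second(verifier, guesses: int) -> float:
    """Measure how many candidates the given verifier lets you test per second."""
    t0 = time.perf_counter()
    for i in range(guesses):
        verifier(f"candidate-{i}")  # constructed candidate strings
    elapsed = time.perf_counter() - t0
    return guesses / elapsed if elapsed > 0 else float("inf")


def slowdown_factor(fast_guesses: int = 2000, slow_guesses: int = 10) -> float:
    """Ratio of fast-hash to slow-KDF guess rates on this machine.

    Expect a factor in the tens of thousands for ITERATIONS = 100_000;
    that factor is exactly what a 'weak hash' fallback throws away.
    """
    return guesses_per_second(weak_verifier, fast_guesses) / \
        guesses_per_second(strong_verifier, slow_guesses)


if __name__ == "__main__":
    stored = strong_verifier("correct horse battery staple")
    print("correct password accepted:", check_password("correct horse battery staple", stored, strong_verifier))
    print("wrong password rejected:", not check_password("password1", stored, strong_verifier))
    print(f"fast hash is ~{slowdown_factor():,.0f}x cheaper per guess than PBKDF2")
```

The takeaway for anyone designing or auditing a backup or container format is that the weaker of two available verification paths sets the real brute-force cost; if a fast hash is reachable at all, the iteration count on the strong path no longer protects the password.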
November 2016: we discovered that call logs are also synced with iCloud without most users even knowing, and without a clear path to switch the thing off. EPB was updated with the ability to pull synced call logs and contacts from iCloud. Apple claimed it’s business as usual. We never believed them.
December 2016: EPB can download synced Safari data, notes, calendars.
February 2017: oops, they did it again: Safari browsing history is synced with the cloud, and users can’t clean any records. EPB can access years’ worth of ‘deleted’ browsing histories from iCloud. Apple patched this after a scandal.
March 2017: EPB updated with the ability to extract undismissed notifications from iOS backups. It turned out such notifications can go several years back. There’s no way for the user to view, access or clear any of these notifications, or to even know they exist. This one could be an easy fix, but as we speak there’s been no patch from Apple.
May 2017: and again. Ever used that little Notes app preinstalled on every iPhone and iPad? If you allowed your notes to sync with iCloud (a big convenience, actually), you committed to every note being held there indefinitely. Even if you thought you deleted it. EPB update, Apple patch, business as usual.
July 2017: iCloud Drive tokens now carry an expiry date. While you can still use the token to access files, access to system backups is cut off after several hours.
August 2017: ?
We love Apple iCloud, and believe it’s a highly convenient and reasonably secure system that serves users within the walled garden of the Apple ecosystem really well. The problem arises once one attempts to escape the walled garden. Aside from the very limited iCloud for Windows, Apple offers no tools or APIs that allow access to anything but a few very limited types of data. iOS system backups? Synced call logs? iCloud Keychain? You’ve got to use one of the few third-party solutions to access any of those, and Apple actively resists attempts to gain access to the data with non-Apple tools.