I Just Got into iCloud Keychain on my iPad Air With Phone Breaker


Using a tool called Elcomsoft Phone Breaker, I was able to view data stored in iCloud Keychain—data that’s not supposed to be accessible. This data includes Apple IDs, Wi-Fi accounts, Mail accounts, browser passwords, credit cards, DSIDs & tokens, even metadata like creation date and modification date. I did this on my own iPad Air, first generation, running iOS 11 public beta 6.

The Phone Breaker

A couple of days ago, I got an email from Elcomsoft about a big update to Phone Breaker. This is a forensic tool that lets you extract data from iPhones, BlackBerry phones, and Microsoft accounts. I don’t know much about these tools, but Phone Breaker seems fairly standard and mirrors other products of its kind.

But the recent update—version 7.0—does something previously thought to be impossible, or at least extremely hard to do. It is the first, and right now only, tool that can directly access and decrypt passwords, app authentication credentials, payment information and other sensitive data stored in iCloud Keychain. According to a blog post by the company, iCloud Keychain has remained impenetrable for almost four years.

Logo of iCloud Keychain, which the Phone Breaker can crack.

iCloud Keychain

Apple’s iCloud security page gives details about iCloud Keychain. It uses 256-bit AES encryption to store and transmit passwords and credit card information. It also uses elliptic curve asymmetric cryptography and key wrapping.

  • iCloud Keychain encryption keys are created on your devices, and Apple can’t access those keys. Only encrypted keychain data passes through Apple’s servers, and Apple can’t access any of the key materials that could be used to decrypt that data.
  • Apple can’t see or access the contents of your iCloud Keychain.
  • Only trusted devices that you approve can access your iCloud Keychain.
  • Advanced settings allow you to choose an iCloud Security Code longer than four digits or have your device generate one for you.
  • You can choose to disable keychain recovery, which means that iCloud Keychain is kept up to date across your approved devices, but the encrypted data is not stored with Apple and cannot be recovered if all of your devices are lost.


2 Comments

  1. Doug Petrosky

    Nothing has been breached any more than what the KeyChain Access app has been able to do or what Apple gave us access to on iOS devices in iOS 11 under Accounts & Passwords. They give you the ability to do what you have the ability to do if you have account IDs, passwords and trusted devices. They just gave it a UI.

    If I hand you my locked iPhone, or iPad, this gives you no way to access my data.

    If you know my AppleID, this gives you no way to get into my iCloud account to access my Keychain.

    Only you who has your passwords can get access to your passwords. This would be like saying OnePass was hacked because if you have someone’s onePass password you can access their passwords. Well duh!




  2. pnielan

    Andrew,

    The first paragraph of your article indicates you broke into your iPad. But it doesn’t say how you used the software, how long it took, how good your password was, etc. You didn’t say what you knew and what you didn’t know when you started to break in. And so on.

    The whole rest of the story, the remaining 95%, looks like press release stuff for the software.

    Can you provide some details about YOUR experience?

    Thanks.



