I Just Got into iCloud Keychain on my iPad Air With Phone Breaker



Page 2 – Questions about Phone Breaker and Where Is Your Keychain

Questions

First, keep in mind that this is a forensic tool that lets you extract all of the data from an iOS device in bulk. You can’t use it without knowing the Apple ID and password in advance. So you won’t be using the Phone Breaker to crack into some random person’s device. Tools like this are used by law enforcement on devices they collected from suspects.

I know what you’re thinking, because I had the same thought: “If you already have the login credentials, what’s the point of this software when you can already browse through the device?” I posed this question to Vladimir Katalov, Elcomsoft’s CEO. He responded:

Apple devices seem to sync more with the iCloud than the documentation says. That may include not just passwords but also tokens, encryption keys etc. That is even more risky than passwords, because tokens may allow [you to log in] even if two-factor authentication is enabled, no questions asked.

Keychain is a bit more than just user-password pairs. There are also [metadata] and that could be extremely important evidence. And many other records have some additional fields of interest (we have not explored all of them in detail, that requires additional work – but of course, we download everything we can).

In summary, there is important data and metadata that users can’t normally access on their devices. Phone Breaker can extract things like access tokens, encryption keys, Wi-Fi passwords, etc. Normally, forensic access to this is very limited because of several layers of encryption that Apple uses. Direct, physical access to a locally stored Keychain is usually impossible.


Where Your Keychain Is Stored

After iOS 10.2, Apple slowed down the recovery procedure for passwords. Software can now guess about 5 passwords per minute using a CPU or 100 passwords per second using a GPU. With billions of possible password combinations, this can take a long time. In that case, the only way to extract the passwords is to download iCloud Keychain, which the Phone Breaker can now do (it wasn’t possible before).

It’s confusing because Apple isn’t entirely clear on whether iCloud Keychain stores passwords in the cloud or in local storage only. In an FAQ, Apple gives a question and answer:

Q: Can I set up iCloud Keychain so that my information isn’t backed up in iCloud?

A: Yes. When you set up iCloud Keychain, you can skip the step to create an iCloud Security Code. Your keychain data is then stored locally on the device, and updates across only your approved devices.

But even when this is the case, it seems that certain factors affect whether the Keychain is stored in the cloud, even if you choose not to store it there. Elcomsoft found that the ability to extract data in iCloud Keychain depends on whether it’s stored in the cloud or not. In testing, they discovered a combination of factors where the Keychain wasn’t stored in the cloud, and so couldn’t be extracted. Apple implements the Keychain in a couple of different ways.

Cloud vs. Local

Your Keychain IS NOT stored in the cloud if: 

  • The user’s Apple ID account has no Two-Factor Authentication and no iCloud Security Code.

Your Keychain IS stored in the cloud if: 

  • The user’s Apple ID account has no Two-Factor Authentication but has an iCloud Security Code (the iCloud Security Code and a one-time code delivered as a text message will be required).
  • Two-Factor Authentication is enabled (in this case, one must enter the device passcode or system password of any device already enrolled in iCloud Keychain).

If the Keychain is not stored in the cloud, that means the Phone Breaker can break into it. In this instance, if you don’t have the login credentials, the tool will create a binary authentication token by having you attempt to log in once using iCloud Control Panel.

pnielan

Andrew,

The first paragraph of your article indicates you broke into your iPad. But doesn’t say how you used the software, how long it took, how good your password was, etc. You didn’t say what you knew and what you didn’t know when you started to break in. And so on.

The whole rest of the story, the remaining 95%, looks like press release stuff for the software.

Can you provide some details about YOUR experience?

Thanks.

Doug Petrosky

Nothing has been breached any more than what the Keychain Access app has been able to do or what Apple gave us access to on iOS devices in iOS 11 under Accounts & Passwords. They give you the ability to do what you have the ability to do if you have account IDs, passwords and trusted devices. They just gave it a UI. If I hand you my locked iPhone, or iPad, this gives you no way to access my data. If you know my AppleID, this gives you no way to get into my iCloud account to access my…