Page 2 – Questions about Phone Breaker and Where Is Your Keychain
First, keep in mind that this is a forensic tool that lets you extract all of the data from an iOS device in bulk. You can’t use it without knowing the Apple ID and password in advance. So you won’t be using the Phone Breaker to crack into some random person’s device. Tools like this are used by law enforcement on devices they collected from suspects.
I know what you’re thinking, because I had the same thought: “If you already have the login credentials, what’s the point of this software when you can already browse through the device?” I posed this question to Vladimir Katalov, Elcomsoft’s CEO. He responded:
Apple devices seem to sync more with the iCloud than the documentation says. That may include not just passwords but also tokens, encryption keys etc. That is even more risky than passwords, because tokens may allow [you to log in] even if two-factor authentication is enabled, no questions asked.
Keychain is a bit more than just user-password pairs. There are also [metadata] and that could be extremely important evidence. And many other records have some additional fields of interest (we have not explored all of them in detail, that requires additional work – but of course, we download everything we can).
In summary, there is important data and metadata that users can’t normally access on their devices. Phone Breaker can extract things like access tokens, encryption keys, Wi-Fi passwords, etc. Normally, forensic access to this is very limited because of several layers of encryption that Apple uses. Direct, physical access to a locally stored Keychain is usually impossible.
Where Your Keychain Is Stored
After iOS 10.2, Apple slowed down the recovery procedure for passwords. Software can now guess only about 5 passwords per minute using a CPU or 100 passwords per second using a GPU. With billions of possible password combinations, a brute-force search at those rates can take a very long time. In that case, the only way to extract the passwords is to download iCloud Keychain, which Phone Breaker can now do (it wasn’t possible before).
It’s confusing because Apple isn’t entirely clear on whether iCloud Keychain stores passwords in the cloud, or local storage only. In an FAQ, Apple gives a question and answer:
Q: Can I set up iCloud Keychain so that my information isn’t backed up in iCloud?
A: Yes. When you set up iCloud Keychain, you can skip the step to create an iCloud Security Code. Your keychain data is then stored locally on the device, and updates across only your approved devices.
But even when you opt out, it seems that certain factors still determine whether the Keychain ends up in the cloud. Elcomsoft found that whether data in iCloud Keychain can be extracted depends on whether it is stored in the cloud or not. In testing, they discovered a combination of settings under which the Keychain wasn’t stored in the cloud, and so couldn’t be extracted. Apple implements the Keychain in a couple of different ways.
Cloud vs. Local
Your Keychain IS NOT stored in the cloud if:
- The user’s Apple ID account has no Two-Factor Authentication and no iCloud Security Code.
Your Keychain IS stored in the cloud if:
- The user’s Apple ID account has no Two-Factor Authentication but has an iCloud Security Code (the iCloud Security Code and a one-time code delivered by text message will be required).
- Two-Factor Authentication is enabled (in this case, one must enter the device passcode or system password of a device already enrolled in iCloud Keychain).
If the Keychain is not stored in the cloud, that means the Phone Breaker can break into it. In this instance, if you don’t have the login credentials, the tool will create a binary authentication token by having you attempt to log in once using iCloud Control Panel.