Forensic Tool Grabs iPhone, iPad Data Remotely

Commercial forensic software from ElcomSoft lets investigators download someone's iPhone or iPad data without physically accessing the device; technique works via iOS device backups on iCloud.

Mathew Schwartz

May 17, 2012

4 Min Read
Network Computing logo

Digital forensic investigators have a new technique for recovering the data stored on an iPhone or iPad: ElcomSoft has updated its Phone Password Breaker cracking tool to automatically retrieve iOS device backups from the Apple iCloud.

"Phone Password Breaker becomes an alternative way to get access to iOS devices' content," said Vladimir Katalov, CEO of Moscow-based ElcomSoft, in a statement. "With a valid Apple ID and a password, investigators can not only retrieve backups to seized devices, but access that information in real time while the phone is still in the hands of a suspect."

Information from iPhone backups is in high demand by forensic customers, according to ElcomSoft. No wonder, since an estimated 125 million Apple users store some type of data in iCloud, which offers 5GB of storage for free, and which is easily enabled via a checkbox in the iOS device settings. By accessing data stored in an iCloud backup, investigators could keep tabs on a suspect without the suspect having any idea that their cloud-based data was being accessed.

[ Changes are in the works for Apple's iCloud service. Read more at Apple iCloud Refresh Eyes Social Weak Spot. ]

What's in an iPhone backup? "iCloud backups hold essentially the same information as stored in offline backups, which includes accounts and passwords, call logs and text messages, calendars, appointments, contacts, and organizer information," said ElcomSoft marketing director Olga Koksharova in blog post. "Pictures and Web browsing history, including URLs of recently visited sites, are also included."

Since last year, ElcomSoft's password-cracking tool has been able to break the new hardware-based encryption used by Apple as of the iPhone 4, and then extract data. But investigators needed physical access to either the iOS device or to a PC that had been synchronized with the device and stored an offline backup via iTunes.

ElcomSoft said its software can access iOS device backups thanks to its having cracked the communication protocols used by Apple. "ElcomSoft researchers analyzed the communication protocol connecting iPhone users with Apple iCloud and were able to emulate the correct commands in order to retrieve the content of iOS users' iCloud storage," said Koksharova. "It's important to note that, unlike offline backups that may come encrypted and must be broken into--a time-consuming operation--data retrieved from iCloud is received in plain, unencrypted form. The 5GB of storage space can be retrieved in reasonable time, while receiving incremental updates is even faster."

But while the tool can automatically access the backup, investigators must first obtain valid credentials. "There's no magic," said Koksharova. "If [the] Apple ID and password are not known or no longer valid [for example, if the user changed the password], Phone Password Breaker will be unable to retrieve information from iCloud." One option for gleaning the password is for investigators to access an offline iPhone backup--handled by iTunes--that's stored on a PC, since Password Breaker had be used to crack the encryption key that protects the backup.

Of course, there are other ways to discover a person's iCloud password. Notably, a federal indictment first handed down in March 2012 against alleged LulzSec and Anonymous ringleaders traced the interception of an FBI conference call with U.K. law enforcement personnel to unauthorized access to an iCloud account.

According to court documents, Irish defendant Donncha O'Cearrbhail (aka palladium, among other handles) sent this boast to LulzSec leader Sabu via chat: "I just got into the iCloud for the head of a national police cybercrime unit. I have all his contacts and can track his location 24/7." O'Cearrbhail was allegedly able to access the work emails because the cyber cop had forwarded his email to his Gmail account, which he then checked with his iPhone.

It's unlikely that O'Cearrbhail would have had physical access to the cop's iPhone or a PC that connected to the device and obtained the relevant password that way. Accordingly, he may have made an educated guess as to the cop's password. Another potential way of learning the iCloud password would have been through password reuse--for example, if the same password was used for another service and had been disclosed in a data breach.

High-profile breaches against cloud-based services have forced tougher security and closer scrutiny of what to put in the cloud. In our Dark Side Of The Cloud report, we explain the risks. (Free registration required.)

About the Author(s)

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights