Security firm recovers iCloud Notes beyond Apple's 30-day deletion window

AppleInsider

Despite an Apple policy of permanently wiping deleted iCloud Notes older than 30 days, it appears to be possible to recover notes that are far older, a security firm said on Friday.

Using a new version of its Phone Breaker tool, Russia's Elcomsoft said it was able to retrieve notes dating weeks, months, or years beyond Apple's 30-day window. In extreme cases, notes were retrieved from as far back as 2015.

One iPhone produced 334 notes, despite it only having 288 listed -- including those in the "Recently Deleted" folder. The ability to extract old notes isn't rock-solid, however, as some test iCloud accounts generated older results than others.

Aside from Phone Breaker, the Elcomsoft hack requires only an Apple ID login or binary authentication token, along with the company's Phone Viewer software.

"There is no doubt Apple will fix the current issue," the firm said, noting that Apple has solved past retention issues it discovered, namely ones with iCloud Photo Library and Safari data.

In the latter case, iCloud was found to be retaining Safari histories and Google search terms for over a year. Apple was quick to respond to the bad publicity by scrubbing the older data.

rayz2016

Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?

mknelson

Rayz2016 said:

Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?

It shouldn't matter - all the phone data is encrypted and part of the "erase all contents and settings" function is to delete the encryption key.

gatorguy

mknelson said:

Rayz2016 said:

Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?

It shouldn't matter - all the phone data is encrypted and part of the "erase all contents and settings" function is to delete the encryption key.

This report indicates they were able to retrieve readable notes. I don't see tho where it says whether the phone's contents had supposedly been deleted along with the original encryption key.  That's a kinda important detail to know. I'm assuming it was not an erased phone. 

soli

Rayz2016 said:

Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?

I can't directly answer your question regarding the NAND storage and how Apple removes files/partitions after you wipe it, but this specifically with iCloud storing old data.

soli

mknelson said:

Rayz2016 said:

Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?

It shouldn't matter - all the phone data is encrypted and part of the "erase all contents and settings" function is to delete the encryption key.

But they don't have a secure erase option so couldn't the key be created to retrieve data? Even if it's infinitesimal, it's still technically possible, right?

gatorguy

The not-so-clearly linked source report for the AI article has a bit more information.
https://blog.elcomsoft.com/2017/05/we-did-it-again-deleted-notes-extracted-from-icloud/

carnegie

Rayz2016 said:

Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?

This isn't about deleted notes still being stored on the iPhone. It's about them being stored in iCloud for longer than 30 days after they're deleted.

It's also not about others (i.e. those without iCloud access for your account) being able to access such deleted notes. It's about someone who otherwise has access to your iCloud account (perhaps nefariously, but more commonly properly) being able to retrieve such deleted notes - i.e., they have your account password and, if you're using two-factor authentication, have a trusted device.

My question is: If you go into your iCloud account and empty the trash for your recently deleted notes (which are supposed to be retrievable for 30 days), might this still be the case? By design you have 30 days to (easily) retrieve deleted notes, but you can foreclose that possibility by deleting what's in the recently deleted folder. 

edited May 2017

ericthehalfbee

This sounds like a case where the note was deleted on the iPhone, but for some reason the deletion didn't sync to iCloud. Perhaps their iCloud storage was full, so the iCloud backup couldn't begin. Or something similar. Doesn't sound like a huge security issue since you need a valid Apple ID/password (and two factor if it's turned on) to even be able to check this.

soli

ericthehalfbee said:

This sounds like a case where the note was deleted on the iPhone, but for some reason the deletion didn't sync to iCloud. Perhaps their iCloud storage was full, so the iCloud backup couldn't begin. Or something similar. Doesn't sound like a huge security issue since you need a valid Apple ID/password (and two factor if it's turned on) to even be able to check this.

I'm thinking the notes are also deleted on the server, at least from the UI's perspective, but not purged from the account  so still retrievable.  I've seen that many times.

the monk

I didn't need the Phone Breaker software to get my older notes. I just tell Siri, "Notes," and she gives me deleted material "dating weeks, months, years beyond Apple's 30-day window."

kolvas

the monk said:

I didn't need the Phone Breaker software to get my older notes. I just tell Siri, "Notes," and she gives me deleted material "dating weeks, months, years beyond Apple's 30-day window."

I just tried this..and it's true Siri did find old stuff. I must point out though that, foir me at least, the notes were duplicates, or at least older versions of current notes. I did not find any notes that i had actually deleted show up.

tokyojimu

Sounds like a feature, not a bug, to me.