Security firm recovers iCloud Notes beyond Apple's 30-day deletion window

AppleInsiderAppleInsider
Posted:
in iCloud
Despite an Apple policy of permanently wiping deleted iCloud Notes older than 30 days, it appears to be possible to recover notes that are far older, a security firm said on Friday.




Using a new version of its Phone Breaker tool, Russia's Elcomsoft said it was able to retrieve notes dating weeks, months, or years beyond Apple's 30-day window. In extreme cases, notes were retrieved from as far back as 2015.

One iPhone produced 334 notes, despite it only having 288 listed -- including those in the "Recently Deleted" folder. The ability to extract old notes isn't rock-solid, however, as some test iCloud accounts generated older results than others.

Aside from Phone Breaker, the Elcomsoft hack requires only an Apple ID login or binary authentication token, along with the company's Phone Viewer software.

"There is no doubt Apple will fix the current issue," the firm said, noting that Apple has solved past retention issues it discovered, namely ones with iCloud Photo Library and Safari data.

In the latter case, iCloud was found to be retaining Safari histories and Google search terms for over a year. Apple was quick to respond to the bad publicity by scrubbing the older data.

Comments

  • Reply 1 of 12
    Rayz2016Rayz2016 Posts: 6,957member
    Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?
  • Reply 2 of 12
    mknelsonmknelson Posts: 1,125member
    Rayz2016 said:
    Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?
    It shouldn't matter - all the phone data is encrypted and part of the "erase all contents and settings" function is to delete the encryption key.
  • Reply 3 of 12
    gatorguygatorguy Posts: 24,213member
    mknelson said:
    Rayz2016 said:
    Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?
    It shouldn't matter - all the phone data is encrypted and part of the "erase all contents and settings" function is to delete the encryption key.
    This report indicates they were able to retrieve readable notes. I don't see tho where it says whether the phone's contents had supposedly been deleted along with the original encryption key.  That's a kinda important detail to know. I'm assuming it was not an erased phone. 
  • Reply 4 of 12
    SoliSoli Posts: 10,035member
    Rayz2016 said:
    Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?
    I can't directly answer your question regarding the NAND storage and how Apple removes files/partitions after you wipe it, but this specifically with iCloud storing old data.
    pscooter63
  • Reply 5 of 12
    SoliSoli Posts: 10,035member
    mknelson said:
    Rayz2016 said:
    Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?
    It shouldn't matter - all the phone data is encrypted and part of the "erase all contents and settings" function is to delete the encryption key.
    But they don't have a secure erase option so couldn't the key be created to retrieve data? Even if it's infinitesimal, it's still technically possible, right?
  • Reply 6 of 12
    gatorguygatorguy Posts: 24,213member
    The not-so-clearly linked source report for the AI article has a bit more information.
    https://blog.elcomsoft.com/2017/05/we-did-it-again-deleted-notes-extracted-from-icloud/
    Solidysamoria
  • Reply 7 of 12
    carnegiecarnegie Posts: 1,078member
    Rayz2016 said:
    Is this a problem? Does this mean the data is still on the phone after you scrub it for sale?
    This isn't about deleted notes still being stored on the iPhone. It's about them being stored in iCloud for longer than 30 days after they're deleted.

    It's also not about others (i.e. those without iCloud access for your account) being able to access such deleted notes. It's about someone who otherwise has access to your iCloud account (perhaps nefariously, but more commonly properly) being able to retrieve such deleted notes - i.e., they have your account password and, if you're using two-factor authentication, have a trusted device.

    My question is: If you go into your iCloud account and empty the trash for your recently deleted notes (which are supposed to be retrievable for 30 days), might this still be the case? By design you have 30 days to (easily) retrieve deleted notes, but you can foreclose that possibility by deleting what's in the recently deleted folder. 
    edited May 2017 longpathrandominternetperson
  • Reply 8 of 12
    ericthehalfbeeericthehalfbee Posts: 4,486member
    This sounds like a case where the note was deleted on the iPhone, but for some reason the deletion didn't sync to iCloud. Perhaps their iCloud storage was full, so the iCloud backup couldn't begin. Or something similar. Doesn't sound like a huge security issue since you need a valid Apple ID/password (and two factor if it's turned on) to even be able to check this.
  • Reply 9 of 12
    SoliSoli Posts: 10,035member
    ericthehalfbee said:
    This sounds like a case where the note was deleted on the iPhone, but for some reason the deletion didn't sync to iCloud. Perhaps their iCloud storage was full, so the iCloud backup couldn't begin. Or something similar. Doesn't sound like a huge security issue since you need a valid Apple ID/password (and two factor if it's turned on) to even be able to check this.
    I'm thinking the notes are also deleted on the server, at least from the UI's perspective, but not purged from the account  so still retrievable.  I've seen that many times.
  • Reply 10 of 12
    the monkthe monk Posts: 93member
    I didn't need the Phone Breaker software to get my older notes. I just tell Siri, "Notes," and she gives me deleted material "dating weeks, months, years beyond Apple's 30-day window."
    kolvas
  • Reply 11 of 12
    kolvaskolvas Posts: 22member
    the monk said:
    I didn't need the Phone Breaker software to get my older notes. I just tell Siri, "Notes," and she gives me deleted material "dating weeks, months, years beyond Apple's 30-day window."
    I just tried this..and it's true Siri did find old stuff. I must point out though that, foir me at least, the notes were duplicates, or at least older versions of current notes. I did not find any notes that i had actually deleted show up.
  • Reply 12 of 12
    tokyojimutokyojimu Posts: 529member
    Sounds like a feature, not a bug, to me. 
Sign In or Register to comment.