Elcomsoft tool can seize partial keychain from locked iPhones on iOS 13.3

Posted:
in iOS edited December 2019
Forensic software developer Elcomsoft has updated its toolset for iOS to enable the extraction of Keychain elements from iPhones running iOS 12 to iOS 13.3, with the ability to acquire partial Keychain data from disabled and locked iPhones that have yet to be unlocked after being turned on.




The update to Elcomsoft's iOS Forensic Toolkit brings the software up to version 5.21, and chiefly enables the partial extraction of data from the iOS Keychain, which stores credentials for apps and online services. The security firm claims the extraction works on devices running iOS 12 through iOS 13.3.

The list of affected devices includes iPhones from the iPhone 5s to the iPhone X, and all iPad models from the iPad mini 2 to the 2018 iPad, the iPad 10.2, first-generation iPad Pro 12.9, and the iPad Pro 10.5. Specifically, it functions for models that use Apple's self-designed SoC, from the A7 through to the A11.

The main point of the update is to acquire data from a device that has not been successfully unlocked since being powered on, the so-called "Before First Unlock" (BFU) state. After being turned on, an iPhone's user data remains fully encrypted until the screen lock passcode is entered; the Secure Enclave requires that passcode before it releases the keys that decrypt the file system.

According to Elcomsoft, "almost everything" remains encrypted until the user enters the passcode after booting, and it is the remainder that the firm is targeting with the toolkit. Elcomsoft found that some Keychain items, including authentication credentials for email accounts and some authentication tokens, are accessible in the BFU state because the iPhone needs them to start up correctly before the passcode is entered.
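Which Keychain items survive in BFU is decided by the data-protection class an app assigns when it stores them. The following is an added illustration, not code from the article, Apple or Elcomsoft: an app stores a token under the most restrictive class so the item stays wrapped with a key the Secure Enclave only releases after the passcode is entered, and can audit the class of an existing item. The service and account names are hypothetical.

```swift
import Foundation
import Security

// Added example: choose the Keychain data-protection class for an item.
// Items stored with kSecAttrAccessibleAlways (deprecated) are readable before
// first unlock; kSecAttrAccessibleAfterFirstUnlock items become readable once
// the passcode has been entered one time and stay readable while locked;
// kSecAttrAccessibleWhenUnlockedThisDeviceOnly items are only readable while
// the device is unlocked and are never migrated to another device or backup.
enum TokenStore {
    static let service = "com.example.app.session"   // hypothetical service name

    private static func baseQuery(account: String) -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }

    // Store (or replace) a token under the strictest protection class.
    static func save(token: Data, account: String) -> OSStatus {
        // Remove any older copy first: it may have been written under a weaker
        // class, and SecItemAdd would otherwise fail with errSecDuplicateItem.
        _ = SecItemDelete(baseQuery(account: account) as CFDictionary)

        var add = baseQuery(account: account)
        add[kSecValueData as String] = token
        add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(add as CFDictionary, nil)
    }

    // Return the protection class of a stored item so an audit can flag
    // items that would be readable in the BFU state.
    static func accessibility(account: String) -> String? {
        var query = baseQuery(account: account)
        query[kSecReturnAttributes as String] = true
        var result: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
              let attrs = result as? [String: Any] else {
            return nil
        }
        return attrs[kSecAttrAccessible as String] as? String
    }
}
```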

To accomplish this, the toolkit requires the installation of a jailbreak known as "checkra1n," which uses vulnerabilities in the Apple bootrom. The jailbreak itself is installed via a device firmware upgrade (DFU) mode and can be used regardless of the BFU status of the device and its lock state.

Elcomsoft's iOS Forensic Toolkit interface


Elcomsoft's iOS Forensic Toolkit is intended for use by law enforcement, in a similar manner to services provided by Cellebrite and others, though it is also available to businesses and even individuals. The company sells the pack starting from $1,495 in both Windows and macOS variants.

The existence of a tool that accesses data in this manner may be concerning to some, but its effect on normal users is relatively limited. The toolkit requires physical access to the target device, so it cannot be used remotely or as part of a widespread attack by a bad actor, and the cost of the software is a disincentive for individuals wanting to use it for malicious purposes.

Elcomsoft's tools have been used for illegal acts in the past, most famously in the "Celebgate" hack, where they were used to access iCloud accounts that were then searched for compromising photographs.

Aside from accessing data from a locked state, the toolkit also provides other services, including access to all protected information: SMS and email, call history, contacts, web browsing history, voicemail, account credentials, geolocation history, instant message conversations, application-specific data, and the original plain-text Apple ID password.

Comments

  • Reply 1 of 22
    So Apple can just buy a version of the tool and write code to fix it? $1,500 is a trivial price to pay. 
    watto_cobra
  • Reply 2 of 22
    dewme Posts: 5,335 member
    I’m curious why Apple would keep some unencrypted data around when the phone is in the BFU state. Does this have anything to do with apps that provide UI in the lock screen state? If so, would disabling all lock screen UI apps (other than log-in UI) close this gap? 

    agilealtitudewatto_cobra
  • Reply 3 of 22
    robjn Posts: 280 member
    “ To accomplish this, the toolkit requires the installation of a jailbreak known as "checkra1n," which uses vulnerabilities in the Apple bootrom.”

    I was under the impression that the checkm8 boot rom exploit required the user passcode. The exploit and jailbreak cannot be used to break into a locked phone!

    Does the new vulnerability described in this article affect all phones or just those that have been jailbroken?
    razorpitwatto_cobra
  • Reply 4 of 22
    Interesting that the iPhone 11 isn’t affected. 
    watto_cobra
  • Reply 5 of 22
    hexclock Posts: 1,243 member
    robjn said:
    “ To accomplish this, the toolkit requires the installation of a jailbreak known as "checkra1n," which uses vulnerabilities in the Apple bootrom.”

    I was under the impression that the checkm8 boot rom exploit required the user passcode. The exploit and jailbreak cannot be used to break into a locked phone!

    Does the new vulnerability described in this article affect all phones or just those that have been jailbroken?
    If it requires a jailbroken phone, then the headline is somewhat misleading. 
    The article is a little unclear, but implies that the device does the jailbreak and then runs the extraction routine. 
    edited December 2019 watto_cobra
  • Reply 6 of 22
    gatorguy Posts: 24,176 member
    robjn said:
    “ To accomplish this, the toolkit requires the installation of a jailbreak known as "checkra1n," which uses vulnerabilities in the Apple bootrom.”

    I was under the impression that the checkm8 boot rom exploit required the user passcode. The exploit and jailbreak cannot be used to break into a locked phone!

    Does the new vulnerability described in this article affect all phones or just those that have been jailbroken?

    hexclock said:
    robjn said:
    “ To accomplish this, the toolkit requires the installation of a jailbreak known as "checkra1n," which uses vulnerabilities in the Apple bootrom.”

    I was under the impression that the checkm8 boot rom exploit required the user passcode. The exploit and jailbreak cannot be used to break into a locked phone!

    Does the new vulnerability described in this article affect all phones or just those that have been jailbroken?
    If it requires a jailbroken phone, then the headline is somewhat misleading. 
    The article is a little unclear, but implies that the device does the jailbreak and then runs the extraction routine. 
    https://blog.elcomsoft.com/2019/11/ios-device-acquisition-with-checkra1n-jailbreak/

    "There is an alternative way to install it, and may I say it’s the better way. Even with some (minor) risks involved, we recommend that alternative method instead of the method described above for two reasons:

    • No need to enter into Recovery mode first.
    • It can be done even for locked devices with unknown passcode.

    No GUI time. Just switch the device to DFU mode, open the Terminal and run the following commands (note the trailing dash as a parameter in the second command):

    cd /checkra1n.app/Contents/MacOS/
    ./checkra1n_gui -

    That’s it, the device is now jailbroken."

    seanismorris said:

    So......... don’t jailbreak your iPhone/iPad.

    Problem solved.

    /not many people jailbreak their devices anymore anyways
    It wouldn't matter whether the user did the jailbreak. Read the linked explanation above. Still, the data that can be extracted is limited. 
    edited December 2019 muthuk_vanalingam
  • Reply 7 of 22
    MplsP Posts: 3,911 member
    hexclock said:
    robjn said:
    “ To accomplish this, the toolkit requires the installation of a jailbreak known as "checkra1n," which uses vulnerabilities in the Apple bootrom.”

    I was under the impression that the checkm8 boot rom exploit required the user passcode. The exploit and jailbreak cannot be used to break into a locked phone!

    Does the new vulnerability described in this article affect all phones or just those that have been jailbroken?
    If it requires a jailbroken phone, then the headline is somewhat misleading. 
    The article is a little unclear, but implies that the device does the jailbreak and then runs the extraction routine. 
    That’s what I was wondering, too. The article makes it sound like a jailbreak needs to be installed first. Unless that can be installed without unlocking the phone it would seem the hack is pretty useless. 

    bulk001 said:
    So Apple can just buy a version of the tool and write code to fix it? $1,500 is a trivial price to pay. 
    If the vulnerability is in the boot rom the fix may not be so easy. 
    watto_cobra
  • Reply 8 of 22
    So......... don’t jailbreak your iPhone/iPad.

    Problem solved.

    /not many people jailbreak their devices anymore anyways
    watto_cobra
  • Reply 9 of 22
    gatorguy Posts: 24,176 member
    MplsP said:
    hexclock said:
    robjn said:
    “ To accomplish this, the toolkit requires the installation of a jailbreak known as "checkra1n," which uses vulnerabilities in the Apple bootrom.”

    I was under the impression that the checkm8 boot rom exploit required the user passcode. The exploit and jailbreak cannot be used to break into a locked phone!

    Does the new vulnerability described in this article affect all phones or just those that have been jailbroken?
    If it requires a jailbroken phone, then the headline is somewhat misleading. 
    The article is a little unclear, but implies that the device does the jailbreak and then runs the extraction routine. 
    That’s what I was wondering, too. The article makes it sound like a jailbreak needs to be installed first. Unless that can be installed without unlocking the phone it would seem the hack is pretty useless. 

    bulk001 said:
    So Apple can just buy a version of the tool and write code to fix it? $1,500 is a trivial price to pay. 
    If the vulnerability is in the boot rom the fix may not be so easy. 
    It is in the boot rom and reportedly it cannot be fixed. 
  • Reply 10 of 22
    There goes MY idea of my ‘safe’ iPhone 8+ ....
  • Reply 11 of 22
    gatorguy Posts: 24,176 member
    There goes MY idea of my ‘safe’ iPhone 8+ ....
    It IS safe. What's been described in this article is generally law enforcement stuff. Unless you're in the category of potentially high-value criminal this doesn't affect you. 
    coolfactorDontmentionthewarCarnagemuthuk_vanalingam
  • Reply 12 of 22
    gatorguy said:
    MplsP said:
    hexclock said:
    robjn said:
    “ To accomplish this, the toolkit requires the installation of a jailbreak known as "checkra1n," which uses vulnerabilities in the Apple bootrom.”

    I was under the impression that the checkm8 boot rom exploit required the user passcode. The exploit and jailbreak cannot be used to break into a locked phone!

    Does the new vulnerability described in this article affect all phones or just those that have been jailbroken?
    If it requires a jailbroken phone, then the headline is somewhat misleading. 
    The article is a little unclear, but implies that the device does the jailbreak and then runs the extraction routine. 
    That’s what I was wondering, too. The article makes it sound like a jailbreak needs to be installed first. Unless that can be installed without unlocking the phone it would seem the hack is pretty useless. 

    bulk001 said:
    So Apple can just buy a version of the tool and write code to fix it? $1,500 is a trivial price to pay. 
    If the vulnerability is in the boot rom the fix may not be so easy. 
    It is in the boot rom and reportedly it cannot be fixed. 
    Then why is the iPhone 11 not affected?
    watto_cobra
  • Reply 13 of 22
    gatorguy Posts: 24,176 member
    wonkothesane said:
    gatorguy said:
    MplsP said:
    hexclock said:
    robjn said:
    “ To accomplish this, the toolkit requires the installation of a jailbreak known as "checkra1n," which uses vulnerabilities in the Apple bootrom.”

    I was under the impression that the checkm8 boot rom exploit required the user passcode. The exploit and jailbreak cannot be used to break into a locked phone!

    Does the new vulnerability described in this article affect all phones or just those that have been jailbroken?
    If it requires a jailbroken phone, then the headline is somewhat misleading. 
    The article is a little unclear, but implies that the device does the jailbreak and then runs the extraction routine. 
    That’s what I was wondering, too. The article makes it sound like a jailbreak needs to be installed first. Unless that can be installed without unlocking the phone it would seem the hack is pretty useless. 

    bulk001 said:
    So Apple can just buy a version of the tool and write code to fix it? $1,500 is a trivial price to pay. 
    If the vulnerability is in the boot rom the fix may not be so easy. 
    It is in the boot rom and reportedly it cannot be fixed. 
    Then why is the iPhone 11 not affected?
    Pretty sure AppleInsider had an article explaining why a few weeks ago, but not certain. Perhaps a discussion of it was in a related thread, but obviously there was a change in hardware in the latest iPhone models. You should do a search to see, as off the top of my head I can't answer you. I do know it works because of a hardware exploit and thus is not patchable with a software update. 

    EDIT: Look up CheckM8 which was an early version of this latest jailbreak code from the same developer.  That's probably the AI article I was remembering. 
    edited December 2019 wonkothesane
  • Reply 14 of 22
    ivanh Posts: 597 member
    It’s a perfect tool for totalitarian nations and police states.  Elcomsoft is a Russian company, isn't it?

    edited December 2019
  • Reply 15 of 22
    cgWerks Posts: 2,952 member
    So... don't use Apple's Keychain for anything you don't have to. Use 1Password or such for everything possible.

  • Reply 16 of 22
    I like how they say “partial keychain extraction” and don’t go into details. That leaves things wide open from not getting any useful data at all to gaining access to sensitive data. I bet it’s the former, hence the careful wording.
    watto_cobra
  • Reply 17 of 22
    gatorguy Posts: 24,176 member
    I like how they say “partial keychain extraction” and don’t go into details. That leaves things wide open from not getting any useful data at all to gaining access to sensitive data. I bet it’s the former, hence the careful wording.
    @ericthehalfbee
    Rather than just guessing you could read their blog:
    https://blog.elcomsoft.com/2019/11/ios-device-acquisition-with-checkra1n-jailbreak/
    https://blog.elcomsoft.com/2019/12/bfu-extraction-forensic-analysis-of-locked-and-disabled-iphones/

    Appears to be far more than "not any useful data at all" and far less than "gaining access to all sensitive data"
    edited December 2019 cgWerksMplsP
  • Reply 18 of 22
    Not familiar with the boot ROM chip or the boot process on an iPhone, but if something similar to an erasable programmable read-only memory chip (EPROM) is used, it could be rewritten with new code that would be resistant to the attack. My impression is that cell phones are infrequently reset/rebooted/restarted, but usually put in a sleep state between uses. 
    watto_cobra
  • Reply 19 of 22
    gatorguy Posts: 24,176 member
    Not familiar with the boot ROM chip or the boot process on an iPhone, but if something similar to an erasable programmable read-only memory chip (EPROM) is used, it could be rewritten with new code that would be resistant to the attack. My impression is that cell phones are infrequently reset/rebooted/restarted, but usually put in a sleep state between uses. 
    This cannot be fixed with a software update on existing phones. Period. It's a hardware issue for a specific series of iPhones. The 11 series hardware component was changed so it is not affected by this specific exploit. 
    muthuk_vanalingambadmonkcgWerks
  • Reply 20 of 22
    badmonk Posts: 1,285 member
    gatorguy said:
    There goes MY idea of my ‘safe’ iPhone 8+ ....
    It IS safe. What's been described in this article is generally law enforcement stuff. Unless you're in the category of potentially high-value criminal this doesn't affect you. 
    I am not sure I agree Gator, since we are in the midst of a worldwide tendency towards authoritarian movements.
    cgWerks