Russian cybersecurity firm Elcomsoft, which provides forensic data extraction tools for security and law enforcement agencies, is making headlines today (December 21) with a claim that one of its updated tools can now “extract select keychain records” from iPhones in their most secure state. “We have a few other changes and some tips,” the company said in a blog post, “on extracting locked and disabled devices.”
The extraction, the company claims, works on any iOS version from 12.0 onwards, including the latest 13.3 update. It relies on checkm8, the unpatchable BootROM vulnerability that enabled the Checkra1n jailbreak, which in itself generated headlines in November. Because the flaw sits in the boot ROM of Apple’s A5 through A11 chips, it cannot be fixed by a software update, so from a hardware perspective every iPhone up to and including the iPhone X is affected. The issue for Apple with these latest claims is that the Russian team has extracted some password data from iPhones in their “Before First Unlock” or “BFU” state: the state a device is in after a restart, before the passcode has been entered even once, when the passcode-derived keys that protect the bulk of user data have not yet been unwrapped.
“Almost everything inside the iPhone remains encrypted until the user unlocks it with their passcode after the phone starts up,” Elcomsoft explains. “It is the ‘almost’ part of the ‘everything’ that we target in this update—certain bits and pieces are available in iOS devices even before the first unlock.” Arguably, it’s the nature of those “bits and pieces” that’s the issue here, given that they include “some keychain items containing authentication credentials for email accounts and a number of authentication tokens are available before first unlock.”
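To make the “almost” concrete: under Apple’s documented Data Protection scheme, every keychain item carries an accessibility class, and the class decides which key wraps it. Items in the WhenUnlocked and AfterFirstUnlock classes are wrapped with keys derived from the user’s passcode and are unreadable until that passcode has been entered; only items in the deprecated “Always” classes are protected by the device key alone, which is what makes them reachable before first unlock, however strong the passcode. The Swift snippet below is an added illustration written for this page, not Elcomsoft’s or Apple’s code; the service name, account names and sample password are made up.

```swift
import Foundation
import Security

// Added example, not code from Elcomsoft or Apple. Shows how an app's choice of
// keychain accessibility class decides whether a stored secret is readable in
// the Before First Unlock (BFU) state. Service/account names are invented.

enum KeychainError: Error {
    case unhandled(OSStatus)
}

private let service = "com.example.mailclient"   // assumed service name

/// Store `secret` as a generic-password item with the given accessibility class,
/// replacing any existing item for the same service/account pair.
func storeSecret(_ secret: Data, account: String, accessible: CFString) throws {
    let query: [String: Any] = [
        kSecClass as String:          kSecClassGenericPassword,
        kSecAttrService as String:    service,
        kSecAttrAccount as String:    account,
        kSecAttrAccessible as String: accessible,
        kSecValueData as String:      secret,
    ]
    SecItemDelete(query as CFDictionary)          // ignore "not found"
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unhandled(status) }
}

/// Read the item back. On a locked device this returns errSecInteractionNotAllowed
/// for WhenUnlocked items, while "Always" items still return data.
func readSecret(account: String) -> Result<Data, KeychainError> {
    let query: [String: Any] = [
        kSecClass as String:       kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String:  true,
        kSecMatchLimit as String:  kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        return .failure(.unhandled(status))
    }
    return .success(data)
}

let imapPassword = Data("hunter2".utf8)   // constructed sample secret

do {
    // Weak: the "Always" classes (deprecated since iOS 12 but still honoured) are
    // wrapped by a key that never depends on the passcode, so the item is
    // decryptable as soon as the device boots. This is the kind of item a BFU
    // keychain extraction can reach.
    try storeSecret(imapPassword, account: "imap-weak",
                    accessible: kSecAttrAccessibleAlwaysThisDeviceOnly)

    // Better when the secret is only needed while the app is in the foreground:
    // the class key is wrapped with the passcode-derived key and evicted on lock.
    try storeSecret(imapPassword, account: "imap-foreground",
                    accessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly)

    // Background mail fetch needs AfterFirstUnlock. That is still unavailable in
    // BFU, because its class key is only unwrapped once the passcode has been
    // entered after boot; it is the right default for a mail client's credentials.
    try storeSecret(imapPassword, account: "imap-background",
                    accessible: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly)
} catch {
    print("keychain write failed: \(error)")
}

// Reading back while the device is unlocked succeeds for all three; only the
// "imap-weak" item would also be recoverable from a BFU device.
for account in ["imap-weak", "imap-foreground", "imap-background"] {
    switch readSecret(account: account) {
    case .success(let data): print(account, "->", data.count, "bytes")
    case .failure(let err):  print(account, "->", err)
    }
}
```

The “ThisDeviceOnly” variants additionally stop the item migrating to another device via backup; they do not change which lock state the item is readable in. Offline extraction after a checkm8 jailbreak follows the same class boundaries: the tooling can read the keychain database, but it can only decrypt the classes whose keys are available in that state.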
The company assures that the tool will not help users unlock iOS devices, albeit there is inevitable controversy around the availability of the $1495 tool behind the claims. The company has been criticised before over its cloud extraction tools, and it claims to support forensic extraction of “valuable data and evidence” from Apple, Google and Microsoft cloud accounts.
“While this is only a partial keychain extraction,” the company acknowledges, “this is much better than nothing – and coming from a locked device!” The process requires a jailbreak of the target device, but because checkm8 is triggered from Device Firmware Update (DFU) mode over USB, the jailbreak can be applied without the passcode and regardless of the BFU state. Elcomsoft also says it is “working on integrating the low-level checkm8 exploit into our software,” promising to “straighten up the process, making it faster, simpler, safer and forensically sound.”
The iOS Forensic Toolkit claims to be able to deliver “physical and logical acquisition” of iOS devices, extracting passwords and encryption keys, and decrypting the file system image itself. Such toolkits have been generating increasing headlines this year, which is a challenge to the device manufacturers that trade on security and data protection as unique selling points. Apple was approached for comment on this story before publication.
The encryption of user data has become the cause of increasing controversy as governments, led by the U.S. and U.K., have attacked the industry for preventing lawful access to data on target devices. This covers both the device hardware and the messaging platforms operating “over the top,” such as WhatsApp and iMessage.
The industry argues that opening access to anyone presents the risk that such inbuilt weaknesses will be exploitable by everyone. That stand-off has created a forensic grey area in which toolkits such as this one provide the best way into data. That said, what such tools can recover is usually haphazard, and in real-world applications they do not deliver the full picture to law enforcement. In this instance physical possession of the device is also required: the exploit runs from DFU mode over a cable and is not remotely executable, which should provide users some comfort.