12 years of IT forensics vs. IT security

Extract data from the iCloud

Source: nikkimeel / Shutterstock.com

Twelve years have passed since ElcomSoft was first able to download iCloud backups directly from Apple and read out the data.

While some said that it was no great feat to load data from an online backup with the right password, others felt confirmed in their view that cloud storage was an incalculable security risk. But both views were oversimplified back then and are simply wrong today.

Ad

Extracting data from an iCloud backup is not trivial

According to Apple’s logic, an iPhone backup in the iCloud is intended to restore this iPhone with all its data on new hardware. Even with the correct access data, Apple offers no way to access pictures, passwords, documents, browser history or other files in the iCloud backup. If you want to access the data stored in the iCloud archive, you would have to import the entire backup onto a new iPhone and then access the data regularly via iOS. And Apple is not exactly known for making it easy for users to have unhindered and unfiltered access to files that were not explicitly created by the user.

It was therefore a small sensation at the time and a real added value that ElcomSoft was able to decrypt all the data in the iCloud backup directly from the backup. If you could legitimize yourself to the iCloud, you could access all data directly via ElcomSoft solutions. But that was in 2012. Apple has not been idle since then.

In four steps – Apple improves

Step 1, two-factor authentication:

Ad

A kind of two-step verification was implemented in 2013 in a rather hasty and, by Apple standards, rather half-baked manner. Proper two-factor authentication was not introduced until 2015. The 2014 leak known as Celebgate, in which large amounts of private data of celebrities were published that were found in backups of cell phones, is also likely to have been a key driver. Around 95% of Apple accounts are now protected with 2FA. Not a major obstacle when you consider that companies and authorities usually also have access to the corresponding SIM cards.


Step 2, the end-to-end encryption:

Although the data in the iCloud is encrypted, only genuine E2E encryption provides the certainty that Apple itself cannot view the data. Initially, the iPhone passcode also served as a key to encrypt the data on the Apple servers. However, the passcode does not exactly offer maximum security against brute force attacks and, what’s more, only some of the data was encrypted with the E2E passcode. As of 2020, for example, SMS, voice messages and Apple Maps data were encrypted, but emails, Wi-Fi passwords and Apple Wallet data were not.


Step 3, Advanced Data Protection:

The real breakthrough only came at the end of 2022 with the new Advanced Data Protection for iCloud feature. Here, Apple retrofitted real, strong and secure E2E encryption. Even two years later, there is still no known exploit. In this respect, it is also difficult at this point in time to assess what exactly Advanced Data Protection does differently to classic E2E encryption.


Step 4, Third-party apps and iOS 17:

The last step was taken with the introduction of iOS 17, where Apple implemented additional hurdles to make it more difficult for third-party software to access the iCloud. In practice, there are indeed some cases in which the extraction of iOS 17 backups fails, but at least access to synchronized data continues to work without any problems even with iOS 17.

Apple stores more than expected

Another problem for security-conscious users is that more data is regularly stored in an iCloud backup than the user is aware of and even more than Apple has officially admitted. In 2016, it became known that Apple was backing up call histories unnoticed, then in 2017 that Apple was backing up browser histories even if they had been deleted locally. There is a general trend for Apple to back up more and more data in the cloud. Of course, it is critical to note that the trend began long before strong E2E encryption. And even when E2E encryption was introduced, only some of the data was encrypted at all. As a result, a lot of data was stored online for a very long time, sometimes against the user’s will, with only moderate protection.

Forensic access is more productive than legal access

Of course, Apple also offers authorities legal ways to gain access to the data. The request for this is still a Word document for download from the Apple website: gle-inforequest.docx. The only disadvantage is that Apple only grants access to data that is not E2E-encrypted. So even if law enforcement authorities can produce a court order, they will not receive encrypted data from Apple, even if this encryption is not an insurmountable obstacle, as in the case of the passcode. The bottom line is that IT forensic solutions are proving to be more effective than cooperating with Apple, even for official agencies.

Direct access to the file system with Elcomsoft iOS Forensic Toolkit

Even though ElcomSoft is still struggling with Advanced Data Protection, there are still ways to access the data. The classic approach is the iOS Forensic Toolkit. With this, ElcomSoft offers various ways to gain direct access to a physical iOS device via sideloading. This includes low-level access to the file system and even returns decrypted keychains.

(pd/ElcomSoft)

Ad

Weitere Artikel