An in-depth discussion on how to realize the Security of accessing iCloud

2025-04-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

In this issue, the editor brings you an in-depth discussion of the security of accessing iCloud data. The article is rich in content and analyzes the subject from a professional point of view; I hope you get something out of it.

In iOS forensics, when physical acquisition cannot be carried out, cloud extraction is a feasible alternative. The upcoming iOS 13 adds further security measures that will undoubtedly make physical access more difficult. Although iCloud backups can be downloaded, the need to provide the user's login and password as well as the two-factor authentication code is a constant obstacle.

Tokens can no longer be used to access iCloud backups. Tokens also cannot be used to access passwords (iCloud Keychain), Screen Time, Health or Messages. Sometime last year, Apple pinned authentication tokens to a specific computer, so that they can only be used from the PC or Mac that created them. It took us more than a year to find a way to transfer authentication tokens off the user's computer, and today that method works only if the user has a macOS computer. With these restrictions, are authentication tokens still useful? What can you get from a user's iCloud account with an authentication token? What can you access with the login and password? How does two-factor authentication affect an iCloud account, and why is it helpful to know the lock screen passcode (or Mac system password)? You will find the answers to these questions below.

iCloud security

Apple does not operate its own servers (or rather, its own storage service) for user data. iCloud backups, photos, messages and even passwords are stored on servers run by Amazon, Microsoft, Google, AT&T and other third parties. However, this does not mean that Amazon, Google and the others can access any of this data at any time. Let's look at how Apple protects iCloud data from physical threats, taking iCloud backups as the example.

The user's iCloud backup is divided into multiple blocks, and each block is uploaded to one or more servers (in seemingly random order). Each block is encrypted with its own unique encryption key. Without these keys, the blocks remain opaque encrypted binary data even when assembled in the correct order.

The keys are always stored on Apple's own servers in the Cupertino data center. They are never passed on to Apple's partners, contractors or the Chinese government (unless legally required).

From this protection scheme, we can know:

1. Apple has full access to the encrypted information, because it holds both the data and the encryption keys.

2. Apple can decrypt the data and hand it over to law enforcement.

3. Anyone with the appropriate authentication credentials can access the data and the encryption keys to retrieve and decrypt backups.

iCloud backup security

When it comes to iCloud backups, it is important to understand that while most of a backup can be decrypted with credentials, some of its contents are encrypted with a highly secure hardware-based encryption key. Encryption occurs inside the iOS device (on the iPhone or iPad itself); this data never leaves the device and is never saved in any unencrypted form. Therefore, such content can only be restored to the same hardware device that created the backup. In iOS 12 and iOS 13 (beta), this includes:

Keychain. The user's Safari and third-party application passwords remain protected in iCloud backups (note that we are only talking about the keychain stored inside iCloud backups here; iCloud Keychain protection and its extraction are covered later). The keychain can only be decrypted on the device that generated the backup. Without the original device, neither Apple nor law enforcement can access this part of the iCloud backup.

The following data will never be included in the iCloud backup:

Health data

Home data

In addition, if the user enables iCloud synchronization for a data category, certain items are explicitly excluded from the iCloud backup. These items include:

iCloud Photos

Messages (SMS and iMessages)

iOS 13 also excludes the following two data categories (new):

Call logs

Safari history

iCloud backups and tokens

In our article "getting into Cloud: no password", published in 2014, we discussed using authentication tokens to access iCloud backups. Today, that is no longer possible.

iCloud authentication tokens cannot be used to access iCloud backups.

Synchronized data

Since iCloud backups appeared in 2011, Apple has gradually been moving data out of them. The launch of iCloud Photo Library lets photos synchronize between devices through a dedicated iCloud service; once the user enables iCloud Photo Library, pictures are no longer saved in the iCloud backup. Similarly, once the user enables Messages in iCloud (requires iOS 11.4 or later), messages are no longer saved in the iCloud backup but are synchronized through the user's iCloud account. iOS 13 will stop including call logs and Safari history in iCloud backups; these two categories will be available only as synchronized data.

Authentication tokens are suitable for extracting synchronized data (except for the protected categories). The following summarizes how synchronized information in iCloud is protected:

To access synchronized iCloud data, all you need is the user's Apple ID, password and 2FA code.

You can also use authentication tokens to access synchronized data.

Apple has the technical ability to access synchronized data in iCloud.

Synchronized data will be provided when requested by the government.

Synchronized data will be provided on a GDPR request.

Finally, third-party applications, such as ElcomSoft Phone Breaker, can extract synchronized iCloud data.

Some iCloud data is encrypted with the device passcode

Some data categories are treated differently.

The following data types can only be decrypted if you know the lock screen passcode (or Mac system password) of a device registered with the same Apple ID:

iCloud Keychain. The keychain contains the user's synchronized logins and passwords from Safari and third-party applications, as well as some authentication tokens. Most importantly, iCloud Keychain also stores the encryption keys that protect the other encrypted data types (for example, messages cannot be decrypted without first decrypting iCloud Keychain).

Messages in iCloud. Including SMS and iMessages.

Health data (since iOS 12). Compared with iOS 11, the protection of synchronized Health data changed in iOS 12.

To access these protected data categories, you will need to meet the following conditions:

User's Apple ID and password

One-time 2FA code (no iCloud synchronization in any category without 2FA)

The lock screen passcode (or system password) of a device registered in iCloud Keychain

Access restrictions are as follows:

Authentication tokens cannot be used to access any of these types of data.

The average user will not encounter any problems when synchronizing Keychain, Health or Messages through iCloud. When setting up a new iPhone to receive synchronized data, they only need to enter the lock screen passcode of their old iPhone (or of any iCloud Keychain-enabled device, including a Mac).

Apple does not have access to synchronized passwords, messages, or health data. Even if the data is stored on an Apple server, Apple cannot decrypt it.

On a government or GDPR request, Apple does not provide any data in the protected categories (with one exception).

Extraction with third-party tools (Elcomsoft Phone Breaker) remains restricted: it requires the device passcode or system password.

Exception: protection and extraction of Health data in iOS 11 and iOS 12

Starting with iOS 11, Apple implemented Health data synchronization with iCloud. In iOS 11, all types of Health data except CDA records are synchronized with iCloud in exactly the same way as other synchronized data, such as pictures or contacts. There is no additional protection for activity, sleep, nutrition, mindfulness and similar data types.

Protecting Health data in iCloud: iOS 11

To access synchronized Health data, all you need is the user's Apple ID, password and 2FA code.

Apple has the technical ability to access Health data in iCloud.

Health data is provided when requested by the government.

Health data is provided on a GDPR request.

Finally, third-party applications, such as Elcomsoft Phone Breaker, can extract Health data.

Protecting Health data in iCloud: iOS 12 and 13

iOS 12 implements a different way of protecting Health data in iCloud: secure encryption with a key stored in iCloud Keychain. Compared to iOS 11, the actual data is now stored in a different (encrypted) container. Interestingly, after the user updates their last device to iOS 12, the old (unencrypted) container can remain available for some time.

The encryption key is protected with the passcode (lock screen passcode or system password) of a device that participates in Health synchronization. This ensures that Apple has no access to the Health data stored in the cloud (or to iCloud Keychain, for that matter). We believe this protection mechanism provides sufficient security.

To access Health data synchronized with iCloud from devices running iOS 12 and later, the following conditions must be met:

User's Apple ID and password

One-time 2FA code (no iCloud synchronization in any category without 2FA)

The lock screen passcode (or system password) of a device enrolled in Health iCloud synchronization

Access restrictions are as follows:

When setting up a new iPhone, the user needs to enter the lock screen passcode of the old iPhone (or of any iCloud Keychain-enabled device, including a Mac) to receive synchronized Health data.

Apple has no access to synchronized Health data. Even though the data is stored on Apple servers, Apple cannot decrypt it.

Apple also does not provide Health data on a government or GDPR request.

Extraction with third-party tools (Elcomsoft Phone Breaker) remains restricted.

Two-factor authentication: benefits

If users enable two-factor authentication on their account, they get a range of features that are unavailable to accounts without 2FA. They can immediately reset their Apple ID password from the iPhone using only the device passcode. They can disable Find My iPhone without knowing the iCloud password. In addition, forensic experts have found some other very useful features. Only accounts with two-factor authentication can do the following:

Synchronize passwords through iCloud (iCloud Keychain)

Synchronize messages (SMS and iMessages)

Synchronize Health data

Synchronize Screen Time data (including Screen Time data of child accounts)

To some extent, two-factor authentication is a blessing for law enforcement, because accounts with 2FA synchronize more information through iCloud than unprotected accounts.

An authentication token lets you skip the 2FA prompt entirely. This is exactly where the restrictions come in.

Tokens and two-factor authentication: restrictions

When we first looked at iCloud authentication tokens, we could use them to get almost everything from the cloud, including backups. Today, Apple restricts the use of authentication tokens. You can no longer use an authentication token to access the iCloud backups of a two-factor authentication account. Although you can still use tokens to download iCloud backups from non-2FA accounts, the lifetime of such tokens is limited to one hour after creation.

Regardless of the two-factor authentication status, you can still use authentication tokens (with no obvious time limit) to access the following categories of synchronized data:

Multiple categories of synchronized data, including contacts, calendars and notes

Safari browsing history and open tabs

Wallet

Call logs

iCloud Photos

Files from iCloud Drive, including many third-party application containers (1Password, WhatsApp, Viber, etc.)

FileVault 2 encryption recovery tokens

iCloud Mail

Two-factor authentication enabled:

iCloud backups cannot be accessed with a token

Two-factor authentication not enabled:

iCloud backups can be accessed with a token, but only within 1 hour of the token's creation

The following categories are not accessible with authentication tokens:

Passwords (iCloud Keychain)

Health

Screen Time

Messages (SMS and iMessage), if Messages in iCloud is enabled *

* If Messages in iCloud is not enabled, messages are stored in the iCloud backup.
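As an added example (written for this page, not Elcomsoft's or Apple's code), the access rules summarized above and in the earlier backup, synchronization and passcode-protection sections can be expressed as a small Python model: given an account's configuration and what a requester holds, it returns the categories that requester can reach. The category names and the `Account`/`Credential` fields are simplifications chosen here.

```python
"""Model of which iCloud data categories a credential can reach, following the
rules in this article.  Added example, not Elcomsoft or Apple code; category
and setting names are simplifications ("messages" = SMS + iMessage)."""
from dataclasses import dataclass


@dataclass
class Account:
    two_fa: bool
    ios_version: int              # newest iOS version among the user's devices
    icloud_photos: bool = False   # iCloud Photo Library enabled
    messages_in_icloud: bool = False
    health_sync: bool = False


@dataclass
class Credential:
    kind: str                     # "token" or "password" (+ 2FA code if 2FA is on)
    token_age_hours: float = 0.0
    device_passcode: bool = False # lock screen passcode / Mac system password known


BACKUP_CANDIDATES = {"photos", "messages", "call_logs", "safari_history", "app_data"}
PLAIN_SYNC = {"contacts", "calendars", "notes", "safari_history", "wallet",
              "call_logs", "icloud_drive", "mail"}
NEEDS_2FA_TO_SYNC = {"keychain", "messages", "health"}   # also blocked for tokens


def backup_contents(acct):
    """Categories still kept in the iCloud backup (Health/Home never are)."""
    contents = set(BACKUP_CANDIDATES)
    if acct.icloud_photos:
        contents.discard("photos")          # moved to iCloud Photo Library
    if acct.messages_in_icloud:
        contents.discard("messages")        # moved to Messages in iCloud
    if acct.ios_version >= 13:
        contents -= {"call_logs", "safari_history"}
    return contents


def passcode_protected(acct):
    """Categories encrypted with a key that requires the device passcode."""
    protected = {"keychain", "messages"}
    if acct.ios_version >= 12:              # iOS 11 Health sync had no extra protection
        protected.add("health")
    return protected


def synced_categories(acct):
    synced = set(PLAIN_SYNC) | ({"photos"} if acct.icloud_photos else set())
    if acct.two_fa:                         # these categories sync only with 2FA
        synced.add("keychain")
        synced |= {c for c, on in (("messages", acct.messages_in_icloud),
                                   ("health", acct.health_sync)) if on}
    return synced


def exposure(acct, cred):
    """What the credential holder can pull; 'backup:' marks backup data."""
    synced, protected = synced_categories(acct), passcode_protected(acct)
    reach = set()
    if cred.kind == "token":
        # tokens never open backups of 2FA accounts; otherwise a 1-hour window
        if not acct.two_fa and cred.token_age_hours <= 1:
            reach |= {"backup:" + c for c in backup_contents(acct)}
        reach |= synced - NEEDS_2FA_TO_SYNC
    else:                                   # Apple ID password (+ 2FA code)
        reach |= {"backup:" + c for c in backup_contents(acct)}
        reach |= synced - protected
        if cred.device_passcode:
            reach |= synced & protected
    return reach
```

Comparing `exposure(acct, Credential("token"))` with `exposure(acct, Credential("password", device_passcode=True))` for the same account shows concretely how little a stolen token yields on a 2FA account, which is the defensive point of enabling 2FA.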

Windows vs. macOS

Although Apple provides iCloud software for both Windows and Mac users, the authentication tokens created on the two platforms are different.

On Windows computers, the token is buried deep in the file system. It is also encrypted with the user's account credentials, so you must be able to log in to the user's account (or at least know their login and password) to decrypt it. Elcomsoft Phone Breaker can do this automatically: just start the tool, press a few buttons, and the token is saved to a text (XML) file, ready to use with EPB.

Is it really that simple? Although you can extract the token from the Windows computer and decrypt it for use with EPB to access selected data categories in iCloud (see the "restrictions" section for details), you can only do all of this on the same computer on which the token was created. You cannot even use it from a virtual machine built from an image of the user's disk; it must be the physical computer that created the token.

If the user has a Mac, you can extract a complete, unrestricted token in addition to the restricted one. In its controlled ecosystem, Apple was able to implement stronger protection (pinning tokens for 2FA accounts). We can bypass this protection in Elcomsoft Phone Breaker, allowing you to extract, transfer and use these complete authentication tokens. The full token can be used on any computer, Windows or Mac; you only need the latest version of Elcomsoft Phone Breaker installed.

Extract and use authentication tokens

There are several supported schemes for extracting authentication tokens.

Windows computer: extract a restricted token from the currently logged-in account

Windows computer: extract restricted tokens from other accounts

macOS computer: extract restricted and unrestricted tokens from the current user (requires the keychain password)

macOS computer: extract restricted and unrestricted tokens from a keychain database (requires the keychain password)

iOS device: obtain the keychain from a password-protected backup or a physical acquisition.

Windows, current user

You need: Elcomsoft Phone Breaker (Forensic Edition). You must log in as the user whose token you want to extract.

Start atex.exe from the command line. The tool automatically extracts the authentication token. You have just extracted the restricted token pinned to the current computer (saved to a text file). Note that you can only use the extracted token on the computer from which it was extracted.

Windows, other users

You need: Elcomsoft Phone Breaker (Forensic Edition). You must log in as the user whose token you want to extract.

You will use the main GUI to extract tokens from other users' accounts. For more information, refer to the user manual.

macOS, current user

You need: Elcomsoft Phone Breaker (Forensic Edition). You must log in as the user whose token you want to extract. You must know the keychain password (usually, but not always, the same as the account password). Note: both full and restricted tokens are extracted.

Alternatively, use the macOS Keychain utility to extract tokens.

macOS, other users

You need: Elcomsoft Phone Breaker (Forensic Edition). Extract the keychain database of the user whose token you want to obtain. You must know the keychain password.

iOS device

You need: Elcomsoft Phone Breaker (Forensic Edition), plus either a decrypted keychain database (physical acquisition) or a password-protected backup (the password must be known).

Use Elcomsoft Phone Breaker to manually check the keychain.

Using authentication tokens

You need: Elcomsoft Phone Breaker (Forensic Edition).

macOS: if you extracted the full (unrestricted) token from macOS, you can copy the file and use it on any computer, Windows or Mac.

Windows: restricted tokens can only be used to authenticate from the same computer that extracted them.

Restricted token:

Discover authentication credentials

Because authentication tokens are so restricted, extracting data from a 2FA account is more likely to succeed with the login and password (plus the second factor for accounts with 2FA). You can try the following methods to obtain the user's authentication credentials:

Windows: use Elcomsoft Internet Password Breaker to extract stored passwords from the user's web browser. These can usually be found in records for "apple.com", "icloud.com" or "appleid.apple.com".

macOS: use Elcomsoft Password Digger to extract and analyze the macOS keychain. The login and password may be stored in a record containing the keywords "apple" or "icloud".

iOS: if you can extract the keychain from an iOS device (using Elcomsoft iOS Forensic Toolkit for logical or physical acquisition), you can analyze it with Elcomsoft Phone Breaker. Note: the user's Apple TV may also contain these passwords, so analyzing it may be a good option.

Note that you still have to go through two-factor authentication to access 2FA-protected accounts.

iCloud authentication tokens are no longer as easy to use as they were a year ago. The combination of token encryption and pinning with access restrictions makes authentication tokens useful only for accessing selected types of synchronized data. The most interesting types of evidence, such as iCloud backups, saved passwords, Health and Messages, cannot be accessed with tokens.

The above is the editor's in-depth discussion of the security of accessing iCloud; if you have similar questions, the analysis above may help you understand the issue. If you want to learn more, you are welcome to follow the industry information channel.
