Forensic software developer Elcomsoft has updated its toolset for iOS to enable the extraction of Keychain elements from iPhones running iOS 12 to iOS 13.3, with the ability to acquire partial Keychain data from disabled and locked iPhones that have yet to be unlocked after being turned on.
The update brings Elcomsoft’s iOS Forensic Toolkit up to version 5.21, and chiefly enables the partial extraction of data from the iOS Keychain, which is used to store credentials for apps and online services. With the update, the security firm claims this can be accomplished on iOS devices running iOS 12 to iOS 13.3.
The list of affected devices includes iPhones from the iPhone 5s to the iPhone X, and all iPad models from the iPad mini 2 to the 2018 iPad, the iPad 10.2, first-generation iPad Pro 12.9, and the iPad Pro 10.5. Specifically, it functions for models that use Apple’s self-designed SoC, from the A7 through to the A11.
The main point of the update is to acquire data from a device that has not been successfully unlocked since being powered on, in a so-called “Before First Unlock” (BFU) state. After being turned on, an iPhone is kept fully encrypted until a screen lock passcode is entered, something that is required by the Secure Enclave before the file system is decrypted.
According to Elcomsoft, “almost everything” remains encrypted until the user unlocks the iPhone with the passcode after booting, and it is the remainder that the firm is targeting with the toolkit. It found that some Keychain items containing authentication credentials for email accounts, along with some authentication tokens, are accessible while in the BFU state, so that the iPhone can start up correctly before the passcode is entered.
To accomplish this, the toolkit requires the installation of a jailbreak known as “checkra1n,” which uses vulnerabilities in the Apple bootrom. The jailbreak itself is installed via a device firmware upgrade (DFU) mode and can be used regardless of the BFU status of the device and its lock state.
Elcomsoft’s iOS Forensic Toolkit is intended for use by law enforcement, in a similar manner to services provided by Cellebrite and others, though it is also available to businesses and even individuals. The company sells the pack starting from $1,495 in both Windows and macOS variants.
The existence of a tool to access data in this manner may be concerning to some, but at the same time it is relatively limited in terms of how it can affect normal users. For example, the toolkit requires physical access to the target device, so it cannot be used remotely or as part of a widespread attack by a bad actor, while the cost of the software is a disincentive for individuals wanting to use it for malicious purposes.
Elcomsoft’s tools have been used for illegal acts in the past, including most famously the “Celebgate” hack, where they were used to acquire iCloud accounts that were then searched for compromising photographs.
Aside from accessing data from a locked state, the toolkit also provides other services, such as access to all protected information, including SMS and email, call history, contacts, web browsing history, voicemail, account credentials, geolocation history, instant message conversations, application-specific data, and the original plain-text Apple ID password.
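For app developers, whether an item is among the Keychain entries readable in the BFU state comes down to the accessibility class it was stored with. The following is an added example, not code from Elcomsoft or from this article: it audits an app's own generic-password items for classes that are readable before first unlock and re-protects them. The function names `findBFUReadableItems` and `tighten` are hypothetical; the `Sec*` calls and constants are Apple's Security framework.

```swift
import Foundation
import Security

// Accessibility classes whose keys do not depend on the passcode, so items
// stored with them stay readable before the first unlock after boot.
// Both constants are deprecated since iOS 12 but still exist on older items.
let bfuReadable: Set<String> = [
    kSecAttrAccessibleAlways as String,
    kSecAttrAccessibleAlwaysThisDeviceOnly as String,
]

/// Lists this app's generic-password items stored in a BFU-readable class.
func findBFUReadableItems() -> [(service: String, account: String)] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnAttributes as String: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let items = result as? [[String: Any]] else {
        return []  // nothing stored, or the query failed
    }
    return items.compactMap { attrs in
        guard let cls = attrs[kSecAttrAccessible as String] as? String,
              bfuReadable.contains(cls),
              let service = attrs[kSecAttrService as String] as? String,
              let account = attrs[kSecAttrAccount as String] as? String
        else { return nil }
        return (service, account)
    }
}

/// Re-protects one item so it can only be decrypted while the device is
/// unlocked and is never migrated to another device.
func tighten(service: String, account: String) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    let update: [String: Any] = [
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    ]
    return SecItemUpdate(query as CFDictionary, update as CFDictionary)
}
```

Items that must be readable by background tasks while the screen is locked can use `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly` instead, which is likewise unavailable until the first unlock after boot.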