Elcomsoft Phone Breaker 6.40. Hacking iPhone and iPad backups with Elcomsoft

Genre: Password recovery
Developer: Elcomsoft Co. Ltd.
Developer site: http://www.elcomsoft.com

Interface language: English
Platform: Windows 98, XP, XP x64, 2003, Vista, Vista x64, 2008, 7, 7 x64
System requirements:
About 6 MB of free space on hard disk
Modern CPU with SSE2 instruction set support
manifest.plist file from an iPhone/iPod/iPad backup created by iTunes (or a complete backup to read keychain data)
One or more of supported NVIDIA or ATI cards, or Tableau TACC1441 (recommended for hardware acceleration)
Description: Elcomsoft Phone Password Breaker allows law enforcement experts to access password-protected backups of smartphones and portable devices based on the RIM BlackBerry platform and Apple iOS. The utility supports all BlackBerry smartphones and all portable devices on the Apple iOS platform, including iPhone, iPad and iPod Touch of all generations and versions, including iPhone 4 and iOS 4.1.

Access password-protected backups on Apple and BlackBerry devices

The utility allows you to recover passwords for backup copies of Apple and BlackBerry devices. Backups may contain address books, call logs, SMS archives, calendars, to-do lists, photos, voicemail and email account settings, third-party applications, a log of visited web pages and the content of these pages stored in the cache.

Acceleration with graphics cards

To greatly increase the speed of brute-forcing passwords for backups of Apple devices, the utility uses the company's own GPU acceleration technology. Elcomsoft Phone Password Breaker is the first software of its kind on the market to access protected iPhone/iPod backups and the only utility capable of reading and decrypting the contents of the system storage (keychain), which holds encryption keys and passwords for email accounts, websites and third-party applications. These operations are possible if the password is known or recovered.

Hardware acceleration

Elcomsoft Phone Password Breaker uses ATI and NVIDIA graphics cards to speed up password brute force. A dictionary attack recovers a password much faster than a plain brute-force attack. With password cracking on graphics cards, you get the computing power of a supercomputer for the price of a "home" graphics card.
Elcomsoft Phone Password Breaker is the first software on the market that uses the processing power of graphics adapters to recover passwords for iPhone, iPad and iPod backups. With regular "home" ATI and NVIDIA graphics cards installed, you get supercomputer-class computing power: password enumeration is ten times faster than on the central processor. Up to 8 ATI and NVIDIA graphics adapters are currently supported, including the NVIDIA GeForce 8, 9, 100, 200, 400 and GTX 580 series and the ATI RADEON 4800, 5000 and HD 6970 series.

Powerful attacks

Elcomsoft Phone Password Breaker supports powerful dictionary attacks using various dictionary mutations and combinations. According to many studies, most users create meaningful passwords from commonly used words that are easier for them to remember. Elcomsoft Phone Password Breaker can quickly recover such passwords and their variations in any language. It supports many dictionary mutations and combinations, trying hundreds of variants of each dictionary word so that the right password is found as early as possible.

Extracting and decrypting stored passwords

On Apple iPhone devices, passwords for email accounts, websites and various applications are stored in the system storage (keychain) in encrypted form, and the hardware encryption keys are unique to each specific device. Before the release of iOS 4, data in the keychain was always encrypted only with the unique device keys, but with the release of iOS 4 it became possible to create backups in which the contents of the keychain are encrypted with a master key that depends on the user's password. Elcomsoft Phone Password Breaker can instantly read (and decrypt) all data from such storage, including passwords, if the master password is known or recovered using the attacks mentioned above.

Offline work

Elcomsoft Phone Password Breaker does not use Apple iTunes or BlackBerry Desktop Software, so there is no need to install these programs. All password guessing operations are performed offline.

Program features

  • Access information stored in password-protected iPhone, iPad and iPod Touch backups
  • Access information stored in password-protected backups of BlackBerry smartphones
  • Recover passwords for backup copies of any BlackBerry smartphone
  • Read and decrypt data in the system storage (keychain): passwords for email accounts, Wi-Fi networks, websites and third-party applications
  • Acceleration with multiple low-cost ATI or NVIDIA graphics adapters installed in the system
  • Hardware acceleration using Tableau TACC1441
  • Dictionary attacks using various dictionary mutations and combinations
  • Works completely offline and does not require Apple iTunes or BlackBerry Desktop Software to be installed
  • Recover backup passwords for original and 'modified' iPhones, iPhone 3G, iPhone 3GS, iPhone 4, iPad and iPod Touch (up to and including 4th generation)
  • Compatible with all versions of iTunes (including 10.0), iOS (3 and 4, including 4.1) and BlackBerry Desktop Software
  • Decrypt iPhone backups with a known password
  • Uses AES-NI instructions to speed up BlackBerry backup password brute force
  • Supports AMD Radeon HD 6970 and NVIDIA GTX 580

Elcomsoft Phone Breaker is a universal tool for extracting data from backups and from iCloud cloud storage for mobile devices running any iOS version. The tool allows law enforcement experts to access password-protected backups or download data from iCloud. The utility supports all portable devices on the Apple iOS platform, including iPhone, iPad and iPod Touch of all generations.

The utility allows you to recover passwords for backup copies of Apple devices using advanced attacks and hardware acceleration on AMD and NVIDIA graphics cards. Backups may contain address books, call logs, SMS archives, calendars, to-do lists, photos, voice mail and email account settings, third-party applications, a history of visited web pages and the contents of these pages stored in the cache.

Extracting data from the "cloud" iCloud

iOS device users have several options for backing up the content of their devices. You can create backup copies locally on your computer with Apple iTunes. An alternative is to back up data automatically to Apple's iCloud cloud storage. Introduced in June 2011, iCloud allows users to store their device data on remote servers and use it on multiple devices. In addition, iCloud can be used to sync email, contacts, events, bookmarks, photos and other information.

iCloud backups are incremental. If the device is set up to use iCloud, it automatically creates a backup every time it is connected to a Wi-Fi network and a power source.

With Elcomsoft Phone Breaker, you can extract data directly from the cloud, even without the device itself on hand. All that is required to access the iCloud online archives is the user's Apple ID and password, or a binary authentication token retrieved from the user's computer. Data can be accessed without the user's consent, making Elcomsoft Phone Breaker an ideal solution for law enforcement and intelligence organizations.

Both iOS device data backups and other files stored in iCloud are retrieved from the "cloud" storage:

  • iWork documents (Pages, Numbers, Keynote) - if saving to the cloud is configured
  • third-party application documents (game saves, password databases, copies of whatsapp messages etc.)
  • some system files, including custom dictionaries
  • iCloud Keychain
  • SMS and iMessage messages including attachments

Both backup copies of iOS devices and other files stored in iCloud or iCloud Drive are retrieved from the cloud storage.

iCloud Keychain

With Elcomsoft Phone Breaker it is possible to remotely retrieve saved passwords, credit card data and other protected information from Apple's cloud service for storing and syncing passwords (iCloud Keychain). Elcomsoft Phone Breaker is the only product on the market that provides access to iCloud Keychain.

Health data, messages and attachments from iCloud

The latest versions of iOS sync the user's health data (Apple Health), SMS messages and iMessages with the iCloud service. Elcomsoft Phone Breaker allows you to retrieve synchronized Apple Health data, messages and attachments from the cloud, including media files and documents. To access this data, in addition to the login, password and second authentication factor, you will need to provide the passcode or PIN of one of the registered devices.

Selective Access

The first download of a large amount of data may take several hours. Subsequent updates are much faster because the storage system is updated incrementally. If download speed is more important than data completeness, Elcomsoft Phone Breaker can quickly get the information you need and skip less important data that takes the longest to download (such as music or videos). Messages, attachments, phone settings, call logs, address books, notes and attachments, calendar, mail account settings, photos, videos and more can be pre-selected and downloaded in minutes, providing access to important information in near real time.

Access to synchronized data

Starting with iOS 9, iPhone automatically syncs certain types of data to the cloud. Data goes to iCloud independently of the main backups, and can be retrieved even when iCloud backups are disabled. Unlike backups that are created once a day, this data is synchronized with the user's account automatically and gets into the "cloud" with minimal delay.

Using Elcomsoft Phone Breaker, synchronized call logs and other information are retrieved: contacts, calendars, notes and attachments (including deleted ones) and the history of user actions in the Safari browser (including deleted entries). The full list of retrieved synchronized data includes:

  • Safari browser (history, bookmarks, open tabs)
  • Calendars, notes, contacts, recordings of Voice Recorder app
  • Cloud Keychain and Screen Time passwords
  • Detailed call history
  • Apple Maps (routes, search terms, marked objects)
  • Wi-Fi (access point information, MAC addresses, date and device added from)
  • Wallet (except for payment cards)
  • Information about the user (address, phone numbers, name) and their devices (including serial numbers and OS version)
  • iBooks (documents and PDF files, added by the user)

Accessing deleted photos from iCloud Photo Library

In new versions of iOS and Mac OS X, it became possible to store photos separately from backups in the iCloud Photo Library service. iCloud Photo Library uses a new API to access files, and the photos themselves are no longer stored in the cloud backups of devices.

Elcomsoft Phone Breaker retrieves files from iCloud Photo Library, including photos that have been deleted by the user. With Elcomsoft Phone Breaker, you can retrieve photos that have been deleted within the last 30 days. Selective access by user albums is available.

Decrypting FileVault 2 Volumes

Newer versions of Mac OS X use a built-in disk encryption mechanism, the FileVault 2 crypto container. Elcomsoft Phone Breaker extracts the escrowed encryption keys of encrypted volumes from an Apple ID account and decrypts FileVault 2 volumes without a brute-force attack.

Available to users of the Forensic edition. Volumes with the APFS file system are not currently supported.

Two-factor authentication

Apple has been working continuously to improve the security of its mobile platform, and more and more users of Apple mobile devices protect access to their information with two-factor authentication. Now, to access data in the cloud from a new device, you need to pass an additional authentication step: obtain an access code on a trusted device or enter a special backup access key.

Elcomsoft Phone Breaker supports all relevant two-factor authentication methods, which allows experts to work with cloud data protected in this way. To extract data from an account that uses two-factor authentication, the examiner will need an authorized device to obtain a one-time access code, or will need to enter the special key.

When working with two-factor authentication in Elcomsoft Phone Breaker, a one-time passcode or special key will only need to be entered once. Subsequent requests, both in the current session and in subsequent sessions, will be processed without additional checks.

Available to users of Professional and Forensic editions

Extract information from iCloud without login and password

The ability to access data from iCloud without using a login and password is a unique feature of Elcomsoft Phone Breaker. If the user account password is unknown, a special authentication token extracted from the user's computer can be used to access the "cloud" data. Using a binary token does not require a login with a password or secondary authentication.

Authentication tokens are created by iTunes and stored on the hard drive of the computer from which iCloud is accessed. With an authentication token, it is possible to access data in iCloud without knowing the user's login and password. You can retrieve an authentication token either directly from the user's computer or from its hard drive or a binary image of it, which is especially important when using the product in forensic laboratories and in situations where only a hard disk or its image extracted from the computer under investigation is available. For this purpose, Elcomsoft Phone Breaker has integrated functionality for searching and extracting authentication tokens from a computer's hard drive or its image.

The set of data available through an authentication token depends on many factors: the version of iOS and the iCloud panel on the user's computer, the presence or absence of two-factor authentication in the account, and others.

Extract files from iCloud

In addition to backups, files such as user documents and spreadsheets, application data, WhatsApp backups, Passbook data, and more can be retrieved from the iCloud cloud. While some types of data (mostly documents) can be retrieved using the iCloud app for Windows/macOS, the bulk of the data can only be accessed using Elcomsoft Phone Breaker. An important point is the lack of notification of the user by e-mail when downloading files from the "cloud". Both classic iCloud and new iCloud Drive accounts are supported.

Available to users of the Forensic edition

Windows Phone 8 & Windows 10 Mobile: Retrieving Data from Cloud Storage

Backups of devices running Windows Phone 8/8.1 and Windows 10 Mobile are created and stored exclusively in the cloud, in space Microsoft allocates in its own OneDrive storage.

Elcomsoft Phone Breaker provides the ability to remotely access data from the Microsoft cloud service that contains backup copies of data from devices running Windows Phone 8. Extracting data from the Microsoft service significantly expands the possibilities available to forensic experts when examining mobile devices. To gain access, you must provide the username and password of the user's Microsoft Account.

Extract data from Apple iPhone, iPad and iPod Touch backups

Historically, Elcomsoft Phone Breaker was developed as a product for extracting user data from password-protected backups of iOS devices. Elcomsoft Phone Breaker is the first program of its kind on the market to access secure backups of iPhone, iPod and iPad and the only utility capable of reading and decrypting the contents of the system storage (keychain) containing encryption keys, passwords for email accounts, websites and third party applications. These operations are possible if the password is known or recovered.

To decrypt the data stored in the backup, you must recover the original plain-text password. For the fastest possible password recovery, ElcomSoft programmers developed a number of technologies that distinguish the product from competitors.

Program features

Hardware acceleration

In order to greatly increase the speed of enumeration, the product uses a technology developed by the company to accelerate using graphics cards. Using hardware accelerated password brute force with gaming graphics cards AMD and NVIDIA can increase the decryption speed by 20-40 times compared to algorithms that have the computing resources of only the central processor. Password cracking technology on graphics cards allows you to get the computing power of a supercomputer at the price of an average graphics card.

Elcomsoft Phone Breaker is able to use an unlimited number of video cards installed in the computer simultaneously, even if the devices belong to different generations, use different architectures and come from different manufacturers. Thanks to this, Elcomsoft Phone Breaker users do not have to get rid of old devices when upgrading the system. If, instead of replacing the video card, you simply add a new adapter to the computer, Elcomsoft Phone Breaker will use the computing resources of all devices installed in the system to achieve the maximum password brute-force speed.

"Smart" attacks

The use of "smart" attacks and dictionary attacks allows a password to be recovered much faster. Elcomsoft Phone Breaker supports powerful dictionary attacks using various dictionary mutations and combinations. According to many studies, most users create meaningful passwords from commonly used words that are easier for them to remember. Elcomsoft Phone Breaker can quickly recover such passwords and their variations in any language. The product supports many dictionary mutations and combinations, trying hundreds of variants of each dictionary word so as not to miss the chance of guessing the right password as early as possible.
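The two "smart attack" passages above (and the "several hundred thousand passwords per second" footnote further down) describe why a mutated dictionary word falls quickly while a random password does not. The following added example, which is not Elcomsoft code, turns that into a defender-side backup-password check: it strips the mutations a dictionary attack would try (case, leetspeak, trailing digits and symbols), looks the base word up in a constructed toy wordlist, and estimates how long exhausting the relevant search space takes at an assumed rate of 300,000 guesses per second. The mutation counts, wordlist and rate are all assumptions chosen for illustration.

```python
"""Estimate how a backup password fares against dictionary-with-mutations versus brute force.
Added example (not Elcomsoft code). Wordlist, mutation counts and guess rate are constructed."""
import string

# Constructed toy dictionary; a real policy check would load a large wordlist.
WORDLIST = {"password", "iphone", "backup", "summer", "dragon", "welcome"}

# Common leetspeak substitutions, reversed so we can recover the base word.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})
TRAILING_SYMBOLS = "!@#$%"

# Assumed mutation model: case variants x leet patterns x 0..4 trailing digits x optional symbol.
CASE_VARIANTS = 3                      # lower, Capitalised, UPPER
LEET_VARIANTS = 16                     # assumed 2^4 substitution patterns per word
SUFFIX_VARIANTS = 1 + 10 + 100 + 1000 + 10000
SYMBOL_VARIANTS = 1 + len(TRAILING_SYMBOLS)
MUTATIONS_PER_WORD = CASE_VARIANTS * LEET_VARIANTS * SUFFIX_VARIANTS * SYMBOL_VARIANTS

GUESSES_PER_SECOND = 300_000           # assumed midpoint of "several hundred thousand per second"


def base_word(password: str) -> str:
    """Undo the mutations a dictionary attack applies and return the candidate base word."""
    stripped = password.rstrip(TRAILING_SYMBOLS).rstrip(string.digits)
    return stripped.translate(LEET_MAP).lower()


def classify(password: str):
    """Return (attack_class, guesses_to_exhaust) for the cheapest attack that covers this password."""
    if base_word(password) in WORDLIST:
        return "dictionary", len(WORDLIST) * MUTATIONS_PER_WORD
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return "brute", alphabet ** len(password)


def seconds_to_exhaust(guesses: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in the search space at the given rate."""
    return guesses / rate


def acceptable(password: str, min_days: float = 365.0) -> bool:
    """Policy decision: accept only if exhausting the search space takes at least min_days."""
    _, guesses = classify(password)
    return seconds_to_exhaust(guesses) / 86400 >= min_days


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123!", "Dragon2024", "xK9#vQ2mLp"):
        kind, guesses = classify(candidate)
        print(f"{candidate:14s} {kind:10s} {guesses:.3e} guesses "
              f"{seconds_to_exhaust(guesses) / 86400:.3e} days acceptable={acceptable(candidate)}")
```

The check deliberately mirrors the attacker's model rather than counting characters: "P@ssw0rd123!" satisfies every complexity rule yet is recovered in about a minute at the assumed rate, while a ten-character random string is out of reach.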

Extracting and decrypting stored passwords

On Apple iPhone devices, passwords for email accounts, websites and various applications are stored in the system storage (keychain) in encrypted form, and the hardware encryption keys are unique to each specific device. Prior to the release of iOS 4, data in the keychain was always encrypted only with the unique device keys, but with the release of iOS 4 it became possible to create backups in which the contents of the keychain are encrypted with a master key that depends on the user's password. Elcomsoft Phone Breaker allows you to instantly read (and decrypt) all data from such storage, including passwords, if the master password is known or recovered using the attacks mentioned above.
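Both keychain passages on this page (the earlier one for Phone Password Breaker and this one) turn on the same design point: a keychain wrapped only under a per-device hardware key cannot be opened from the backup file alone, whereas a keychain wrapped under a password-derived master key carries everything needed to test a password offline (salt, iteration count, wrapped key). The added example below, which is not Apple's backup format nor Elcomsoft code, models both modes with standard-library primitives; PBKDF2-HMAC-SHA256 and the HMAC-based XOR wrap are stand-ins for the real algorithms, the iteration count is an assumed value, and all keys and salts are constructed.

```python
"""Toy model of keychain protection: device-key-only versus password-derived master key.
Added illustration, not Apple's format or Elcomsoft code. Algorithms and values are stand-ins."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 10_000   # assumed; real counts depend on iOS version and are not stated on the page
KEY_LEN = 32


def derive_master_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Password -> master key. Only the password is secret; salt and iterations live in the backup."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Toy key wrap (stand-in for a real AES key wrap): XOR with an HMAC-derived pad, plus a tag."""
    pad = hmac.new(kek, b"keychain-wrap", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(key, pad))
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()[:16]
    return wrapped + tag


def unwrap_key(kek: bytes, blob: bytes):
    """Reverse of wrap_key; returns None when the tag does not verify (wrong key)."""
    wrapped, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    expected = hmac.new(kek, wrapped, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        return None
    pad = hmac.new(kek, b"keychain-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(wrapped, pad))


def make_backup(keychain_key: bytes, device_key: bytes, password: str = None) -> dict:
    """Device mode wraps the keychain key under the hardware key (which never leaves the device).
    Password mode wraps it under a master key derived from the password and stores salt/iterations."""
    if password is None:
        return {"mode": "device", "wrapped": wrap_key(device_key, keychain_key)}
    salt = secrets.token_bytes(16)
    master = derive_master_key(password, salt)
    return {"mode": "password", "salt": salt, "iterations": PBKDF2_ITERATIONS,
            "wrapped": wrap_key(master, keychain_key)}


def open_backup(backup: dict, password: str):
    """What the backup file alone permits: a password check for password-mode backups only.
    A device-mode backup cannot be opened this way no matter how many passwords are tried."""
    if backup["mode"] != "password":
        return None
    master = derive_master_key(password, backup["salt"], backup["iterations"])
    return unwrap_key(master, backup["wrapped"])


if __name__ == "__main__":
    kc_key = secrets.token_bytes(KEY_LEN)        # constructed keychain data key
    dev_key = secrets.token_bytes(KEY_LEN)       # constructed per-device hardware key
    pw_backup = make_backup(kc_key, dev_key, "correct horse battery")
    dev_backup = make_backup(kc_key, dev_key)
    print("password mode, right password:", open_backup(pw_backup, "correct horse battery") == kc_key)
    print("password mode, wrong password:", open_backup(pw_backup, "letmein"))
    print("device mode, any password:    ", open_backup(dev_backup, "correct horse battery"))
```

The practical consequence for a defender follows directly: once a backup is password-protected, the only controls left are the KDF cost (fixed by the platform) and the entropy of the password, which is why the strength of the backup password matters more than it appears.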

Compatibility

Feature | Home (Win) | Pro (Win/Mac) | Forensic (Win/Mac)
Support for all iOS versions from 3 to iOS 13.x and iPadOS
Support for all iPhone models
iPod touch and iPad support
Support for all BlackBerry devices (except PlayBook)
Recover passwords for device backups in iTunes ✓/- ✓/-
Number of processors supported 2 32/- 32/-
Number of supported graphics adapters 1 8/- 8/-
Extract and decrypt data in iOS Keychain -
Extract and decrypt data in iCloud Keychain - -
Decryption of backup copies of iTunes(with known password) -
Password recovery for BlackBerry 6/7 backups - ✓/- ✓/-
BlackBerry 6/7 backup decryption (with known password) -
BlackBerry Password Keeper password recovery (up to BB 10) - ✓/- ✓/-
Password recovery for BlackBerry Wallet - ✓/- ✓/-
Password recovery on a Blackberry device - ✓/- ✓/-
Decryption of SD memory card for Blackberry 6/7 -
Extract and decrypt iCloud Password Bundle (iCloud Keychain) - -
Retrieve Messages, Attachments, Apple Health app data - -
Download iCloud backup with Apple ID and password -
Uploading an iCloud backup for iOS 11.2+ with two-factor authentication active - -
Retrieve synced data from iCloud with Apple ID and password - -
iCloud Access with Tokens (Authentication Tokens) - -
Support for iCloud accounts with two-factor authentication - -
Download more data from iCloud (Drive) - -
Extracting data from Windows clouds Phone (login and password required) -
Blackberry 10 backup data decryption (requires BB ID and password) - -
Extract FileVault Recovery Key from iCloud and Decrypt Drive - -

Password recovery (for iOS and BlackBerry backups and for BlackBerry devices) is only available on Windows.

Elcomsoft Phone Breaker works on computers running Windows 7, Windows 8/8.1/10 and Windows Server 2008/2012/2016/2019, 32-bit and 64-bit. Password-protected backups are supported from the original Apple iPhone up to and including the latest models, iPads of all generations (including the Pro and iPad Mini) and iPod Touch of all generations.

Please note that Elcomsoft Phone Breaker CANNOT unlock an iPhone in any way, bypass Activation Lock, modify an iPhone, or remove/change the PIN code of a SIM card. The program is intended only for recovering passwords for backups and for accessing data and backups in iCloud. For detailed information, refer to the Help Guide or the Phone Password Breaker FAQ (in English).

    When downloading iOS 11.2 and newer backups from iCloud accounts with two-factor authentication, the account may be temporarily locked out, requiring a password reset.

    If the option to encrypt the memory card with a password is enabled (before BlackBerry 10)

    Several hundred thousand passwords per second, depending on the power of the computer

    When using hardware acceleration with NVIDIA or AMD graphics cards, we recommend installing the latest drivers for these cards. For configurations with several video cards, we recommend Windows 7 as the operating system.

It is desirable to encrypt data on a laptop, even a home one; at the very least, the user needs a strong authentication mechanism with a strong password. Until recently, I, like many others, believed that few people are interested in my home computer. Yes, I need a strong password at work, but what should I hide at home? And from whom? However, I had to change my mind. What happened? It is simple. I received the latest version of Elcomsoft Phone Password Breaker. With the help of this software you can copy the contents of your iPhone backup to any computer without knowing the password and Apple ID. The only consolation is that all this can be done only in the EPPB Forensic version. Let's look at the features of the program in more detail.

Hack in iCloud: password no longer needed!

I already talked about loading iPhone (iPad) data from iCloud in an article published in Windows IT Pro/RE #2 2014. That article discussed the fact that a researcher could access "cloud" backups. This time, however, we will look at accessing iCloud data without any password. I note that this function is intended primarily for law enforcement, as copying data from iCloud without a password requires a binary authentication token, which must be obtained from the suspect's computer. To date, EPPB is the only product that can do this. However, it is worth emphasizing that in order to use this method of extracting data, you need physical access to the suspect's computer, which must also have the iCloud Control Panel installed.

What is iCloud Control Panel

To create an iCloud account you need an iPhone, iPad or iPod touch with iOS 5 or later, or a Mac computer with OS X Lion 10.7.5 or later. Access to email, contacts and calendars requires Microsoft Outlook 2007 or newer or a current browser version. To sync bookmarks with the Firefox or Google Chrome browser, the iCloud Bookmarks extension is required.

The iCloud Control Panel (shown in Figure 1) is an integral part of iTunes, but on a Windows computer it needs to be installed separately. On a computer running Mac OS this program is already installed.

Get an iCloud authentication token

To obtain an authentication token, you need the suspect's computer (Windows or Mac OS) that has the iCloud Control Panel installed on which the suspect is registered, as well as the EPPB Forensic program.

Most users open the iCloud Control Panel to sync contacts, passwords (iCloud Keychain) and other data, and remain connected to the "cloud". In other words, the expert has a high chance of obtaining an authentication token from this computer. Next, you must use the command-line tools provided with Elcomsoft Phone Password Breaker to find and extract the authentication tokens. Note that you will be able to extract all tokens belonging to all users of the system under investigation, including domain users (if you have their login name and password). After extracting the authentication tokens, save them to a USB flash drive, then run Elcomsoft Phone Password Breaker on your computer and enable iCloud data collection. When you do this, instead of entering the iCloud name and password, enter the authentication token. That's all! You no longer need a username and password for authentication.

The tools used to extract authentication tokens are ATEX (Authentication Marker Extract): atex.exe (for Windows) or atex.dmg (for Mac OS X). The file can be launched from any folder; in particular, I recommend running this file from a USB flash drive. As a result, you will receive a text file containing an authentication token.

On the Windows command line you can use the following parameters:

>atex.exe
-h // Shows help message
-l // Shows system users with iCloud tokens
-t // Get auth token for specified user

To retrieve the token of a cloud-connected user on Windows, you can run atex.exe without parameters. You will get results like in Figure 2.

To get a list of users who have authentication tokens on this computer, run ATEX with the "-l" option. If you want to get a token for another Windows user, you need to know their name and password:

atex -t name password

You need to have administrator rights to get another user's token on this computer.

macOS X

On Mac OS X, ATEX is shipped as a .DMG file containing 'atex' (a Mac executable). To extract the executable file (atex, without extension), just double-click the DMG file to mount it on Mac OS X. You can copy the executable to a USB flash drive, or you can run atex from any folder on the Mac.

Using ATEX on Mac systems is similar to using it under Windows; the differences are quite subtle. On Windows, if you want to retrieve another user's token, you put the password on the command line. On Mac, the system requests the password interactively. Also, on Mac you use the "-u" switch in front of the username. The final difference is in the output format: on Windows you get a plain text file, on a Mac you get a .plist (XML) file.

The correct way to run ATEX on a Mac is as follows. Start the terminal, change the current folder ('cd') to the one where 'atex' is saved, and then start ATEX.

Using an authentication token

So we've got an authentication token. How to use it? Launch EPPB Forensic Edition, see Figure 4.

From the Tools menu, select Apple, then Download backup from iCloud. Enter the previously obtained token in the Token field (see Figure 5). The rest of the process is no different from downloading a backup using an Apple ID and password. However, the following must be taken into account:

  1. It is impossible to recover a password using a token.
  2. If the password is removed from the iCloud control panel, EPPB will not be able to recover it.
  3. A new token is generated each time the user launches the iCloud Control Panel with their username and password. However, previous authentication tokens can still be used to access the backup iCloud copies.
  4. If the user opens the iCloud Control Panel on a different computer (but using the same Apple ID), the tokens will be different, but either one will work with EPPB.
  5. At the same time, tokens have a finite "lifetime". As of today, I do not know the exact duration.
  6. If the user changes the password, the old tokens will no longer work.
  7. You can use ATEX from a USB flash drive without installation. The tokens will be saved to the same flash drive.
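The seven observations above amount to a token-lifecycle specification: every Control Panel sign-in mints a new token, older tokens stay valid, tokens work without the password or a second factor, they expire after some lifetime, and a password change revokes all of them. The added example below, which is not Apple's service code and makes no claim about how iCloud implements this internally, models those rules in a small token service and adds the one thing the article's tips call for from the defender's side: an audit of which hosts still hold a live token, so a password change can be used to revoke them. The token lifetime is an assumed placeholder, since the article says the real value is unknown; the clock is injectable so expiry can be tested offline.

```python
"""Model of the authentication-token lifecycle described in the article's numbered list.
Added example, not Apple's code. TOKEN_LIFETIME_SECONDS is an assumed placeholder."""
import secrets
import time
from dataclasses import dataclass, field

TOKEN_LIFETIME_SECONDS = 30 * 24 * 3600   # assumed placeholder; the real lifetime is not stated


@dataclass
class Account:
    apple_id: str
    password: str
    password_generation: int = 0          # bumped on every password change (item 6)
    tokens: dict = field(default_factory=dict)   # token -> (issued_at, generation, host)


class TokenService:
    def __init__(self, now=time.time):
        self.now = now                    # injectable clock so expiry can be simulated
        self.accounts = {}

    def register(self, apple_id: str, password: str) -> None:
        self.accounts[apple_id] = Account(apple_id, password)

    def login(self, apple_id: str, password: str, host: str):
        """Items 3 and 4: each sign-in (from any computer) mints a fresh token; earlier ones stay valid."""
        acct = self.accounts.get(apple_id)
        if acct is None or password != acct.password:
            return None
        token = secrets.token_hex(16)
        acct.tokens[token] = (self.now(), acct.password_generation, host)
        return token

    def access(self, apple_id: str, token: str) -> bool:
        """Items 1, 2 and 5: a token grants access without the password (and never reveals it),
        but only until it expires or the password generation changes."""
        acct = self.accounts.get(apple_id)
        record = acct.tokens.get(token) if acct else None
        if record is None:
            return False
        issued_at, generation, _host = record
        if generation != acct.password_generation:
            return False
        return self.now() - issued_at <= TOKEN_LIFETIME_SECONDS

    def change_password(self, apple_id: str, old: str, new: str) -> bool:
        """Item 6: a password change invalidates every outstanding token."""
        acct = self.accounts.get(apple_id)
        if acct is None or old != acct.password:
            return False
        acct.password = new
        acct.password_generation += 1
        return True

    def live_token_hosts(self, apple_id: str) -> list:
        """Defender's audit: hosts that still hold a usable token for this account."""
        acct = self.accounts.get(apple_id)
        if acct is None:
            return []
        return sorted(host for token, (_, _, host) in acct.tokens.items()
                      if self.access(apple_id, token))


if __name__ == "__main__":
    clock = [1_000_000.0]                       # constructed simulated time
    svc = TokenService(now=lambda: clock[0])
    svc.register("user@example.com", "pw-one")   # constructed account
    t_home = svc.login("user@example.com", "pw-one", "home-pc")
    t_work = svc.login("user@example.com", "pw-one", "work-mac")
    print("live token hosts:", svc.live_token_hosts("user@example.com"))
    clock[0] += TOKEN_LIFETIME_SECONDS + 1
    print("after expiry:", svc.live_token_hosts("user@example.com"))
    t_new = svc.login("user@example.com", "pw-one", "home-pc")
    svc.change_password("user@example.com", "pw-one", "pw-two")
    print("after password change:", svc.access("user@example.com", t_new))
```

The audit function is the point for a defender: if a host appears in the list that the account owner does not recognise, the article's own observation (item 6) gives the remedy, a password change, which revokes the token regardless of where it was copied.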

In conclusion, I want to say that, on the one hand, I am proud of Russian developers; on the other hand, I understand that this program opens another Pandora's box. Why? Because there is now another way to steal information from mobile phones. And since our management is used to the idea that a fashionable smartphone is a smartphone from Apple, there are additional risks. For example, do you always trust customer service? And are you always able to control an employee who is doing something on your computer? Launching the utility is a matter of a few seconds, and the backups can be analyzed at home.

A smartphone stores not just a lot of information about you, but a great deal. And the most interesting, in my opinion, are the passwords for mail, Skype and much more. What to do? The tips are standard. Encrypt the hard drive, set a strong password for your account, change it in time, and do not forget to lock the computer. Yes, the same applies to the tablet! After all, there is no difference. In short, learn to protect your privacy. Even a bit.

In this article, I would like to lift a little the veil of mystery that shrouds a science called forensics. Forensics collects digital evidence and analyzes it. Naturally, we will consider this through the prism of the Apple universe, or rather, in relation to the iPhone. We will start with an interview with representatives of the company that made a name for itself on the software for this - Elcomsoft.

To begin with, I’ll tell you how I decided to make a material on this topic.

Few Russian-speaking members of the IT community do not know the now-defunct Computerra magazine. I will not spend a lot of time singing its praises, since one article would not be enough for that, especially since we will talk about perhaps the most notorious of this magazine's columnists, Sergei Mikhailovich Golubitsky. It was his note on the website of the late publication (he writes there regularly) that became the starting point of this article. I encourage you to read it to understand what is going on.

Since I clearly fall into the category that Sergei Mikhailovich affectionately calls "goblins", perhaps I will emphasize that I respect his work and in many ways consider him my teacher and inspirer. But with regard to his note mentioned above, I will still take the position of disagreement.

I don't know whether intentionally or out of ignorance, but the note greatly exaggerates Apple's security problems. With his characteristic biting sarcasm, the author ridicules "Apple's attempts to enter the corporate market", alluding to the many holes found in its security and, most recently, oh horror, a freshly discovered huge security hole, which Elcomsoft's product called Phone Password Breaker will help to exploit. At the same time, allegedly in the manner typical of large corporations, Apple completely ignores the problems of its users, which the title of the article calls by the biting word "arrogance". The article is supplemented by stories about other successes of Elcomsoft (truly the largest specialists in recovering passwords from anything) and a discussion of how anyone can easily dig into your data.

In the description of the horrors of "leaky" iCloud, I was puzzled by the minimum requirement, which is simply... the need to know the iCloud login and password. Undoubtedly a huge and critical gap in the security model, one that affects 99% of online services and lets anyone who knows the username and password find out all of the user's data. Frightened by the prospects this opened up, I decided to go to the source: Elcomsoft, whose representatives turned out to be extremely kind and not only told us everything about Phone Password Breaker, but also let us try it out with our own hands, which we took advantage of.

But we will start, of course, with an interview.

Please tell us about Phone Password Breaker: who needs this program and what can be done with it?
Elcomsoft Phone Password Breaker allows law enforcement experts to access password-protected backups of smartphones and portable devices based on the RIM platform and Apple iOS. The utility supports all BlackBerry smartphones and all portable devices on the Apple iOS platform, including the iPhone, iPad and iPod Touch of all generations and versions, including the iPhone 4S, iOS 4.x and iOS 5.x.
The program restores access to backup copies of Apple and BlackBerry devices, which may contain address books, call logs, archived SMS messages, calendars, to-do lists, photos, voicemail and email account settings, third-party applications, a log of visited web pages and the contents of those pages stored in the cache.

In addition, the program can use hardware acceleration of password cracking on AMD and NVIDIA video cards, which increases the speed 20 to 40 times compared to algorithms that use only the computer's CPU. The brute-force technology for graphics cards was developed and patented by ElcomSoft in the USA. At the moment many software companies use this technology, since it gives the computing power of a supercomputer at the price of a home graphics card.

The new version of EPPB is also capable of remotely retrieving information from Apple's iCloud online storage given the username (Apple ID) and password. Access to the device itself is not required.

Does EPPB brute-force passwords? Or are there some "holes" that allow you to do without it?

For backups created on a computer (offline), the program uses password brute force, involving various professional tricks such as rearranging or replacing characters, the so-called mask attacks, dictionary attacks, and combined or hybrid attacks, when several dictionaries are used at once. A complete list of attacks is available. Unfortunately (or fortunately, depending on your point of view - ed. note), the encryption of offline backups in iOS is quite strong, so the speed of password recovery is affected only by GPU acceleration of the brute force and by the strength of the password itself: the simpler the password, the faster it is found.

Concerning the new feature, access via iCloud: do I understand correctly that everything is not as scary as they say on the Internet? After all, almost any online service will give access if the username and password for it are known (the same Gmail is no more secure), and PPB simply simplifies the access, or is there something deeper?

Everything is neither as simple nor as scary as it seems at first glance. Of course you can access anything if you have the username and password, but in the case of iCloud the data comes encrypted. In addition, the only "official" way to use an Apple ID and password to download an iCloud backup is to restore a device (new or after a firmware restore) from iCloud. Simply logging in to icloud.com and downloading a backup will not work: Apple does not provide such an option.

And although there is encryption in iCloud, the encryption key comes with the backup, which greatly simplifies the whole decryption process. In other words, the backup encryption settings that you can set in iTunes apply only to traditional offline backups and not to iCloud backups. Data is sent to the cloud in practically unencrypted form regardless of the encryption settings (although the transmission channel is securely protected). When we discovered this security hole while examining online backups, it certainly surprised us, since Apple always cares about the safety of its users, but there are obviously technical reasons for it.

Our program can download backups from iCloud online storage, decrypt them and convert them to the familiar iTunes format, although you can also use specialized software for data analysis, since there are now plenty of such tools on the market.

Are there ways to protect yourself from Phone Password Breaker? Or at least to make the attacker's job harder?

In this case the only good defense is a strong Apple ID password, one that cannot be quickly guessed from some information about the user. In principle, all the requirements of a password security policy apply here. In addition, the password must be handled very carefully so as not to leave fraudsters a chance of finding it, say, on a stolen iPhone not protected by a strong passcode, or on a computer left with open access, because the credentials may simply have been saved in the web browser through which you accessed the iCloud page. There are many possible avenues for data leakage, which is why it is always better to limit physical access to all the devices you use, which in the case of remote storage in the cloud is a little more complicated. When using iCloud, you need to clearly understand that your Apple ID password is the only barrier between attackers and all your data stored online. Alternatively, you can simply not store data in iCloud at all, but only locally on your computer.

Are there versions of your software for OS X?

Unfortunately, we do not have a version of Elcomsoft Phone Password Breaker for OS X; the program works only under Windows. But Elcomsoft iOS Forensic Toolkit works on both PC and Mac; moreover, the program was originally written for the Mac, which is not typical for us.

What other Elcomsoft programs might be of interest to users of the Apple ecosystem?

We also have a wonderful product, Elcomsoft iOS Forensic Toolkit (EIFT), specially designed for forensic investigations of iPhone, iPad and iPod Touch devices based on Apple iOS. Using the iOS Forensic Toolkit, you can recover the device passcode (if it is a 4-digit passcode, the search takes no more than half an hour) and take an exact image of the file system and, in general, of all the data available on the device. The product ensures the integrity and immutability of the examined data. Using the iOS Forensic Toolkit, specialists can access a decrypted image of the device's file system and decrypt codes, passwords and other protected information.

Such is the interesting and informative story. Before drawing conclusions, I will show what Phone Password Breaker looks like in action. Since the program is available only for Windows, I would like to thank Parallels separately: in Parallels Desktop 7, Elcomsoft Phone Password Breaker works quite well (although, of course, if you are going to collect data at a professional level, you should definitely set up a proper Windows installation).

Besides recovering passwords for iOS device backups, the program also works with BlackBerry (and very well), and although this is beyond the scope of our article, I cannot help but note the fact. Another important feature of Elcomsoft Phone Password Breaker is the ability to decrypt the keychain stored in a password-protected backup (it is encrypted separately from the backup itself, but I won't go into details now).

By the way, Phone Password Breaker can be useful not only to law enforcement officers or intruders. The fact is that if you choose the option to protect the backup with a password and carelessly forget that password, it will be impossible to turn the option off without knowing it, making all the backups useless. And making another "passwordless" copy will no longer work either. In this case Apple recommends doing a full reset of the device and setting it up clean from scratch. If your data is dear to you, you can try PPB as an alternative solution to the problem.

Elcomsoft Phone Password Breaker is installed, like most Windows programs, with a simple wizard (during the installation I experienced a powerful attack of nostalgia; I haven't done this for a long time).

The program interface is very simple. Select the backup file, configure the types of attack you are interested in (described in more detail on the Elcomsoft website) and start the search. If you're lucky, cracking the password won't take long, especially if the password is a dictionary word, some variation on it, or simply short.
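The attack types named in the interview (dictionary, mask, hybrid) and the observation just above that a dictionary word or a short password falls quickly can be made concrete. What follows is an added example, not Elcomsoft's code and not a parser for real backups: it models the password check behind an encrypted iTunes backup and runs the three attack styles against constructed passwords. The real check reads SALT and ITER from the BackupKeyBag in Manifest.plist, derives a key with PBKDF2-HMAC-SHA1 and AES-unwraps the class keys; here the unwrap step is replaced by an HMAC check value so the script needs only the standard library. The mask notation, the iteration count, the word list and the guess rates are assumptions made for the example.

```python
"""Added example, not Elcomsoft code: a model of the password check behind an
encrypted iTunes backup, run against dictionary, mask and hybrid attacks.
The real check derives a key with PBKDF2-HMAC-SHA1 over SALT/ITER from the
BackupKeyBag and AES-unwraps the class keys; here the unwrap is replaced by an
HMAC tag. Salt, iteration count, word list and guess rates are constructed."""
import hashlib
import hmac
import itertools
import string

# hashcat-style mask classes (assumption: the notation, not Elcomsoft's own)
MASK_CLASSES = {"d": string.digits, "l": string.ascii_lowercase,
                "u": string.ascii_uppercase, "s": "!@#$%^&*()-_=+.,?"}
SALT = bytes(range(20))  # constructed; the real SALT entry is 20 bytes
DEMO_ITER = 200          # constructed; real backups use many more iterations
LEET = str.maketrans("aeios", "@310$")

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1 to a 32-byte key, the derivation real backups use."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 32)

def make_keybag(password: str, salt: bytes = SALT, iterations: int = DEMO_ITER) -> dict:
    """Stand-in keybag: the salt and iteration count an attacker reads from the
    file, plus a check value (the analogue of the wrapped class keys)."""
    key = derive_key(password, salt, iterations)
    tag = hmac.new(key, b"class-key-check", hashlib.sha256).digest()
    return {"salt": salt, "iter": iterations, "tag": tag}

def check_password(keybag: dict, candidate: str) -> bool:
    """One guess; its cost is fixed by the iteration count, not by the attacker."""
    key = derive_key(candidate, keybag["salt"], keybag["iter"])
    tag = hmac.new(key, b"class-key-check", hashlib.sha256).digest()
    return hmac.compare_digest(tag, keybag["tag"])

def _mask_slots(mask: str) -> list:
    """'?u?l?d' -> [uppercase, lowercase, digits]; other characters are literal."""
    slots, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and mask[i + 1:i + 2] in MASK_CLASSES:
            slots.append(MASK_CLASSES[mask[i + 1]])
            i += 2
        else:
            slots.append(mask[i])
            i += 1
    return slots

def mask_candidates(mask: str):
    """Mask attack: every string the mask matches, last position varying fastest."""
    for combo in itertools.product(*_mask_slots(mask)):
        yield "".join(combo)

def mask_keyspace(mask: str) -> int:
    n = 1
    for slot in _mask_slots(mask):
        n *= len(slot)
    return n

def rule_variants(word: str) -> list:
    """The 'replace or rearrange characters' tricks: case, leetspeak, suffix, reversal."""
    out = {word, word.lower(), word.capitalize(), word.upper(), word.translate(LEET)}
    for w in list(out):
        out.update({w + "!", w[::-1]})
    return sorted(out)

def dictionary_candidates(words):
    """Dictionary attack: every rule variant of every word."""
    for w in words:
        yield from rule_variants(w)

def hybrid_candidates(words, mask: str):
    """Hybrid attack: a dictionary word followed by a masked suffix."""
    for w in words:
        for suffix in mask_candidates(mask):
            yield w + suffix

def run_attack(keybag: dict, candidates) -> tuple:
    """Return (password, guesses made) or (None, guesses) when candidates run out."""
    guesses = 0
    for cand in candidates:
        guesses += 1
        if check_password(keybag, cand):
            return cand, guesses
    return None, guesses

def seconds_to_exhaust(mask: str, guesses_per_second: float) -> float:
    """Worst case for a mask: the rate is what GPUs raise, the mask is what the user sets."""
    return mask_keyspace(mask) / guesses_per_second

if __name__ == "__main__":
    words = ["apple", "iphone", "secret"]
    print(run_attack(make_keybag("Iphone!"), dictionary_candidates(words)))
    print(run_attack(make_keybag("0042"), mask_candidates("?d?d?d?d")))
    print(run_attack(make_keybag("apple19"), hybrid_candidates(words, "?d?d")))
    # 150,000 guesses/s is a constructed GPU-class figure for the estimate
    for mask in ("?d?d?d?d", "?u?l?l?l?d?d", "?u?l?l?l?l?l?l?d?d?s"):
        print(mask, mask_keyspace(mask), round(seconds_to_exhaust(mask, 150_000)))
```

The point to take from it: the cost of a single guess is fixed by the iteration count stored in the file, so the attacker's lever is the guess rate (which is what GPU acceleration raises) and the defender's lever is the mask the password falls into. A four-digit, PIN-style password is exhausted in seconds at any rate, a dictionary word with the usual capitalisation and "!" tricks needs only a few dozen guesses, while every extra position and character class multiplies the keyspace, which is the reasoning behind the advice at the end of the article.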

I was more interested in trying a restore from an iCloud copy. To do this, you enter the username and password of the account (of course, I used my own).

A few seconds of waiting, and we see all the devices that have backed up to iCloud. Tick the ones you need.

After that, with the user's convenience in mind, PPB offers to restore "understandable" file names and sort the information into folders. Naturally, it is better to accept this offer if you are going to go through the "loot" yourself. If you use additional software for analysis, leave the backup copy as is.

Immediately after that, the download of your data from iCloud starts. It took me about 10 minutes for two devices.

The result is the files saved in the specified folder, extracted from your device's backup, including some very sensitive ones.

SMS messages, logins, passwords and a lot of other valuable data are all there without any trouble.

Of course, analysis with specialized software is much easier and more convenient, but for "domestic purposes" such manual viewing is more than enough.

Initially I was a little put off by the need to use Windows, but thanks to Parallels this problem is neatly hidden.

This is how it all works; what conclusions can be drawn? The main one is that there is no sensational security hole in iCloud, and no need to buy into the methods of yellow journalism. If your iCloud login and password are not compromised, there will be no access to the data in the cloud, and guessing the password of your iCloud account remotely is an unrealistic task. If you want to protect yourself, use a complex iCloud password and do not expose it on untrusted networks (on public Wi-Fi hotspots I strongly recommend using a VPN). Better still, do not trust the Internet with important data at all; store it only locally and under a good password (if it is long enough, cracking it will not be a trivial task even for a tool as powerful as PPB). Best of all, just don't do anything that might draw the attention of forensic experts to you, because the "elusive Joe" principle from the joke works just fine here.

In conclusion, I want to say that forensics is an interesting and extensive topic, so if this article is of interest to readers, we will try to cover it in more depth and talk about its various aspects, show the software used, and perhaps even talk with experts in the field.

P.S. If, for one reason or another, the topic of forensics interests you in practice, I can recommend a good (and in fact the only) free Russian-language textbook by Nikolai Nikolaevich Fedotov, which will be equally useful to both lawyers and IT specialists.
