Elcomsoft, the forensic software developer, has just updated its iOS toolkit so that it can extract some data from iPhone devices running iOS 12 to iOS 13.3 without unlocking them, media reported. The latest version, 5.21, primarily concerns the iOS Keychain, which stores credentials for apps and online services. It covers devices from the iPhone 5s to the iPhone X, the iPad mini 2 through the 2018 tablet line, the iPad 10.2, the first-generation iPad Pro 12.9, and the iPad Pro 10.5.
(From: Apple, via Apple Insider)
Specifically, version 5.21 of the toolkit supports devices with Apple A7 to A11 SoCs. The update focuses on the so-called “before first unlock” (BFU) state, in which the device has not been successfully unlocked since it was turned on.
When powered on, the iPhone remains fully encrypted until the lock screen password is entered; the Secure Enclave requires it before the file system can be decrypted. This is the state the Elcomsoft toolkit targets.
Elcomsoft found that some Keychain items contain authentication credentials for e-mail accounts, and that some authentication tokens can be accessed while the device is in the BFU state. These items are kept available so that the iPhone can start up correctly before the lock screen password is entered.
To do this, the Elcomsoft toolkit needs to install a jailbreak called “checkra1n”, which takes advantage of a vulnerability in Apple’s bootrom.
The jailbreak itself is installed in Device Firmware Upgrade (DFU) mode and can be used regardless of the device’s BFU status and whether it is locked.
Elcomsoft says the toolkit is designed to provide law enforcement officers with iOS forensic tools, similar to those offered by companies such as Cellebrite.
But it’s clear that businesses and individuals can also easily take advantage of Elcomsoft’s tools, which currently sell for $1,495 in both Windows and macOS versions.
Because of how the jailbreak works, the tool can only be used with physical access to the target device and therefore cannot be used for wide-ranging attacks. In addition, the high cost of the software may keep some malicious users away.
Of course, this is only the ideal situation. Elcomsoft tools have previously been used in illegal acts, including the infamous “Celebgate” hack (breaking into iCloud accounts and retrieving photos).
In addition to accessing data on an iOS device that has never been unlocked, Elcomsoft's forensic tools provide additional capabilities such as access to all protected information (including SMS and email), call history, contacts, web browsing history, voice mail, account credentials, geolocation history, instant messaging sessions, application-specific data, the original plain-text Apple ID password, and so on.