They just reverse-engineered the proprietary iCloud protocol and created a simple visualization tool. Everyone who thinks that proprietary protocols are a good way to improve security is an idiot.

In fact, Apple should have gone with an open protocol in the first place. This would allow others to create useful tools and integrate iCloud with devices, software and services not controlled by Apple. This is in fact the whole point of Cloud services such as Dropbox and Google Drive. They provide an open web-based API which is used by thousands of developers.

As for unencrypted data: It is always possible that your iPhone is lost or stolen. Somebody could then get all your data off your phone. Apps dealing with sensitive information (e.g. account data/passwords, documents, card numbers etc.) must encrypt their stuff anyway, otherwise it's entirely the App maker's fault if someone can get this information off your phone or iCloud.

----------

Without access to your computer or iPhone it's quite hard to get your UDID.

What are you talking about? The point was to limit iCloud access to phones, even new ones, as opposed to computers. But, as has been pointed out, it is easy to obtain a phone UDID and spoof a phone MAC address, so this is a completely useless approach.

Besides, iCloud is even supposed to work with computers (iCal, iPhoto etc.), so the original idea was flawed in just about every aspect.
 
But, as has been pointed out, it is easy to obtain a phone UDID and spoof a phone MAC address, so this is a completely useless approach.
Like I said, it's quite hard to get a specific UDID. For instance, what is the UDID of my iPhone?

Locking data to a specific UDID makes it quite a bit harder to access data, unless you know three things, not two. (Apple-ID, password and UDID)

Besides, iCloud is even supposed to work with computers (iCal, iPhoto etc.), so the original idea was flawed in just about every aspect.

There's a lot more in iCloud than iCloud.com shows you. Sent and received text messages, call history lists, cookies, passwords and browsing history for Safari and the list goes on. All the stuff that magically gets transferred from your old phone to your new one when you 'restore' to a new phone.

Elcomsoft sells forensic software. The whole point of that kind of software is recovering information like call history. With other phones you have to seize the phone (by legal means), connect it to special hardware to read out the hidden parts of memory and feed that to software which decodes it. Elcomsoft Phone Password Breaker has been used for years for this purpose. It just has a new feature.

When Samsung expands its sCloud-service (no joke) to include online backups of your Samsung-phone we will see a fresh press-release by Elcomsoft, discussed to bits, but on SamsungRumors.com
 
Like I said, it's quite hard to get a specific UDID. For instance, what is the UDID of my iPhone?
And like I said, that's not the point. Nobody was talking about locking data to a specific UDID because this would defeat the whole purpose of cloud backups.

There's a lot more in iCloud than iCloud.com shows you.
Ah, no shlt?! What are you even arguing?
 
Hmm. I don't get it. One billion people reveal far too much about themselves on Facebook. And 30 people in here care about their sensitive data. So please tell me. Did you discover the cure for cancer, the meaning of life or have you just written the next best seller? What is it that is so secret about your life that you absolutely need it offline? And that takes a lot of storage space?

Let's not make sense here:)

Obviously none of these people have ever heard that a secret is no longer a secret if more than one person knows about it.

Put in digital/computer terms:

A secret/your private stuff is no longer a secret as soon as you have it on your computer/device and are connecting to the internet or make phone calls with your smart phone.
Even if you burn a DVD (can be stolen) or erase your HD (can be recovered, unless you use a certain set up), it is available.

If you don't do anything illegal, why are people worried about a forensic program?
 
What's in the box, a house key?

How is this even a 'product'?

To 'break in' to the iCloud backup, you need the target's username and password.

If you don't have that, you might be able to get credentials from the offline, local backup, which means you have physical access to the target's computer.

I suppose it would be handy for spouses who suspect their mate to be up to something sneaky.

Perry
 
Hmm. I don't get it. One billion people reveal far too much about themselves on Facebook. And 30 people in here care about their sensitive data. So please tell me. Did you discover the cure for cancer, the meaning of life or have you just written the next best seller? What is it that is so secret about your life that you absolutely need it offline? And that takes a lot of storage space?

No Facebook account for me...the Internet is a gigantic vulnerability. I bet your condescending attitude is really appreciated here (as is my sarcasm ironically).

----------

If you don't do anything illegal, why are people worried about a forensic program?

The DHS has put in talking street signs to warn citizens of events but they can also record audio. The NSA is building a gigantic data processing center in Utah capable of deciphering global communications in real-time and the USG is deploying drones over US cities/homes to monitor for bad guys.

These are things in the news in the last couple of weeks...I have nothing to hide, but infringing on our freedoms begins with monitoring dissidents. They may call them "terrorists" today but citizens who complain may be targeted for monitoring tomorrow. Everything starts out with good intentions but they soon get exploited and used for other reasons (especially by the government). I'd prefer to not give them an inch lest they take a mile.
 
Apple better fix this security bug ASAP.

What makes us apple users think apple doesn't have *****ty privacy protection on purpose?

They have allowed:
Easy data pulls from devices/PCs by clandestine remote access for years (or from wired devices from law enforcement)
Disabled owner control of devices by not allowing battery removal
Built devices with built-in cameras and mics that can be activated remotely without indication on the device
Built-in GPS locator by gov mandate

And now easy access to expose iCloud stored data, phone data And more

Simply put apple is a spy's best friend. Or more aptly put in league with the NSA.

Let's see if they make any attempt to protect security; they haven't so far tried to protect much at all.

Sadly, the rule of law is being avoided. The need for judicial court approval of any spying has not been adhered to by the NSA and, much worse, now just anybody who buys this software can spy on, stalk or find somebody, which is very sad.

Since 9/11 the role of privacy in the USA has been continually degraded. It's time to fight back... Demand more security and safety built in!

And to those who think they have nothing to hide, everyone has a right to privacy. No one should have to prove they are not a criminal by granting the gov't or others access to their phone, computers and more, just in a land grab to destroy privacy. Sorry. But all of this crap is illegal.
 
Perhaps ElcomSoft is trying to stand out as a potential Russian Apple acquisition...

Apple is one of several parties in talks with Russia's Skolkovo technology park about possible research and development facilities there, according to local publication Izvestia. Other interested companies are said to include Google and Facebook; agreements are reportedly already in place for firms such as Microsoft, IBM, General Electric, and Cisco. Skolkovo's organizers are said to be aiming at making the park a Russian equivalent of Silicon Valley.
Read more: http://www.macnn.com/#ixzz1vQAyQcRR
 
For shame, MacRumors. This is scaremongering, caveat-in-the-nineteenth-paragraph of the highest order.

YOU NEED THE ICLOUD USERNAME AND PASSWORD.

This is not hacking! This is accessing your own data!

Obtaining someone's password: that's "hacking", if we can call it that. Apple makes the entirely reasonable assumption that someone with your iCloud username and password is YOU. If they didn't do that, the entire concept of username/password identification is pointless.

If you couldn't access your iCloud backups with your iCloud username and password, then when you're restoring to a new device, how on earth are you supposed to identify yourself?

BS, this is software which, with their other software, HACKS the username and pw, gives people access to the info, spies on them, tracks them.

Sorry, but this software is evil. Anyone like Piers Morgan could simply hack a celeb's phone and illegally invade their privacy.
 
You need the UDID tied to the account to get the backup. I've said that like three times now omg.

Which is provided to App developers along with the associated Apple ID to anyone who purchases their app. Leaving only one piece of information needed, the password. Which this software can attack and, as previously mentioned, is weak in a vast majority of the cases.

----------

Great first post, I completely agree. It's like you can use a secure courier to deliver a parcel, but that doesn't stop it being stolen if the sender or recipient leave it lying around before or after it's in transit.

Exactly. These technologies are complex and easily misunderstood. That's why poor implementations of a product get through and put people unknowingly at risk.
 
You need the UDID tied to the account to get the backup. I've said that like three times now omg.

So you tie the backup to exactly one device? Brilliant idea! And what happens when your phone is lost or stolen, when you damage the phone or want to buy a new model? You can't access the backup? Hold on, I'm going to solve this one for you: users can register new devices with.... their account login and password. If only Apple hired geniuses like you.
 
Which is provided to App developers along with the associated Apple ID to anyone who purchases their app. Leaving only one piece of information needed, the password. Which this software can attack and, as previously mentioned, is weak in a vast majority of the cases.

----------

Exactly. These technologies are complex and easily misunderstood. That's why poor implementations of a product get through and put people unknowingly at risk.

Oh ****, I didn't know the UDID was public like that. :/
 
So you tie the backup to exactly one device? Brilliant idea! And what happens when your phone is lost or stolen, when you damage the phone or want to buy a new model? You can't access the backup? Hold on, I'm going to solve this one for you: users can register new devices with.... their account login and password. If only Apple hired geniuses like you.

I'm almost certain the ID is tied to the backup to identify which device updates which backup, in the case of multiple iOS devices using iCloud backups. This association is then changed when restored to a different device.
 
1) Apple is already synonymous with "security vulnerability" in the hacker community.

2) "Law Enforcement" is an oxymoron as they seek every opportunity to bypass and ignore the law.

If you have some fantasy that you are not being watched and monitored, this is the smallest tip of a ginormous iceberg. It has nothing to do with protecting us. It has to do with power and control. Doesn't matter if you are doing nothing wrong or not. It has to do with whether someone will benefit from them coming after you. Your "crimes" are incidental and can be contrived anyway, that's what press releases are for - to villainize the arrested.
 
I completely agree about the security lapses at Apple. They can do more when it comes to patching security exploits. Flashback made it even more apparent.

But about Dropbox, I know they use SSL and AES-256 on their servers. You may know something I don't, but my assumption was that Apple did the same with iCloud backups and that the issue at hand is that the backups should be encrypted locally on the iPhone before being sent to iCloud.

As it stands, Dropbox should be vulnerable too. If someone had their Dropbox account stolen and they logged in, they should be able to download any of their files even if it's over HTTPS and even if they were encrypted on the servers with AES256. Cloud solutions like SpiderOak do the encryption on the local computer first. So even if the account name/password was stolen ... they would need the local encryption keys before the server assumes they are properly authenticated to see the data. This stops Spideroak employees and hackers, who may steal files from their servers, from seeing the data. But even then with all that encryption (2048 RSA + AES256), knowing the password of an account leaves you vulnerable no matter what. I believe with Spideroak, if you lose the local encryption keys you can still get them back with your password and use them to unlock the data. Safest way to keep the data private is to never allow regeneration of the keys, which leaves you without your data, which defeats the point of cloud backup storage.

I've been looking for a cloud security solution for a couple of weeks now. I just set up Spideroak today, and I don't see that it encrypts from the iOS side -- at least not in the way I'm looking for. I might just have to spend a bit more time learning how to use it.

I also just ran across this today:

http://www.boxcryptor.com/

Which looks like it could be great.
Still Beta on the OSX end, but I know it can encrypt from the iOS app.

Doesn't really help with the iCloud backup thing, but I'll do any sensitive syncing using something like boxcryptor and dropbox. For iCloud, I'll just use strong passwords that I regularly change. That should keep the criminals at bay --- As for the crooked cops, and corrupt government trying to frame me with something ... well, there's plenty of other ways they could do that other than through the cloud. So why worry about it too much.
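To make the distinction in the post above concrete (provider-held key versus client-side encryption with a password-wrapped data key, the SpiderOak-style design it describes), here is an added illustration that is not code from the post, from Apple, Dropbox or SpiderOak. It assumes a constructed HMAC-SHA256 counter-mode keystream as a stdlib stand-in for AES-256, and constructed user names, passwords and file contents.

```python
import hashlib
import hmac
import os

def derive_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Stretch a password into a 256-bit key; the iteration cost slows offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a constructed stand-in for AES-CTR (stdlib only)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (wrong password) fails here rather than yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class ServerSideEncryption:
    """Provider encrypts at rest with its own key; a valid login simply returns plaintext."""
    def __init__(self) -> None:
        self.key = os.urandom(32)   # lives on the provider's servers, never with the user
        self.stored: dict = {}
    def upload(self, user: str, password: str, data: bytes) -> None:
        self.stored[user] = (hashlib.sha256(password.encode()).digest(), encrypt(self.key, data))
    def download(self, user: str, password: str) -> bytes:
        pw_hash, blob = self.stored[user]
        if not hmac.compare_digest(pw_hash, hashlib.sha256(password.encode()).digest()):
            raise PermissionError("bad password")
        return decrypt(self.key, blob)          # provider can do this for anyone who logs in

class ClientSideEncryption:
    """Client picks a random data key and encrypts locally; the provider only ever stores
    ciphertext plus a copy of the data key wrapped under the password-derived key, so the
    password alone still recovers the data (the recoverability trade-off the post describes)."""
    def __init__(self) -> None:
        self.stored: dict = {}
    def upload(self, user: str, password: str, data: bytes) -> None:
        data_key, salt = os.urandom(32), os.urandom(16)
        wrapped = encrypt(derive_key(password, salt), data_key)
        self.stored[user] = (salt, wrapped, encrypt(data_key, data))
    def download(self, user: str, password: str) -> bytes:
        salt, wrapped, blob = self.stored[user]
        return decrypt(decrypt(derive_key(password, salt), wrapped), blob)
    def provider_view(self, user: str) -> bytes:
        return self.stored[user][2]             # all a server breach or subpoena yields
```

In both models a leaked password opens the account; the difference is that only the server-side model lets the provider (or anyone holding its key material) read the data without the password.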
 
You'd have to have each specific UDID, limiting it to only criminals with vast amounts of money and a massive botnet, or legit customers.

Which, again, means limiting the person to only using that backup with the original device, so if it was lost, stolen, etc., and the owner didn't have an iTunes backup, which is likely since iTunes doesn't do backups on the computer when iCloud backups are turned on and most users don't know how to trigger one manually, the owner is totally screwed since he/she can't access their own data.

And before you say 'well they can set up a system where you can have the access transferred to another UDID', what's to stop me from doing that to get access to your information? I have your username and password after all. Which means I can get in to see your real name, your billing address, change your security questions to answers I know, even see the serial numbers of the stuff you registered.
 
Which, again, means limiting the person to only using that backup with the original device, so if it was lost, stolen, etc., and the owner didn't have an iTunes backup, which is likely since iTunes doesn't do backups on the computer when iCloud backups are turned on and most users don't know how to trigger one manually, the owner is totally screwed since he/she can't access their own data.

And before you say 'well they can set up a system where you can have the access transferred to another UDID', what's to stop me from doing that to get access to your information? I have your username and password after all. Which means I can get in to see your real name, your billing address, change your security questions to answers I know, even see the serial numbers of the stuff you registered.

You're completely missing what I'm saying. Make sure that only iOS devices can download backups. It's not that difficult.
 
You're completely missing what I'm saying. Make sure that only iOS devices can download backups. It's not that difficult.

Riiigghtt.... So that's why you can't buy iOS devices on like every corner of the street.... :roll eyes:
And I'm so glad you can't also reverse-engineer that security-protocol.... It's not that hard for software to pretend to be an iOS device...

Oh wait... maybe we can restrict it to an IP-address too... and maybe the outside temperature and humidity... Why don't we throw in the GPS-coordinates and compass-orientation too.

You just have to pick a good password and protect it with your life! That's all....
 
we need HARD CLIENTSIDE CRYPTO

which is currently unavailable, certainly not easy to use with the available GPG tools. The iCloud and all other clouds which are based or partly based in US jurisdiction need to comply with USAPATRIOT, which implies that covert national security letters may be used to access any and all of your cloud data.

It is just part of a law enforcement (actually intelligence agencies) grab for any and all data to feed their Bayesian analysis systems.

Look at these two articles: Susan Landau reported in ZDNET where she gives facts about use of captured data, and UK (MET) Police to store ALL persons' smartphone data, where anyone who meets a police officer may have their entire phone contents dumped to a database! No warrant, no judge involved - not just the guilty. UDID, IMEI, etc. disclosed.

It's a question of balance - at present the security/privacy debate looks unbalanced - since basically the NSA/FBI international lobbying in the nineties for full access to digital traffic. It looks like they have their wishes!
I trust my government, at present:). These spying powers will still be working in 20 years, in all nations that have signed the international user requirements MoU. Do I trust all future governments with my data?:confused:
 
These tools aren't used until a suspect is arrested and a warrant issued to allow for the search of their electronic devices.

Yeh right. Also software never crashes. :rolleyes:

We all know that they use this type of software daily without permission, and only "apologize" when caught. Then they keep on using it.
 
The thing about this for me is that we would all be very naive if we didn't believe this was already possible for government agencies anyway.

As was mentioned back on page 1, if something illegal happened and a mobile phone could be tracked to help the case, I want that mobile phone checking and I don't care how they do it. Exactly the same as if I was accused of something and my phone proved I was innocent, they can check that with pleasure. If the software doesn't exist to allow this I would hope Apple would provide the information upon request with a court order anyway.

The fact your user name and password are required, to me, means that my data is as secure as the money in my bank, which only needs an access code and a PIN number for internet banking.

If someone is arrested they would be asked for the user name and password; if they didn't provide it, a warrant would get them access to the computer in their house and then through interrogation of details there they would get the user name and password.

As for encrypted or not, software can decrypt physical backups anyway, it just takes longer, so apart from interception during transmission, which this software does not do (but others potentially do, that's a different matter), it makes no difference to security.

These software tools exist, as well as ones which can interrogate your computer remotely etc. The very best hackers often end up getting caught and working for governments; it's a fact of life and most likely how we foil terrorist plots. IMO it's a necessary evil; nothing to hide = no problem.
 