Elcomsoft Phone Breaker 7.0 is a major release adding the ability to extracts saved passwords, payment data and other sensitive information from Apple’s secure online storage, the iCloud Keychain. The new release can extract and decrypt iCloud Keychain records; Apple ID authentication credentials and access to a trusted device are required.
In its 7th major update, Elcomsoft Phone Breaker receives the ability to extract, decrypt and view passwords, financial information and authentication credentials stored in iCloud Keychain, Apple’s securely protected online storage.
iCloud Keychain is an Apple’s solution for securely storing and synchronizing passwords, keys, certificates, payment data and app-specific credentials. A user can unlock a keychain by authorizing an additional Apple device such as a new iPhone, iPad or Mac. Adding a new device into the chain of trust requires (besides an Apple device) to confirm a notification prompt on an already enrolled device and entering the PIN code or system password from an already enrolled device. Alternatively, if two-factor authentication is not enabled on the user's Apple ID account, access can be granted via iCloud Secure Code.
Elcomsoft Phone Breaker 7.0 is the first solution ever that can successfully authenticate with and obtain passwords from iCloud Keychain. Unlike a newly initialized Apple device, Elcomsoft Phone Breaker does not become part of the circle of trust, offering truly forensic extraction of iCloud Keychain.
The most interesting forensic artefacts that can be found in iCloud Keychain include Wi-Fi passwords and keys, social network credentials and saved passwords to instant messengers and various online accounts. These can help an examiner to discover evidence that would be otherwise inaccessible. In addition, saved passwords are perfect for building custom dictionaries for targeted brute-force attacks on user’s encrypted containers, archives and documents.
More information available in the following blog entries.