Technology

Company says it can extract email addresses and passwords from locked iPhones

Published

4 years ago

December 20, 2019

A Russia-based cybersecurity company said it found a new way into your locked iPhone.

Elcomsoft, which creates digital forensic software for governments and law enforcement agencies, on Friday that its iOS Forensic Toolkit can now extract some data from locked iPhones and iPads in Before First Unlock (BFU) mode.

The tool takes advantage of a vulnerability, known as the Checkm8 exploit, in certain iPhone and iPad models. The Elcomsoft iOS Forensic Toolkit sells for $1,495.

The BFU mode detail is important to note. BFU is the state an iPhone is in before a user unlocks the device for the first time after booting up or restarting the phone. It is the device’s most secure state.

If you ever restarted your phone and then received a phone call from your mom before unlocking it, you may notice that her telephone number appears in the call notification instead of her contact name. That’s a function of the iPhone being in BFU mode.

As Elcomsoft puts it:

In Apple’s world, the content of the iPhone remains securely encrypted until the moment the user taps in their screen lock passcode. The screen lock passcode is absolutely required to generate the encryption key, which in turn is absolutely required to decrypt the iPhone’s file system. In other words, almost everything inside the iPhone remains encrypted until the user unlocks it with their passcode after the phone starts up.

It is the “almost” part of the “everything” that we target in this update.

The company discovered that some data in the keychain, which is where Apple stores a users’ passwords and other protected information, is actually accessible before a user unlocks the phone.

This data includes email usernames and passwords, according to the company.

While the forensic tool works on iPhones and iPads running on even Apple’s most recent operating system, iOS 13.3, it doesn’t work on all models of the device. Devices that run on the A12 chip, like the iPhone XR, or the new U1 chip, like the iPhone 11, are immune to the vulnerability that phones that run on the earlier A-series chips — the iPhone 5S to the iPhone X— have.

Being that the forensic tool uses the Checkm8 exploit, it requires a jailbreak installation, known as Checkra1n, on the devices in BFU mode. However, this can be done while the iOS device is locked.

This news comes a little over a week after Apple’s iOS device encryption came under fire during a . The Cupertino-based tech giant has been a strong advocate for security protocols that make it nearly impossible to pull private data off a user’s locked iPhone.

Apple claims that even it can’t access these locked devices. Some in law enforcement, like Manhattan district attorney Cyrus Vance, have criticized Apple for these practices. These critics would now like Congress to step in and force companies like Apple’s hand.

The truth is that while it isn’t easy, there are a few security companies that have been able to bypass Apple’s encryption and crack into locked iOS devices. The Israel-based Cellebrite sells a $6,000 device which has been to break into locked smartphones. U.S.-based Grayshift a deal with Immigration and Customs Enforcement earlier this year for the use of the company’s iPhone hacking tool, GrayKey.

Elcomsoft’s latest tool just shows once again that even with Apple’s encryption, our smartphones aren’t as secure as we think.