Elcomsoft’s Phone Breaker 7.0 extracts and decrypts Apple’s iCloud Keychain

ElcomSoft’s latest release of Elcomsoft Phone Breaker gains the ability to extract, decrypt and access passwords stored in Apple’s cloud password storage, the iCloud Keychain. Elcomsoft Phone Breaker 7.0 is the first forensic solution that can gain access to passwords, credit card data and other sensitive information from iCloud Keychain.

“iCloud Keychain was long considered to be unbreakable,” says Vladimir Katalov, ElcomSoft CEO, in a statement. “Gaining access to passwords from iCloud Keychain was a major challenge. iCloud Keychain is a complex and extremely secure online password storage and synchronization system. Building a tool that can enroll into iCloud Keychain was a major achievement.”

By extracting user’s saved passwords from iCloud Keychain, experts examine the user’s online accounts, access social networks, extract chats and conversations. In addition, saved passwords make for a highly targeted custom dictionary for running accelerated brute-force attacks on user’s encrypted containers, archives and documents.

Information is obtained directly from the user’s iCloud account. In order to access iCloud Keychain, the original Apple ID login and password are required. Access to a trusted device is mandatory if two-factor authentication is enabled on the user’s account, along with device passcode (iOS) or system password (macOS) of a device already enrolled to iCloud Keychain. Without two-factor authentication, the expert will need to confirm a notification prompt on one of the trusted devices and supply the user’s iCloud Security Code.

Elcomsoft Phone Breaker is an all-in-one mobile acquisition tool to extract information from a wide range of sources. Supporting offline and cloud backups created by Apple, BlackBerry and Windows mobile devices, the tool can extract and decrypt user data including cached passwords and synced authentication credentials to a wide range of resources from local backups. Cloud extraction with or without a password makes it possible to decrypt FileVault 2 containers without lengthy attacks and pull communication histories and retrieve photos that’ve been deleted by the user a long time ago.

Source: ElcomSoft Co.Ltd.

“In an email to The Register, CEO Vladimir Katalov said this capability is not the consequence of any vulnerability. Rather, it’s intended for forensic investigators and law enforcement, given that an Apple ID and a trusted device are necessary,” Thomas Claburn reports for The Register.

“Katalov said this is not a exploitation of a vulnerability and there’s nothing Apple can patch. Rather, ElcomSoft is exposing functions that Apple has not made available – Apple does not provide any means of accessing iCloud Keychain,” Claburn reports. “Katalov said the technique works with beta releases of iOS 11 and macOS High Sierra, which Apple is expected to introduce in a month or two.”

Read more in the full article here.

MacDailyNews Take: Yet another reason to enable two-factor authentication if you haven’t already done so.

Apple keeps constant log of phone calls in iCloud, security firm says – November 17, 2016


  1. The headline makes this appear to be some kind of security vulnerability. Don’t be surprised if the media reports it along those lines. But the text of the article is clear – this is simply a tool that can examine the contents of an iCloud keychain once you have access to it.

    Essentially, if you can steal the vault out of the bank, they can crack it open to see what is inside. Mountain, meet molehill.

  2. “In order to access iCloud Keychain, the original Apple ID login and password are required. Access to a trusted device is mandatory if two-factor authentication is enabled on the user’s account, along with device passcode (iOS) or system password (macOS) of a device already enrolled to iCloud Keychain.”

    Ah, so how stupid is this? If you give the robber the keys to your front door….. WTF. I guess this is a program for lazy hackers?!

    1. Not really you have to be able LOG ONTO THE TRUSTED DEVICE

      Just Press and hold the power button, in your pocket, and he won’t even be able to use your finger to log on

      Also it takes time to do all that shit and once he’s gone you can call apple asap and deactivate the trusted status of the phone

  3. Did anyone notice where the company is based? It’s in Moscow.
    Reading through their feature list, it makes me very, very nervous (although some of their hacks are Windows only, it appears):

    Gain access to information stored in password-protected iPhone, iPad, iPod Touch and Blackberry backups

    Decrypt iPhone and BlackBerry backups with known passwords

    Recover master password to 1Password containers extracted from Dropbox, local and cloud iOS backups

    Extract FileVault 2 recovery keys and use them to decrypt FileVault 2 containers without lengthy attacks

    Read and decrypt keychain data (email account passwords, Wi-Fi passwords, and passwords you enter into websites and some other applications)

    iOS: view saved passwords and authentication tokens including Apple ID password or token

    iOS: access passwords/tokens to email accounts, instant messengers and social networks

    iCloud Keychain: access, decrypt and explore iCloud Keychain records

    Perform advanced dictionary attacks with highly customizable permutations

    Perform offline attacks without Apple iTunes or BlackBerry Desktop Software installed

    Recover passwords to backups for original and ‘jailbroken’ iPhone (all models up to iPhone 7 and 7 Plus), iPad (all generations incl. iPad Pro), and iPod Touch (all generations) devices

    Download Apple iCloud backups (including iOS 10) with Apple ID and password, or authentication tokens (no hidden fees: unlimited extractions with no subscriptions or additional fees)

    Remotely extract synced data such as call logs, contacts, notes and attachments, calendars as well as Web browsing activities including Web browsing history and open tabs from iOS and Windows devices

    Locate and extract iCloud authentication tokens

    Download iCloud Photo Library including photos during the past 30 days

    Download extra data from Apple iCloud accounts (files from iCloud Drive, incl. ones not accessible by operating system)
    Decrypt BlackBerry 10 backups with known BlackBerry ID and password

    Compatible with all versions of iTunes, iOS (up to the latest iOS 10), BlackBerry Link and BlackBerry Desktop Software*

    Note: password recovery features are available in Windows version only.

  4. This is such a non-story– “I can magically extract the encrypted iCloud Keychain data, and all I need from you is the Apple ID/iCloud ID, its password, access to a trusted device for 2 factor Auth, and the iOS device unlock code or the Mac’s login and password, and I will MAGICALLY extract this data.” I think they may just have put some kindergarteners out of business…

    1. Great, I’m not the only one.

      So if I have your device and all of your passwords/passcodes, the software can decrypt your passwords and anything encrypted that uses your passwords that you had to provide in the first place?

      This is like selling software the tells you the meaning of life, but the first thing it prompts for is for you to enter the meaning first.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.