
Elcomsoft tool can seize partial keychain from locked iPhones on iOS 13.3


Forensic software developer Elcomsoft has updated its toolset for iOS to enable the extraction of Keychain elements from iPhones running iOS 12 to iOS 13.3, with the ability to acquire partial Keychain data from disabled and locked iPhones that have yet to be unlocked after being turned on.

The update to Elcomsoft's iOS Forensic Toolkit brings the software up to version 5.21, and chiefly enables the partial extraction of data from the iOS Keychain, which is used to store credentials for apps and online services. The firm claims the extraction works on devices running iOS 12 through iOS 13.3.

The list of affected devices includes iPhones from the iPhone 5s to the iPhone X, and all iPad models from the iPad mini 2 to the 2018 iPad, the iPad 10.2, first-generation iPad Pro 12.9, and the iPad Pro 10.5. Specifically, it functions for models that use Apple's self-designed SoC, from the A7 through to the A11.

The main point of the update is to acquire data from a device that has not been successfully unlocked since being powered on, in a so-called "Before First Unlock" (BFU) state. After being turned on, an iPhone is kept fully encrypted until a screen lock passcode is entered, something that is required by the Secure Enclave before the file system is decrypted.

According to Elcomsoft, "almost everything" remains encrypted until the user enters the passcode after booting, and it is the remainder that the firm's toolkit targets. The company found that some Keychain items, including authentication credentials for email accounts and certain authentication tokens, are accessible while the device is in the BFU state, because iOS needs them to start up correctly before the passcode is entered.
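Whether a Keychain item is readable before first unlock comes down to the protection class the app chose when it stored the item. As an added example, not code from the article or from Elcomsoft, this Swift snippet stores a credential under a weak and a hardened class and audits existing items for classes that do not require the device to be unlocked; the service name and account values are placeholders.

```swift
import Foundation
import Security

let service = "com.example.mailclient"   // placeholder, assumed for this example

// Store a generic-password item. kSecAttrAccessible selects the protection
// class, which decides whether the item is readable before first unlock.
func storeCredential(account: String, secret: Data, accessible: CFString) -> OSStatus {
    let item: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        kSecAttrAccessible as String: accessible,
    ]
    SecItemDelete(item as CFDictionary)   // replace any earlier copy
    return SecItemAdd(item as CFDictionary, nil)
}

// The Always classes (deprecated since iOS 12) are readable in the BFU state;
// the AfterFirstUnlock classes become readable once the passcode has been entered after boot.
let bfuClasses: Set<String> = [kSecAttrAccessibleAlways as String, kSecAttrAccessibleAlwaysThisDeviceOnly as String]
let afuClasses: Set<String> = [kSecAttrAccessibleAfterFirstUnlock as String, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly as String]
func lockRequirement(_ accessible: String) -> String {
    if bfuClasses.contains(accessible) { return "readable before first unlock (BFU)" }
    if afuClasses.contains(accessible) { return "readable after first unlock until reboot" }
    return "requires device unlocked"
}

// Audit every item stored under this service and report its lock requirement.
func auditProtectionClasses() -> [(account: String, requirement: String)] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitAll,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let items = result as? [[String: Any]] else { return [] }
    return items.map { attrs in
        (attrs[kSecAttrAccount as String] as? String ?? "?",
         lockRequirement(attrs[kSecAttrAccessible as String] as? String ?? ""))
    }
}

// Weak vs hardened: the first stays readable in BFU, the second needs the passcode.
let secret = Data("app-specific-password".utf8)   // constructed sample value
_ = storeCredential(account: "weak@example.com", secret: secret, accessible: kSecAttrAccessibleAlways)
_ = storeCredential(account: "hardened@example.com", secret: secret, accessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly)
for (account, requirement) in auditProtectionClasses() { print(account, "->", requirement) }
```

Run it inside an iOS app target with Keychain access; the audit is the part worth keeping in a release checklist.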

To accomplish this, the toolkit requires the installation of a jailbreak known as "checkra1n," which uses vulnerabilities in the Apple bootrom. The jailbreak itself is installed via a device firmware upgrade (DFU) mode and can be used regardless of the BFU status of the device and its lock state.

Elcomsoft's iOS Forensic Toolkit interface

Elcomsoft's iOS Forensic Toolkit is intended for use by law enforcement, in a similar manner to services provided by Cellebrite and others, though it is also available to businesses and even individuals. The company sells the pack starting from $1,495 in both Windows and macOS variants.

The existence of a tool to access data in this manner may be concerning to some, but at the same time it is relatively limited in terms of how it can affect normal users. For example, the toolkit requires physical access to the target device, so it cannot be used remotely or as part of a widespread attack by a bad actor, while the cost of the software is a disincentive for individuals wanting to use it for malicious purposes.

Elcomsoft's tools have been used for illegal acts in the past, including most famously the "Celebgate" hack, where it was used to acquire iCloud accounts that were then searched for compromising photographs.

Aside from accessing data from a locked state, the toolkit also provides other services, including access to protected information such as SMS and email, call history, contacts, web browsing history, voicemail, account credentials, geolocation history, instant message conversations, application-specific data, and the original plain-text Apple ID password.



22 Comments

bulk001 16 Years · 795 comments

So Apple can just buy a version of the tool and write code to fix it? $1,500 is a trivial price to pay. 

dewme 10 Years · 5775 comments

I’m curious why Apple would keep some unencrypted data around when the phone is in the BFU state. Does this have anything to do with apps that provide UI in the lock screen state? If so, would disabling all lock screen UI apps (other than log-in UI) close this gap? 

robjn 8 Years · 283 comments

“To accomplish this, the toolkit requires the installation of a jailbreak known as "checkra1n," which uses vulnerabilities in the Apple bootrom.”

I was under the impression that the checkm8 boot rom exploit required the user passcode. The exploit and jailbreak cannot be used to break into a locked phone!

Does the new vulnerability described in this article affect all phones or just those that have been jailbroken?

lostkiwi 18 Years · 640 comments

Interesting that the iPhone 11 isn’t affected. 

hexclock 10 Years · 1316 comments

robjn said:
“To accomplish this, the toolkit requires the installation of a jailbreak known as "checkra1n," which uses vulnerabilities in the Apple bootrom.”

I was under the impression that the checkm8 boot rom exploit required the user passcode. The exploit and jailbreak cannot be used to break into a locked phone!

Does the new vulnerability described in this article affect all phones or just those that have been jailbroken?

If it requires a jailbroken phone, then the headline is somewhat misleading.

The article is a little unclear, but implies that the device does the jailbreak and then runs the extraction routine.