ElcomSoft researchers were able to decrypt iPhone’s encrypted file system images made under iOS 4 and will be releasing the product implementing this functionality for the exclusive use of law enforcement, forensic, and intelligence agencies.
iPhone devices store or cache enormous amounts of information about how, when, and where the device has been used. The amount of sensitive information collected and stored in Apple smartphones is beyond what had previously been imaginable. Pictures, e-mails, and text messages (including deleted ones) and calls placed and received are just a few things to mention. The device also keeps a comprehensive history of the user’s locations, complete with geographic coordinates and timestamps, and all Google maps and routes ever accessed. Web browsing history and browser cache, screenshots of applications being used, usernames, Web site passwords, the password to iPhone backups made with iTunes software, and just about everything typed on the iPhone are cached by the device.
Protected iPhone backups can be broken into with Elcomsoft Phone Password Breaker; once decrypted, information stored in these backups can be viewed by many commercial products. However, the amount of information that these backups contain is reasonably limited. Analyzing the actual iPhone device could provide forensic access to much more data.
By breaking the protection system of Apple iPhone 3GS and later devices running iOS 4, ElcomSoft opens the possibility of an extremely comprehensive forensic analysis of affected iOS devices. While this is a big achievement in cryptographic terms, iPhone backups produced with Apple iTunes software already contained a lot of sensitive information, including keychains. ElcomSoft makes forensic analysis easier, faster (the extraction of file system encryption keys is nearly instant, as opposed to the lengthy dictionary or brute-force attacks that are required to obtain a password to an iPhone backup) and more comprehensive.
The updated toolkit includes Elcomsoft Phone Password Breaker, which was fitted with a new function to decrypt iOS 4.x file system images, as well as optional tools to obtain file system images of iOS 4.x devices, extract the keys required for image decryption, and brute-force the passcode.