Hackers Can Now Extract Some Passwords from Locked iPhones (But You Don’t Need to Worry)
The iPhone is famous — or infamous, depending on how you look at it — for its high level of security, but that doesn’t stop forensics experts and researchers from finding ways to extract data from iPhones, proving that no level of security is truly unbreakable.
The indefatigable team at Elcomsoft, a company that specializes in building forensic tools for law enforcement agencies, says it has found a way to extract email usernames and passwords from an iPhone even when it’s locked down in the most secure state that it can possibly be in.
In a post on the Elcomsoft blog, the company explains that it was able to take advantage of the checkm8 exploit found earlier this year, a hardware-level vulnerability in several generations of Apple’s A-series chips, to gain access to secure data that wouldn’t otherwise be available, even after an iPhone has just been powered on.
As the post explains, when an iPhone is powered up or rebooted, it begins in a mode known as BFU or Before First Unlock. As the name implies, this is the state the iPhone (or iPad, or iPod touch) is in before you’ve entered the correct screen lock passcode.
Before First Unlock
In this state, even Face ID and Touch ID aren’t available, and you may have noticed that your iPhone won’t even connect to a known Wi-Fi network until you’ve entered your screen lock passcode at least once to unlock it. This is because in BFU mode, almost everything on the iPhone remains securely encrypted — including your Wi-Fi network passwords — waiting for you to supply your passcode as the necessary component of the decryption key. This is also why Face ID and Touch ID don’t work: your iPhone needs the actual passcode in order to decrypt the keychain, which is why forensic investigators have such a challenge getting into Apple’s devices without knowing the passcode.
Unfortunately, as Elcomsoft points out, not everything in the keychain is encrypted, even in BFU mode. Its analysis found that certain keychain items containing authentication credentials for email accounts and some other authentication tokens are available before the iPhone is unlocked. Some of this is necessary, as this information is needed to allow the iPhone to start up correctly and connect to services like iCloud and iMessage before the user punches in their passcode, while other items were likely the result of poor software design on the part of third-party developers.
This wasn’t really an issue before the checkm8 exploit surfaced, however, since Apple’s hardware-level security prevented the keychain from being extracted — and even prevented anything from accessing the hardware Lightning port at all — prior to the screen lock passcode being entered. In short, you couldn’t get any data off of an iPhone that had just been powered on because you couldn’t connect to the iPhone in the first place.
Thanks to checkm8, though, Elcomsoft is now able to extract the keychain from an iPhone that’s in BFU mode. While the keychain data is mostly very securely encrypted gobbledygook, Elcomsoft found that a few items were unencrypted, including email account credentials such as addresses and usernames.
It’s not entirely clear why email account credentials would be required during iPhone startup, and while Elcomsoft doesn’t really provide any thoughts on that, it does suggest that they may have been leaked by insecure third-party apps, rather than by data stored in Apple’s own Mail app or system settings. Developers determine what security level to use when storing their own data in the keychain, and are therefore free to use the lowest possible setting (known as kSecAttrAccessibleAlways) if they want to, which results in those items being stored in the keychain “in the clear.”
Along the same lines, while most passwords were still encrypted, usernames — which commonly include email addresses — were generally not, and this alone can be useful in a forensic analysis.
What’s interesting is that Apple deprecated this keychain storage mode four years ago in iOS 9, but it still remains available for developers to use, and we’re almost certain that leaked security credentials in BFU mode are the fault of third-party apps by developers who are basically too lazy to use a higher security setting, possibly for fear that it might break their apps.
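To make the choice described above concrete, here is an added Swift example (not code from the article or from Elcomsoft) showing the same credential stored under the deprecated kSecAttrAccessibleAlways class beside the hardened form, plus a small audit routine an app developer can run to find any of their own items that would be readable in BFU state. The service and account names are constructed for illustration.

```swift
import Foundation
import Security

// Added example (not code from the article or from Elcomsoft). Service and
// account names are constructed for illustration.
enum KeychainError: Error {
    case unhandled(OSStatus)
}

/// Store a generic-password item under an explicit accessibility class.
/// kSecAttrAccessible decides which protection class wraps the item's key,
/// and therefore whether the item is readable Before First Unlock.
func storeCredential(service: String, account: String, password: String,
                     accessibility: CFString) throws {
    // Remove any existing item with the same service/account so the add succeeds.
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(lookup as CFDictionary)

    var item = lookup
    item[kSecValueData as String] = Data(password.utf8)
    item[kSecAttrAccessible as String] = accessibility
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unhandled(status) }
}

/// Audit: list the accounts of every generic-password item in this app's
/// keychain whose accessibility class is the deprecated "always" one.
func itemsReadableBeforeFirstUnlock() throws -> [String] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitAll,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return [] }
    guard status == errSecSuccess, let items = result as? [[String: Any]] else {
        throw KeychainError.unhandled(status)
    }
    let weakClasses = [kSecAttrAccessibleAlways as String,
                       kSecAttrAccessibleAlwaysThisDeviceOnly as String]
    return items.compactMap { attrs in
        guard let accessible = attrs[kSecAttrAccessible as String] as? String,
              weakClasses.contains(accessible) else { return nil }
        return attrs[kSecAttrAccount as String] as? String
    }
}

// Weak: the deprecated class the article describes. The item's key is
// available while the device is still in BFU state.
try storeCredential(service: "mail.example.com", account: "legacy@example.com",
                    password: "hunter2", accessibility: kSecAttrAccessibleAlways)

// Hardened: only decryptable once the user has unlocked the device, and the
// ThisDeviceOnly variant keeps the item out of backups restored elsewhere.
try storeCredential(service: "mail.example.com", account: "user@example.com",
                    password: "correct horse battery staple",
                    accessibility: kSecAttrAccessibleWhenUnlockedThisDeviceOnly)

// For a background mail fetch, kSecAttrAccessibleAfterFirstUnlock is the usual
// compromise: still encrypted in BFU, available after the first unlock.

// Report which of our items would survive the extraction described above.
for account in try itemsReadableBeforeFirstUnlock() {
    print("readable before first unlock:", account)
}
```

Run as a playground or in an iOS app target; only the legacy account stored under kSecAttrAccessibleAlways should be reported. The audit looks only at the app's own keychain items, which is the scope a developer can actually fix.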
Why You Probably Don’t Need to Worry
Firstly, Elcomsoft’s entire business is based on selling tools to law enforcement agencies — Elcomsoft’s iOS Forensic Toolkit sells for $1,495 — so these are not tools that are readily available to the average hacker.
Of course, if Elcomsoft has figured this out, then it’s not a huge stretch that other less reputable hackers could do the same, since it’s the checkm8 exploit that’s made this possible, and that’s basically available in the wild now.
As noted above, most of the data leakage is almost certainly coming from poorly-written third-party apps that are storing passwords in the keychain without the proper security. There’s really no good reason why most apps would need to keep passwords accessible before an iPhone has been unlocked after booting — most apps can’t run until the user unlocks the iPhone anyway — which is why Apple has deprecated this mode. So if you’re reasonably careful about which apps you’re using, and particularly ensure that they’ve all been recently updated, your risk of passwords being exposed is much lower. No modern app from a reputable developer should be storing unencrypted data in the keychain.
The data that iOS itself stores unencrypted in the keychain is limited to things like Bluetooth keys, your SIM PIN, and certificates and tokens for VPN configurations, Apple Push Notifications, iCloud, iMessage, and mobile-device-management (MDM) systems used by businesses and schools. For obvious reasons, the token used to connect to Apple’s Find My service is also included. Note that these are not passwords, but rather device-specific credentials that are used specifically to connect to these services. All actual passwords stored by Apple’s own apps and services — including VPN and Mail passwords — are encrypted until the iPhone has been unlocked at least once.
It’s also worth noting that this particular technique has the usual set of limitations, which first and foremost is that somebody would need to have uninterrupted physical access to your iPhone for an extended period of time in order to pull it off, along with having the necessary tools available (basically a laptop with the appropriate software installed).
So this isn’t something that can be quickly done to your iPhone while you’re not looking, but it’s certainly something that could be done after your iPhone has been stolen. That makes a good case for using Find My to erase your iPhone without delay as soon as you notice it missing: you’ll lose the ability to track the iPhone afterwards, but in some cases the data your iPhone contains may be worth more than the iPhone itself, although statistically most iPhone thieves are more concerned with the value of the hardware than with trying to hack into the data stored on it.
It’s also worth noting that only a limited number of iPhone models are vulnerable to the checkm8 exploit, and therefore to this particular forensic extraction. Specifically, only iPhones using an A5 through A11 CPU are affected: the 2011 iPhone 4S through the 2017 iPhone 8, iPhone 8 Plus, and iPhone X, along with the equivalent iPad and iPod touch devices. This does include the 2019 seventh-generation iPod touch and 10.2-inch iPad, however, since both of these still use the A10.
If you have a recent iPhone — an iPhone XS model, iPhone XR, iPhone 11, or iPhone 11 Pro model — you’re safe from this particular attack, and there are no vulnerabilities that are even close to the seriousness of checkm8 that have been found for Apple’s A12- and A13-equipped devices.
Ultimately, this is a vulnerability that will likely be of interest mostly to law enforcement, but it does provide yet another example of how third-party companies can help government and law enforcement agencies access the data on locked iPhones even when Apple refuses to compromise its security.