This article is more than 1 year old

Apple slaps a passcode lock on iOS 8 devices, but cops can still inhale your iCloud

Don't congratulate yourselves too soon, Apple – securobod

Improved security features in iOS 8 prevent Apple from unlocking phones – even when requested to by law enforcement. But search warrant-holding cops can still get almost everything through iCloud backups, according to ElcomSoft.

The consumer device manufacturer's attempts at upgrading iOS encryption to "defeat lawful search warrants" earned criticism from former DoJ prosecutor turned law professor Orin Kerr and praise from the ACLU, which credited Apple for laying down a marker on the road to improved privacy.

However, Vladimir Katalov, chief exec of computer forensics software firm ElcomSoft, told El Reg that although Apple will not help with physical device forensics anymore (for passcode-protected iOS 8 devices, at least) it will still be able to "provide everything stored in its data centres (including device backups, which contain almost the same amount of information as devices themselves)."

To understand the changes, it's helpful to review Apple’s "law enforcement process" document, which explains the type of data Apple was able to turn over in response to a valid search warrant.

Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple's native apps and for which the data is not encrypted using the passcode ("user generated active files"), can be extracted and provided to law enforcement on external media.

Apple can perform this data extraction process on iOS devices running iOS 4 or more recent versions of iOS. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data.

Katalov explained: "Apple had the *technical* ability to extract most data from all devices, even passcode-locked ones. In iOS 7 and older, passcode protects only the device keychain, that stores passwords and tokens to different accounts (mail, social networks, VPN etc), Wi-Fi access points, passwords saved in Safari etc."

With iOS 8, everything has changed, according to Katalov, who points us towards Apple's low-down on iOS 8.

On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.

Katalov said that the iOS 8 security enhancements will render one of the computer forensics products the Russian firm sells to law enforcement ineffective.

"That will affect only one of our products – ElcomSoft iOS Forensic Toolkit, designed for physical device acquisition (and anyway, for iPhone 4S+, it supported jailbroken devices only without jailbreak, physical acquisition was available only to Apple itself)," Katalov told El Reg

However, a browse through Apple's document on government information requests reveals links to Apple's guidelines for law enforcement requests that paint a different picture (see links to guidelines for the US, EMEA and APAC – warning: all PDFs).

The "Information Available From Apple" section reveals all sorts of information is potentially accessible from the manufacturer through this route, for example:

  • device registration information,
  • customer service records,
  • iTunes information,
  • Apple retail store transactions,
  • Apple online store purchases,
  • iCloud: subscriber information, mail logs, email content, photo stream, documents, contacts, calendar, bookmarks and iOS device backups and
  • location information

The iCloud Terms and Conditions state "Apple may, without liability to you, access, use, preserve and/or disclose your Account information and Content to law enforcement authorities, government officials, and/or a third party, as Apple believes is reasonably necessary or appropriate".

The T&Cs leave plenty of wiggle room for Apple to hand over data for reasons ranging from "comply[ing] with legal process or request" to "detect, prevent or otherwise address security, fraud or technical issues", among other reasons.

"Apple will not help with physical device forensics anymore (as far as they technically will not be able to do that for iOS 8, if device is passcode-protected), but still provide everything stored in their data centers (including device backups, which contain almost the same amount of information as devices themselves)," Katalov concluded. "Some of that work could be done with our ElcomSoft Phone Password Breaker product (but if one has proper credentials: ID and password, of course)."

Security guru Bruce Schneier recently blogged: "Apple claims that they can no longer unlock iPhones, even if the police show up with a warrant... "Of course they still have access to everything in iCloud, but it's a start." ®

More about


Send us news

Other stories you might like