Elcomsoft is a forensic company that sells tools for cracking various electronic devices to law enforcement agencies and more – even iPhones are not spared.
Elcomsoft has announced news regarding iPhone cracking. According to the company, it is now able to crack iPhone models to a limited extent: for example, it is now possible to extract email usernames and passwords. The device must be running any iOS version between iOS 12 and iOS 13.3. But how exactly does it all work? According to Elcomsoft, the $1,495 tool takes advantage of the checkm8 vulnerability - the exploit that enables the checkra1n jailbreak and is considered unpatchable because it is based on a flaw in the A-series chips themselves. But that's not all. Elcomsoft even claims that iPhones in "BFU" mode are vulnerable, and "BFU" mode is considered the safest state an iPhone can be in. The company's own blog states:
BFU stands for “Before First Unlock.” BFU devices are phones that have been turned off or rebooted and have never been subsequently unlocked, not even by entering the correct screen lock password. In Apple's world, the contents of the iPhone remain securely encrypted until the user types in the screen lock password. The screen lock password is required by the Secure Enclave to generate the encryption key, which in turn is used to decrypt the iPhone's file system. In other words, almost everything inside the iPhone remains encrypted until the user unlocks it with their passcode after booting up the phone. It's the “almost” part of the “everything” that Elcomsoft iOS Forensic Toolkit targets. The company has discovered certain pieces of data that are available in iOS devices even before the first unlock.
Unfortunately, it goes further. According to Elcomsoft, certain keychain data is also accessible before the first unlock.
Some keychain items, which contain authentication data for email accounts and a set of authentication tokens, are available before the first unlock so that the iPhone can start correctly before the user enters the password.
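What decides whether a keychain item falls into that "available before the first unlock" category is the data-protection class the item was created with. The following Swift snippet is an added example from an app developer's point of view; it is not code from Elcomsoft, from the article, or from Apple. It stores a credential with an explicit accessibility class and lets an audit read the class back, so that credentials which would be decryptable in BFU state can be flagged. The service name, account name and password are constructed sample values.

```swift
import Foundation
import Security

// Added example, not Elcomsoft's or Apple's code. Apple-documented behaviour of
// the kSecAttrAccessible classes used below:
//   kSecAttrAccessibleAlways / ...AlwaysThisDeviceOnly (deprecated):
//       key material exists at all times, so the item is readable even in
//       BFU state ("before first unlock")
//   kSecAttrAccessibleAfterFirstUnlock / ...ThisDeviceOnly:
//       readable once the passcode has been entered once since boot (AFU)
//   kSecAttrAccessibleWhenUnlocked / ...ThisDeviceOnly:
//       readable only while the device is actually unlocked

enum KeychainError: Error {
    case status(OSStatus)
}

/// Stores `secret` under `service`/`account`. The accessibility class is passed
/// explicitly; the default is the most restrictive one for a device-bound
/// credential such as a mail password.
func storeCredential(service: String,
                     account: String,
                     secret: Data,
                     accessibility: CFString = kSecAttrAccessibleWhenUnlockedThisDeviceOnly) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Delete any older copy first so the new item cannot keep a weaker class
    // that an earlier version of the app may have assigned.
    SecItemDelete(query as CFDictionary)

    var attributes = query
    attributes[kSecValueData as String] = secret
    attributes[kSecAttrAccessible as String] = accessibility

    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw KeychainError.status(status)
    }
}

/// Reads back the accessibility class recorded on an existing item.
func accessibilityClass(service: String, account: String) throws -> String {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess,
          let attrs = result as? [String: Any],
          let accessible = attrs[kSecAttrAccessible as String] as? String else {
        throw KeychainError.status(status)
    }
    return accessible
}

/// True for the classes whose items are decryptable before the first unlock.
func readableBeforeFirstUnlock(_ accessibility: String) -> Bool {
    return accessibility == (kSecAttrAccessibleAlways as String)
        || accessibility == (kSecAttrAccessibleAlwaysThisDeviceOnly as String)
}

// Hypothetical usage with constructed sample values (not real credentials).
do {
    let sample = Data("example-password".utf8)
    try storeCredential(service: "imap.example.com",
                        account: "user@example.com",
                        secret: sample)
    let cls = try accessibilityClass(service: "imap.example.com",
                                     account: "user@example.com")
    if readableBeforeFirstUnlock(cls) {
        print("WARNING: credential is readable in BFU state (class \(cls))")
    } else {
        print("credential protected until unlock (class \(cls))")
    }
} catch {
    print("keychain error: \(error)")
}
```

The audit helper is the part worth reusing: running it over every item an app owns shows which credentials were stored with one of the deprecated "Always" classes, which are exactly the ones that do not depend on the passcode-derived key and therefore survive a reboot in readable form.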
However, to carry out the process at all, a jailbreak on the affected device is necessary. So we are safe, right? No: the locked screen is not an obstacle, because this is where checkra1n comes into play.
Not all devices are affected
Accessing the keychain in BFU mode requires installing the checkra1n jailbreak, which targets vulnerabilities in the Apple bootrom. The jailbreak is installed via DFU mode and is available for all compatible devices regardless of their lock status or BFU/AFU status.
But there is also good news. As we reported a few months ago, not all devices are affected by the checkra1n jailbreak. The checkra1n jailbreak can only be carried out on iPhone or iPad models with an A7 through A11 chip. This means that all devices between 2011 and 2017 - including the iPhone X - are vulnerable. Since the vulnerability is present in the chips themselves, it is considered unpatchable.