If you want to stay off of the radar, make sure you don’t enable Apple’s iCloud services, because new software from ElcomSoft allows police investigators to access your iPhone or iPad data without ever touching your device.
ElcomSoft’s Phone Password Breaker cracking tool is now able to automatically download your iOS device backups from iCloud. All investigators need is a valid Apple ID and a password to access backups in real time, while the device is still in the hands of a suspect.
According to the company, approximately 125 million Apple users store data in iCloud, including emails, call logs, text messages, and website visits. That data is automatically updated every time an iPhone or iPad user charges their phone while connected to Wi-Fi.
Previously, the Phone Password Breaker software required investigators to be in physical possession of a device or a PC the device had been synced with in order to download data, but it now works with iCloud because the company was able to crack the communication protocols used by Apple.
Here’s what the company had to say about the new software:
“ElcomSoft researchers analyzed the communication protocol connecting iPhone users with Apple iCloud and were able to emulate the correct commands in order to retrieve the content of iOS users’ iCloud storage. It’s important to not that, unlike offline backups that may come encrypted and must be broken into–a time consuming operation–data retrieved from iCloud is received in plain, unencrypted form. The 5GB of storage space can be retrieved in reasonable time, while receiving incremental updates is even faster.”
Of course, in order to access the data, investigators must have your Apple ID and your password. Without a valid password or ID, the service does not work.
iCloud has, in the past, been exploited by hacker groups, most notably when LulzSec and Anonymous were able to access an iCloud account to intercept an FBI conference call, likely using the same basic software that ElcomSoft has designed.
While I doubt my iPad and iPhone will ever be the targets of a criminal investigation, I do find it concerning that it’s both simple and quick to access unencrypted iCloud data that contains quite a bit of sensitive information. Scary.