iOS 11.4 has finally brought a feature Apple promised almost a year ago: the iMessage sync via iCloud. This feature made its appearance in iOS 11 beta but was stripped from the final release. It re-appeared and disappeared several times, and has finally made it into iOS 11.4. Let’s have a look at how iMessages are protected and how to download them from iCloud.
iMessages in iCloud
Even before iOS 11, Apple had Continuity, a convenient mechanism for accessing iMessages from multiple Apple devices registered with the same Apple ID. With Continuity, users can effectively send and receive iMessages on their Mac. Speaking of Mac computers, one could access iMessages by simply signing in to the same iCloud account in the Messages app. Without Continuity, one would only receive iMessages with no SMS; with Continuity, both iMessages and SMS messages would be delivered.
However, even with Continuity in place, iMessages were never stored in iCloud or synced with iCloud. Instead, the messages were only stored locally on enrolled devices. This led to a major problem, making it impossible for the user to keep iMessage conversations in sync between their iPhone, iPad and Mac devices. If the user deleted a message in the iPhone app, it would not be deleted on their Mac, and vice versa. Forensic experts knew about this and made active use of this feature. Multiple cases are known where law enforcement experts were analyzing the user’s Mac in order to gain access to iMessages that were already wiped from their iPhone.
iCloud sync for iMessage, introduced in iOS 11.4, takes care of this problem by changing the way iMessage sync is handled. Instead of relying on the flawed Continuity mechanism, iOS 11.4 now stores iMessages in iCloud. The messages are automatically synchronized across all devices enrolled on the user’s Apple ID. iCloud sync works similarly to existing synchronizations such as iCloud Keychain, iCloud Photo Library or iCloud contacts.
Apple protects iMessages with a strong protection mechanism much like the one used to protect the iCloud Keychain. iMessage synchronization only works for accounts with Two-Factor Authentication; messages are exchanged exclusively between devices enrolled in the trusted circle. The messages are encrypted with a key that is in turn encrypted with the devices’ lock screen passcode.
Apple officially states they don’t have access to that encryption key and cannot decrypt iMessages stored in iCloud, even for GDPR requests. According to Apple (https://support.apple.com/en-us/HT208502), “your messages are encrypted on your device and can’t be accessed by anyone without your device passcode”. This may not be entirely true.
The iCloud synchronization mechanism is separate from and works in addition to iCloud system backups. Unlike daily iCloud backups, synchronization happens near instantly. If the device has an Internet connection, information is updated with little or no delay. This enables near real-time remote access to iMessages sent and received by the user.
In order to access iMessages, one must enroll a new device into the trusted circle. Enrolling a new device or accessing iMessages from iCloud requires experts to provide a lock screen passcode (iOS devices) or system password (macOS computers). Let’s have a look at the process.
Obtaining Messages from Apple iCloud
In order to extract iMessages from iCloud, you will need Elcomsoft Phone Breaker 8.30 or newer: https://www.elcomsoft.com/eppb.html . The following is required to access messages:
- Elcomsoft Phone Breaker 8.30 or newer
- Apple ID and password
- Access to the second authentication factor (SIM card, or an unlocked iPhone or iPad registered on the same Apple account)
- Passcode (iPhone/iPad) or system password (Mac) of at least one device enrolled in iMessage sync
Steps to extract iMessages from iCloud:
- Launch Elcomsoft Phone Breaker and select Apple > Download from iCloud > Synced Data.
- Specify the user’s Apple ID and password.
- Provide the one-time code to pass Two-Factor Authentication.
- Select data to obtain from iCloud. Make sure the “Messages” box is selected.
- Elcomsoft Phone Breaker will sign in to the user’s Apple account. Select a trusted device to which you know the passcode or system password, and type in the passcode/password.
- Messages will download.
- After the messages are downloaded, click Finish.
- You can now use Elcomsoft Phone Viewer to analyze downloaded messages.
At this time, the iMessage sync is not entirely stable due to the way Apple implemented the syncing. The message synchronization mechanism is very similar to iCloud Keychain. While iMessage sync and iCloud Keychain are two separate services, disabling iCloud Keychain effectively prevents messages from syncing. In addition, while iCloud Keychain can work with or without Two-Factor Authentication, messages will only sync if 2FA is enabled.
Seth Moresby is a computer forensics professional for a law-enforcement department. He regularly uses software like Elcomsoft Phone Breaker to gain access to smartphone backups stored online or on suspects’ computers.