Elcomsoft releases iPhone 4 password cracker

Apple changed the iPhone 4 software in a way that makes it easier to recover the plain-text password used to encrypt data

Russian password-cracking company Elcomsoft has released new software that can in some instances figure out the password used to encrypt backed-up iPhone data.

Elcomsoft said Apple somewhat changed the way their encryption system works for its latest iPhone 4 software. When an iPhone is plugged into its home computer, its data -- such as e-mail passwords, calendar events, text messages -- are automatically backed up in a so-called "keychain."

That information was previously encrypted using a device-specific encryption key, but with "iOS 4 this is not necessarily the case" if someone choose a master password to access the data, according to Elcomsoft.

If a person chooses to encrypt the data, the backup is encrypted with a master password selected by a user. But if the person can't remember their password, the data can't be restored to an iPhone. A user would have to do a full software restore and set up a new backup, with all of the other data lost.

But Elcomsoft says it can figure a password out with its latest iPhone Password Breaker application. The company says that Apple's encryption of the backup is excellent, as the passwords can only be figured out using brute-force attacks, where a computer tries millions upon millions of possible combinations, or dictionary attacks, which use lists of commonly used words.

Elcomsoft said its software doesn't have a 100 percent success rate, but if a person selects a short and simple password, it could be recovered in seconds. Other factors in how long its software takes to recover a password depends on a person's computer and the power of its CPU and graphics card.

Once the password is recovered, Elcomsoft said its software allows a person to examine their keychain and export that data into XML (Extensible Markup Language) or plain text document.

The iPhone Password Breaker is legal for people to use on their own backups or if they have the permission from someone to examine their iPhone. The software costs £79 (US$126) for the home edition and £199 for the professional edition.

Send news tips and comments to jeremy_kirk@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags iOS 4telecommunicationsecuritypasswordsAccess control and authenticationElcomsoftsoftwareMobile operating systemsencryptionmobileApple

More about Apple

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place