The same exploit that enables the jailbreaking of Apple devices can be used to extract some keychain data, including email usernames and passwords, from devices running iOS 12.0 through 13.3. The good news? It only applies to iDevices with A-series chips from A7 to A11, so if you’ve got a recent iPhone or iPad, you need not worry.
According to a report from 9to5Mac, the worrying weakness was identified by data forensics company Elcomsoft, which makes tools for law enforcement, businesses, and individuals to “unlock and decrypt protected data.” The tool in question costs a little shy of $1,500.
How does it work? — In a blog post on its website, Elcomsoft explains how the exploit works, and that it works even if a device has been restarted — assuming the device hasn’t been unlocked since — which leaves it in a state called BFU (Before First Unlock). In other words, the vulnerability is only exploitable in pretty niche circumstances.
“In Apple’s world, the content of the iPhone remains securely encrypted until the moment the user taps in their screen lock passcode,” Elcomsoft says. “The screen lock passcode is absolutely required to generate the encryption key, which in turn is absolutely required to decrypt the iPhone’s file system. In other words, almost everything inside the iPhone remains encrypted until the user unlocks it with their passcode after the phone starts up.”
It is the “almost” part of the “everything” that the company has managed to exploit. “We’ve discovered that certain bits and pieces are available in iOS devices even before the first unlock. In particular, some keychain items containing authentication credentials for email accounts and a number of authentication tokens are available before first unlock. This is by design; these bits and pieces are needed to allow the iPhone to start up correctly before the user punches in the passcode.”
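The “by design” part comes down to which Data Protection class a keychain item is stored under: Apple’s Keychain Services lets the app that writes an item choose whether it is decryptable only while the device is unlocked, after the first unlock following a reboot, or (for legacy, deprecated classes) without a passcode at all. The following Swift snippet is an added illustration, not code from Elcomsoft, Apple, or the article: it stores two sample credentials under explicit accessibility classes and reads back the class an item was actually saved with, so a developer or reviewer can audit whether an app’s secrets would survive encrypted in the BFU state described above. The service name, account names, and secret values are constructed for the example; the `kSec*` constants are Apple’s documented Keychain Services attributes.

```swift
import Foundation
import Security

enum KeychainError: Error {
    case unhandled(OSStatus)
}

/// Hypothetical service identifier used for the sample items (constructed for this example).
let sampleService = "com.example.mailclient"

/// Stores `secret` for `account` under the given Data Protection class.
/// Any existing item with the same service/account is removed first so the
/// call can be re-run safely.
func storeCredential(account: String, secret: Data,
                     accessibility: CFString) throws {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: sampleService,
        kSecAttrAccount as String: account,
    ]
    // errSecItemNotFound on the first run is expected and ignored.
    SecItemDelete(base as CFDictionary)

    var attrs = base
    attrs[kSecValueData as String] = secret
    attrs[kSecAttrAccessible as String] = accessibility

    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unhandled(status) }
}

/// Returns the accessibility class an existing item was stored with, so the
/// protection level that was actually persisted can be checked rather than assumed.
func accessibilityClass(account: String) throws -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: sampleService,
        kSecAttrAccount as String: account,
        kSecReturnAttributes as String: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else { throw KeychainError.unhandled(status) }
    let attrs = result as? [String: Any]
    return attrs?[kSecAttrAccessible as String] as? String
}

do {
    // An interactive login credential should only be decryptable while the
    // device is unlocked, so it stays encrypted in the Before First Unlock state.
    try storeCredential(account: "user@example.com",
                        secret: Data("sample-password".utf8),
                        accessibility: kSecAttrAccessibleWhenUnlockedThisDeviceOnly)

    // Only material that background tasks genuinely need after a reboot
    // (for example a refresh key for push-triggered mail fetch) should use
    // the AfterFirstUnlock class; nothing should use a class weaker than that.
    try storeCredential(account: "background-refresh",
                        secret: Data("sample-refresh-key".utf8),
                        accessibility: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly)

    // Audit step: confirm each item carries the class it was meant to have.
    for account in ["user@example.com", "background-refresh"] {
        let cls = try accessibilityClass(account: account) ?? "unknown"
        print("\(account): \(cls)")
    }
} catch KeychainError.unhandled(let status) {
    print("Keychain operation failed with OSStatus \(status)")
}
```

The `ThisDeviceOnly` variants additionally keep the item out of iCloud and unencrypted backups. The audit function is the part worth keeping in a real code base: a keychain item’s class is set at write time and silently inherited by later updates, so checking the stored attribute is the only reliable way to know what a given build actually leaves reachable before first unlock.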
Do you need to worry? — Unless you have an older device running an A11 chip or earlier, you lose it and fail to wipe it remotely, and the person who finds it is committed to trying to get your email usernames, you’re probably safe. But the news does provide some more fodder for those Android fans who love to trot out such stories whenever Apple users pontificate about their chosen platform’s impenetrability.