iCloud backups inside out

February 25th, 2013 by Vladimir Katalov

It’s been a while since we released the new version of Elcomsoft Phone Password Breaker that allows downloading backups from iCloud (read the press release). Many customers all over the world are already using this new feature intensively, but we still get many questions about its benefits, examples of cases when it can be used and how to use it properly. We also noticed many ironic comments in different forums (mostly from users who have no experience with iOS devices and so have no idea what iCloud backups actually are, I guess), saying that there is nothing really new or interesting there, because anyone with the Apple ID and password can access the data stored in an iCloud backup anyway.

Well, it seems some further explanation is needed. If you are already using EPPB (and this feature in particular), you will find some useful tips for future interaction with iCloud. And even if you don’t have an iOS device (you loser! just kidding :)), please go ahead and learn how iCloud can be helpful and dangerous at the same time.

Let’s start from the very beginning. Once you get an iPhone (iPad or even iPod) you definitely should create backups on a regular basis, just in case it gets stolen, lost, or broken. I should confess that I personally have the 8th iPhone. No, not the Chinese-made 8th gen one with 3 SIM cards, removable battery and TV :). I simply had 7 of them before. And of those seven, I lost as many as three. One was left in a taxi in Vienna on my way to the airport, just half an hour before boarding for Brussels, where I was going to attend another security conference. The other one was lost in a cold Russian forest (please don’t ask me what I was doing there at 4 AM at 30 degrees below zero :)). And the last one was dropped in the North Sea when I was yachting around Norway. And you know what? The very same day I got everything back. Well, not my iPhone itself, but all the contacts, SMS messages, pictures and whatever else was stored in my iPhone. Even though I did not have a computer with me.

There is no magic here at all. I simply purchased a new iPhone and restored it from the backup saved in iCloud. As already noted, I did not have a computer handy, and never cared to connect my phone to anything but the charger and Wi-Fi (or sometimes 3G only). Backups were created automatically, over the air, thanks to iCloud. Local backups are good (at least they’re faster), but in many situations an iCloud backup is a life-saver. There are some security risks there (we will get back to this later), but still it is extremely convenient. Please believe the owner of the 8th iPhone :)

There is a lot of valuable information about iCloud backups on the Apple website; I would recommend that you start with the following articles:

However, all you can do with an iCloud backup is restore your device from it. The same (well, similar) device; you can restore from iPhone to iPad (or from iPad to iPod and vice versa), but some information will not be available then. And this process only goes over the air, which means Wi-Fi. You should either get a new iPhone, or completely reset an available one. During the setup, you will be asked to enter your Apple ID and password to get the backup loaded into it. So, if you have both local (offline) and iCloud backups, you can choose between them to restore the most recent or complete one.

But what if you have the Apple ID and password, but don’t have an appropriate i-device at hand or a Wi-Fi connection? Well, almost nothing (it’s so typical of Apple. I really love them, but sometimes they think they know better what I really need, like my mom). You know that your information is stored in a safe place (well, the term “safe” is questionable, but that’s another story: yes, Apple does have access to your backups, because although they are encrypted – read the iCloud: iCloud security and privacy overview – the encryption key is stored along with the backup; the only exception is keychain encryption, see below). But you cannot reach it. You can only go to www.icloud.com and get your contacts, notes and documents, that’s all – you can get neither SMS conversations nor call logs, for example.

And what can you do using EPPB? Simply download the whole backup. It is stored (and encrypted) differently from the local one, but we do convert it to the same format as iTunes uses (well, in fact it creates hundreds of files with long unreadable names and encrypted contents, but keep on reading). Another option available in EPPB is to rename the files to their real names — so you will easily get your pictures, as well as SQLite databases with SMS and iMessages and whatever else you have.
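As an added illustration (not EPPB's code and not part of the original post): in flat iTunes-format backups of this period, each file is named with the SHA-1 hex digest of `domain-relativePath`, which is where the "long unreadable names" come from. The sketch below maps a few logical files to those names and checks whether each one is a plain SQLite database; the domain/path pairs are assumed common locations and the sample backup directory is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite file

# Assumed (commonly documented) locations; adjust for the iOS version at hand.
KNOWN_FILES = {
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "call_history": ("HomeDomain", "Library/CallHistory/call_history.db"),
    "address_book": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
}


def backup_file_id(domain: str, relative_path: str) -> str:
    """Name a file gets inside a flat iTunes-format backup directory."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def classify(path: Path) -> str:
    """Return 'missing', 'sqlite', or 'not-sqlite' (encrypted or other format)."""
    if not path.is_file():
        return "missing"
    with path.open("rb") as fh:
        head = fh.read(len(SQLITE_MAGIC))
    return "sqlite" if head == SQLITE_MAGIC else "not-sqlite"


def locate(backup_dir, wanted=KNOWN_FILES) -> dict:
    """Map each logical label to (hashed file name, classification)."""
    backup_dir = Path(backup_dir)
    report = {}
    for label, (domain, rel) in wanted.items():
        file_id = backup_file_id(domain, rel)
        report[label] = (file_id, classify(backup_dir / file_id))
    return report


def build_sample_backup(root: Path) -> None:
    """Constructed sample: one readable database, one opaque file, one absent."""
    sms = backup_file_id(*KNOWN_FILES["sms"])
    (root / sms).write_bytes(SQLITE_MAGIC + b"\x00" * 84)
    calls = backup_file_id(*KNOWN_FILES["call_history"])
    # Stand-in for contents that are still encrypted (password-protected backup).
    (root / calls).write_bytes(bytes(range(7, 107)))
    # address_book is deliberately not written.


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(Path(tmp))
        for label, (file_id, state) in locate(tmp).items():
            print(f"{label:13} {file_id}  {state}")
```

A "not-sqlite" result for a file that should be a database usually means the backup contents have not been decrypted yet, which is also what a generic SQLite viewer reports as "not a SQLite file".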

By the way, did I also mention that EPPB downloads iCloud backups using any available (not just wireless) Internet connection? Well, now you know :).

However, using the iTunes format is preferable, because instead of wasting your time browsing through hundreds or even thousands of files, it’s much easier to use special software that works with iTunes backups. Here are my two favorite programs: Oxygen Forensic Suite and iBackupBot.

The first one is for professionals. It gets everything from backups, even some data you never thought would be there. Not just the contacts, messages, and pictures, but also conversations in different messengers such as WhatsApp and Skype, GPS location data, deleted conversations, and much more. If you have never used this excellent package before, you will be really surprised. Especially when looking at the contents of someone else’s iPhone (just kidding :)). This is probably the best software of this kind on the market – it just extracts everything and shows it in a very convenient way.

iBackupBot (available for both Windows and Mac, btw) is not as advanced as the Oxygen software but still extremely worthy. This small goodie only shows SMS messages (including iMessage conversations, of course), as well as the contact list, call logs, notes and media (pictures and videos). A must-have tool if you need to get the most important information from a backup in just seconds.

There is one more important point worth mentioning: iCloud stores not just one backup, but the latest three – and EPPB can get all three backups. The backup process, btw, is very intelligent, because backups are incremental. Once a backup is created, next time this smart device backs up only the changes, saving your time and traffic. So, downloading backups with EPPB also gets faster – you should be patient only when downloading your backup the very first time; after that it only gets the latest changes.

We also get questions about how to get the password to someone else’s Apple account. Sorry, but we only give such advice to law enforcement. All I can say is that in most cases a password is stored in the device (particularly, in the keychain), and once you have the local backup (which should be password-protected, and you should know the password – if you do not, EPPB can help you to crack this password, too), you can extract it easily. That may sound like a “chicken and egg” problem, and sometimes it is, but it is still one of the ways to get the password – better than nothing.

Oh, one more thing, now it’s time for some bad news, sorry. In an iCloud backup, the keychain is encrypted the same way as in a local backup without a password, i.e. using the hardware key unique to the device. That means that you cannot get some data from it, such as saved passwords to mail accounts, Wi-Fi access points, web sites etc.

And the last point for today. How can you protect your backup from being downloaded by someone else (from law enforcement agencies to your curious girlfriend)? Just keep your password safe. Nothing new. It should be long, complex, unique (that’s probably the most important!), with good security questions, and it is a good idea to change it from time to time; some tips are available in the iCloud: Change your iCloud account password article on the Apple web site. Moreover, Apple has very strict requirements for passwords, as described in the Frequently asked questions about Apple ID article:

(Interestingly, these requirements have been strengthened only recently. I still have one very old Apple ID with simple password that contains lowercase letters only, and it works just fine; however, I cannot use iCloud services with it)

You can even use different Apple IDs for Store purchases and iCloud services. Or you can just skip iCloud backups altogether and keep only the local ones, but as previously noted, this is not so convenient. As always, you should find your best balance between convenience and security – you can never have both to the full degree.

To my mind, Apple has done everything right – iCloud security is good enough. There are no vulnerabilities or security holes there. However, if I were Apple, I would add an extra layer of security by allowing users to set an additional password to iCloud backup, so even if someone knows your Apple ID and password, they still would not be able to access your backup. And though I personally trust Apple, they will not have a chance to read your private data either.

Conclusions? Please draw them yourself. We only give you the tool, and it’s your choice how to use it. Maybe you don’t need it at all. In an ideal world, nobody loses or breaks their iPhones or forgets passwords. And there are no bad guys trying to get access to your private data. But once you find this world, please let us know – I have my credit card ready to get a one-way ticket to this magic place :).



80 Responses to “iCloud backups inside out”

  1. Andrey says:

    EPPB 1.89 r1408 [RELEASE][PROFESSIONAL EDITION]
    [22-03-2013 11:00:13] GetAccountSettings: No error (0); HTTP 200
    [22-03-2013 11:00:13] Getting iCloud account information…
    [22-03-2013 11:00:13] Fetching account information…
    [22-03-2013 11:00:14] Get 1974738814: No error (0); HTTP 400
    [22-03-2013 11:00:14] Unable to process account information
    [22-03-2013 11:00:22] There was a problem while performing task: Invalid data (Error code -4)
    Can’t get data from icloud now. :(

  2. Greig says:

    Same as Andrey – the iCloud backup retrieval feature appears to be broken!

  3. Marcus says:

    I am a paying customer of the phone breaker software, the getting backups via Cloud no longer works. I wonder if a patch to fix this issue is in the wings? Otherwise, I am not going to purchase subsequent version of the software.

  4. Roy says:

    Same here.
    Not so pleased, since the software isn’t cheap. Hope this is gonna be fixed soon.
    Already contemplating about asking my money back.

  5. Jay says:

    Looks like iCloud changed something and EPPB will need a patch. Anyone from Elcomsoft care to chime in?

  6. Andrey says:

    How to fix this bug?

  7. Jack says:

    I bet it has to do with the new two factor authentication. Can we get an official status update on this?

  8. Andrey says:

    Most likely Apple changed the certification. Access via CalDAV to iOS calendars and contact synchronization stopped working. On connection the certificate is requested and issued, but it is not installed. You can check for yourself: https:\\p12-caldav.icloud.com:443 etc – yourappleid%40idapple.com@p12-caldav.icloud.com:443

    Probably Apple changed certification sign-ons. Access via CalDAV to calendars and contact synchronization on iOS stopped working. The certificate is requested and issued, but not set up. You can check yourself: yourappleid%40idapple.com@p12-caldav.icloud.com:443.

    I think the developers read this blog and can do some fix.

    P.S. Sorry for my English.

  9. Todd says:

    Yeah, what’s going on with this? Why hasn’t Elcomsoft put out an announcement or responded to any of these posts? We would like a status update and an ETA of when this will be fixed. This software was NOT cheap by any means and it hasn’t even been six months yet since I bought my license and I bought two years of support/updates.

    I bought this specifically for the iCloud feature.

  10. Andrzej says:

    Hey elcomsoft! Fix that issue already!

  11. Andrey says:

    It’s useless. The developer got the money for the license. and that’s all.

  12. Andrey says:

    Alexander Guretsky

    As of March 21, 2013, this particular feature has stopped working,
    probably because of recent changes in iCloud backup protocol. We are
    working on that and will do our best to resolve the problem as soon as
    possible.

    This feature has stopped working,
    probably because of recent changes in the iCloud backup protocol. We are
    working on it and will do everything possible to resolve the problem as soon as
    possible.

  13. Tom says:

    I seriously doubt this issue will ever be fixed and people should probably start thinking about refunds.

  14. Sam says:

    I was able to get a refund. Don’t leave it too late to ask.

  15. EricT says:

    Refunds… bit worried that since they haven’t updated their website with any progress, EPPB will not be updated anytime soon.

  16. Bob says:

    Elcomsoft could you please update us on any progress you have made. It doesn’t have to be a deadline just let us know what’s going on. The silence is driving customers away.

  17. Yo-ho-ho! says:

    Earned!

    It works!

  18. Andrey says:

    Yo-ho-ho! says:

    April 5, 2013 at 6:16 pm

    Earned!

    It works!
    And where do I get a new serial number? The old one doesn’t work with the new version. :(

  19. Thank you all for your patience. The problem has been fixed in version 1.90 (released last Friday, April 5th) — yes, Apple has changed the authentication protocol.

    The other good news is: this feature works even for accounts with two-step verification enabled.

  20. Andrey says:

    Hey! What about the product key? How do I update to the new version?

  21. Jason says:

    This is not fair, I purchased v1.85 pro which cost a hell of a lot of money and now it doesn’t work, I either want my money back or a serial code for v1.90 so I can actually use the software I paid you for.

    Surely selling software and not ensuring people get a patch or update when it stops working is wrong. You can’t just say “This software does not work anymore but you can purchase our update that will work”

  22. Andrey says:

    Forget about it. I found this bug and did not even get a new serial number. The developer is greedy.

    Forget about it. I discovered this bug, and did not even receive a new serial. Developer is greedy.

    Hey there is my SN?!

  23. Jason, Andrey -

    We do provide free upgrades during a year after purchasing the license — your old registration code should still work. If that’s not the case, please contact our support team (or me directly), indicating your old code or order ID.

  24. Ariel says:

    Hello Vladimir.

    Do you have an app that can download an Icloud backup cheaper than 80 Euros? This price is too much for people like me in South America.

    That is the only feature I need right now, if you have a cheaper small app that can do that, I will be very grateful.

    spasibo!

  25. Mike says:

    2 BACKUPS FROM 2 DIFFERENT IPHONES ON ICLOUD, BOTH APPEAR IN THE PROGRAM AFTER SUCCESSFUL LOGIN, HOWEVER I AM ONLY ABLE TO DOWNLOAD 1 OF THEM.

    1ST BACKUP IS THE LATEST, IPHONE (5,1; 2 SNAPSHOTS) 46MB
    2ND BACKUP WILL NOT DOWNLOAD (3,1; 1 SNAPSHOT) 2400MB

    ERROR MESSAGE IS AS FOLLOWS:

    “There was an error downloading backup (name): Network Error (-299)
    “There was a network problem while performing the task”: Network Error (no error); Last http response: 403

    WHY IS THIS?

  26. M Steigman says:

    I am now receiving network errors as well. -299 error when trying to download iCloud backups. Worked perfectly since last update until now.

  27. Tarek says:

    Everything was working well until starting getting error -299 as previous post, any reason? is a fix coming soon?

  28. M Steigman says:

    I corrected the problem by saving to a fresh directory rather than using the directory I had been using locally.

  29. Tarek says:

    thanks for the feedback, still same problem, did u save on a usb instead of hard drive? I was able to download one file on the icloud but not the other for other device, interesting

  30. Dane says:

    Anyone with a solution/update to this HTTP error? It’s urgent, please respond.

    Vladimir, could you please help?

  31. Fix for -299 error is coming, will be available in a month. It may happen when one of the chunks (that is being downloaded) is large enough, and the authentication token expires; so we need to re-authenticate. As a workaround, just try to download the same backup again — it will resume from the same point.

    The new version of EPPB will also allow to download not only the full backup, but just the selected categories (such as SMS/iMessage database, contacts, call logs, camera roll etc).

    After all, I should note that it is much more effective to send a technical support request or feature suggestion via our online support system at:

    http://support.elcomsoft.com

  32. john says:

    Where’s the fix?.. BY THE WAY you work around doesn’t work AT ALL.. please release a workaround that WORKS..
    your software NEVER gets to pass the error point.. so no other file is downloaded..
    I PAID FOR IT.. i NEED it to work.

  33. Dane says:

    Vladimir Katalov,

    Any news regarding the updates? Do reply ASAP!

  34. John, please contact us through our online support system — we may ask you about some additional details.

  35. Dane, we plan to release it till the end of the month — sorry for the delay.

    Btw, there could be two different reasons for the -299 error you mentioned. The first one is a network error, when backup downloading simply gets interrupted (i.e. if the connection has been lost or authentication has expired). In that case, simply try to start downloading again, it should resume.

    The second reason is that the last backup available in the cloud is not complete. In that case, it cannot be downloaded even theoretically (the server simply does not allow that). But all previous backups (if any) are downloaded just fine. Usually, you can detect this situation right after you enter the Apple ID and password, when the list of available backups is shown — typically, EPPB shows that for this particular device 4 backups are there (normally, it should be just three or less).

    Sorry for confusion about this error — we will make it better in the new version.

  36. John says:

    Is there any way to get Oxygen Forensic Suite Analyst cheaper? The quote they gave me was an insane price!

  37. John,

    Oh yes, OFS is expensive (even after the discount for our customers), especially the Analyst version. But please note that it supports a few thousand phones, not just the iPhone. If you are going to work with iPhone backups only, I would recommend you to get one of the other tools, such as:

    iBackupBot (Windows and Mac OS X)
    http://www.icopybot.com/itunes-backup-manager.htm

    iPhone Analyzer (Windows)
    http://www.crypticbit.com/zen/products/iphoneanalyzer

    iOS Backup Analyzer (Windows)
    http://www.ipbackupanalyzer.com/

    iExplorer (Windows and Mac OS X)
    http://www.macroplant.com/iexplorer/

    /Vladimir

  38. John says:

    Hey Vlad,

    Thanks for the reply. Of the programs you mentioned, which would be best for recovering deleted texts/images (in usable format)? I’m currently using iBackupBot and Decipher TextMessage, both of which work well for regular use. I am interested in recovering deleted text/images, and Decipher Text found them (I’m unaware of this feature in iBackupBot), however it could only read the texts–I was unable to extract the images.

    I’m thinking that Oxygen would be able to extract them, which is why I was interested. Are you allowed to say what your discount is? If not, I understand. My quote was $2,500.

    Does the free version of Oxygen recover deleted files? I would like to use that one, but they won’t accept my email, so I’m out of luck there.

  39. John,

    To be honest, I did not know that they increased the price to $2500 (it was about two times cheaper). I’ll contact them asking about current discount for our customers, but I doubt that they can give more than 20% off.

    So far, I have found two programs that are able to recover deleted SQLite records (and so deleted messages):

    http://www.sqliterecovery.com/sqlite-record-recovery.html
    http://sqlrecovery.narod.ru

    (the second one is mostly in Russian, but there is some info in English at the bottom of the page)

    About recovery of deleted files: sorry, but for iOS 4+ (so including versions 5 and 6), it is not possible at all, neither with Oxygen nor with any other software. We have made some progress here (analyzing the flash memory extracted from the iPhone), but that’s extremely hard work — we are still not sure that we will be able to do that.

  40. NIk says:

    How can I recover my iCloud password? I forgot it; I have my email though.

  41. Nik,

    No way, sorry. But you can reset it:

    http://support.apple.com/kb/HT5624

    /Vladimir

  42. Kevin says:

    Hey Vladimir, Any update on the new release?

    I am also facing the -299 error. Where a particular backup is not downloaded at all. Rest all other backup work fine. As soon as I click to download it, it throws the -299 error followed by HTTP 403 message.

  43. Kevin,

    Still working on it — will be available by the end of this month, sorry for the delay. Just wanted to note that an incomplete backup cannot be downloaded at all (the iCloud server simply returns an error message, not allowing to get any data). So the new release simply will not show incomplete backups in the list (counting only full ones) and will not even try downloading them.

  44. Teresa says:

    I am using EPPB to get an iCloud back file from Apple. I successfully log in and see my file size at 586MB

    However, when I go to download the file locally I do not get any errors. However the download time takes less than 2 seconds and when I go to open the backup using iBackUp, there are 0 files available. The backup is basically empty.

    I have been trying to search for help on this. Anyone know a solution or WHY this is happening?

    Thank you.

  45. Teresa,

    Please contact our support team, including the following information:

    - Your EPPB order ID or registration code
    - Your operating system
    - Version of EPPB you’re using
    - Is there enough space on the target disk (and permissions to write)

  46. Claudio says:

    Hey Vladimir,

    Any update for the -299 error?
    It is a problem from icloud?

    Thanks!

  47. Misko says:

    Hi is there a way to access to Viber messages downloaded from IOS7? i tried with Sqlite opening contacts.data but got error message this is not SQLite file.. also iBackupBot does not seem to show viber history or messages..
    Thanks

  48. Misko,

    Sorry, we have to look into it — thanks for the suggestion. Probably, Viber database is encrypted.

  49. Misko,

    I have made a quick test — Oxygen Forensic SQLite Viewer (part of Oxygen Forensic Suite) has opened “contacts.data” just fine; all the contacts and conversations are visible.

  50. misko says:

    Thanks Vladimir, one more thing was phone backup you were testing on Jailbroken or not? I am trying on my IOS 7.0.2 backup that is not JB , my friend managed to open his backup as well from SQLite his phone was JB IOS 6.. in case Oxygen Forensic SQLite Viewer works with non JB phones than its great..
