• Russian cybersecurity company Elcomsoft claims its iOS Forensic Toolkit can now extract some data while a device is in BFU mode.
  • The latest update of iOS Forensic Toolkit allows it to extract select keychain records from iPhone devices
  • The toolkit can be used on iPhone 5s up to iPhone X running on iOS 12 and up to iOS 13.3

A Russian cybersecurity company that makes digital forensic tools for law enforcement and business specialists has discovered a way to hack into locked Apple iPhone devices. The method reportedly works on most iPhone models ranging between iPhone 5s and iPhone X. It is also effective on iPhone devices running on iOS 12 through iOS 13.3.

The cybersecurity company is called Elcomsoft. It's newly expanded capability to extract data even on devices running on iOS 13.3, which many claims unlockable, is through the update rolled out on its iOS Forensic Toolkit. The company claims that its iOS Forensic Toolkit can extract specific pieces of data from an iOS device before it has been unlocked.

Apple made sure that nearly all of the data stored on an iPad or an iPhone is safely and securely encrypted following a restart or a reboot until a passcode has been keyed in. However, the little part that is now, which includes keychain data, can be obtained, says Cult of Mac. Over the years, the Cupertino-based tech company has been making it more difficult to crack into iOS devices through every major software build.

Right now, it is almost impossible to access a locked iPhone without a special tool that could cost hundreds of thousands of dollars, adds the site. However, there might still be some data that you can get from an iOS device without the need to unlock it. Elcomsoft thinks that it is the iOS Forensic Toolkit.

The latest update of the IOS Forensic Toolkit enables the software to extract chosen keychain records in the Before First Unlock ( BFU ). In other words, it can collect sensitive information from infected iPhone devices that have been rebooted or powered off, and it does not require a passcode entry. According to Elcomsoft,

In Apple’s world, the content of the iPhone remains securely encrypted until the moment the user taps in their screen lock passcode. The screen lock passcode is absolutely required to generate the encryption key, which in turn is absolutely required to decrypt the iPhone’s file system. In other words, almost everything inside the iPhone remains encrypted until the user unlocks it with their passcode after the phone starts up.

The partially exposed bits, are by design and are necessary to enable the iPhone device to boot up properly. It is not clear if a software update or a firmware fix from Apple could render this newly-discovered method ineffective. Also, there is no mention that this method could work on the current generation of iPhone devices, which is the iPhone 11 series.

The cybersecurity company also made it clear that it will not, in any way, help unlock iOS devices. Instead, its recently updated iOS Forensic Toolkit could come handy, especially to law enforcement officials in extracting data from an iPhone without having to unlock or jailbreak it.