Elcomsoft, a company which sells tools to law enforcement agencies to access locked iPhones, says that it is now able to extract some data from devices running any version of iOS from 12.0 to 13.3.

It relies on the checkm8 exploit of a vulnerability present in most A-series chips, which made possible the Checkra1n jailbreak.

Crucially, Elcomsoft says that the $1,495 tool works even when the iPhone is in its most secure state, known as BFU…

The company says that its tool works even after a restart.

The BFU stands for “Before First Unlock.” BFU devices are phones that have been powered off or rebooted and have never been subsequently unlocked, not even once, by entering the correct screen lock passcode.

In Apple’s world, the content of the iPhone remains securely encrypted until the moment the user taps in their screen lock passcode. The screen lock passcode is required by Secure Enclave to produce the encryption key, which in turn is used to decrypt the iPhone’s file system. In other words, almost everything inside the iPhone remains encrypted until the user unlocks it with their passcode after the phone starts up.

It is the “almost” part of the “everything” that’s being targeted by Elcomsoft iOS Forensic Toolkit. The company has discovered certain parts of data being available in iOS devices even before the first unlock.

Elcomsoft discovered that some keychain data is accessible even at this stage.

Some keychain items containing authentication credentials for email accounts and a number of authentication tokens are available before first unlock to allow the iPhone to start up correctly before the user punches in the passcode.

Running the tool does require installing a jailbreak, but this too can be done on locked iPhones and iPads.

Accessing the keychain in BFU mode requires installing the checkra1n jailbreak that targets vulnerabilities in Apple bootrom. The jailbreak is installed via DFU mode and is available for all compatible devices regardless of their lock state or BFU/AFU status.

Apple’s latest iPhones and iPads are, however, protected from the vulnerability, which is found in the A-series chips from A7 to A11.

This includes the iPhone 5s, 6, 6s, SE, 7 and 8 along with the Plus versions, as well as the iPhone X. Apple iPad devices running on the corresponding CPUs are also supported, which includes models ranging from the iPad mini 2 all the way up to the 2018 iPad, iPad 10.2, iPad Pro 12.9 (1.Gen), and iPad Pro 10.5.

Elcomsoft sells a range of different tools to law enforcement agencies and governments, businesses and even individuals.

FTC: We use income earning auto affiliate links. More.

Pocketalk translation device

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear