Elcomsoft has announced that its latest Phone Breaker forensic tool can now access messages stored in iCloud from devices running iOS 11.4 or later, but the requirements for doing so serve to illustrate how secure the feature actually is. Elcomsoft notes that “Apple protects iMessages with a strong protection mechanism much like the one that is used to protect the iCloud Keychain,” adding that Apple even takes it one step further by requiring devices participating in Messages in iCloud to use two-factor authentication, and that all messages are “securely encrypted with a key that is encrypted with devices’ lock screen password.” Apple also specifically states in a support article that the user’s “messages are encrypted on your device and can’t be accessed by anyone without [the] device passcode.”
The result is that while Elcomsoft Phone Breaker _can_ technically access and download Messages in iCloud, so much information is required to do so as to make the process almost pointless.
Specifically, Phone Breaker 8.30 or newer requires that you supply the user’s Apple ID and password, have access to the “second authentication factor” (which basically means the user’s iPhone or iPad, although a SIM card could also work), and know the passcode or system password of at least one of the devices participating in Messages in iCloud (iPhone, iPad, or Mac). In other words, extracting Messages in iCloud with Phone Breaker requires all of the same information that would be needed to access and configure Messages in iCloud normally.
While the tool can still be useful simply for downloading data for forensic analysis, it doesn’t actually bypass any of the security that Apple has put in place.