Late last year there was a blog piece on a very real and present threat to users of Apple devices and iCloud. “How Your Nakes Pictures Ended Up on the Internet” was an attempt at contributing awareness to the very real threat of attackers using victim’s iCloud credentials to download the victim’s iCloud backup and pilfering private data.
Months after it was published, Apple introduced 2-factor authentication for iCloud accounts. Using the additional layer of authentication is completely optional, but highly recommended. This works great to protect your iCloud account, and is especially effective at preventing unauthorized purchases on your iCloud account – assuming that you never lose your device that you’re receiving the PIN on. Nothing new there.
What is new is that Elcomsoft has not only confirmed the method of attack that was described the blog, but verified that Apple 2-factor auth does not protect iCloud backups from attackers with a pilfered account and their Elcomsoft Phone Password Breaker tool. That’s right, the same old attack from yesteryear still works – 2-factor or not. Heck, you don’t even need Elcomsoft’s tool to download the backup onto another device!
I continue to hear that people still have had their personal data stolen this way, and are incredibly frustrated by the “bolt on” approach that Apple has taken to 2-factor authentication.
For those that are unfamiliar with how these attacks typically occur (this is explained in greater detail in the link above), it can boil down to an attacker resetting an iPhone to ‘factory fresh’ and using the stolen iCloud credentials to restore from the latest backup – and presto, you have all of their stuff. A second scenario would involve using the Elmsoft tool to make use of the victim’s credentials and then download the iCloud backup to a computer. From there, the attacker could use a tool like iBackupBot or Oxygen Forensic Suite to look through the victim’s data.
Moral of the story: Apple’s 2-factor is a good start, but needs to expand the implementation to protecting iCloud data. Users need to remain vigilant against the usual assortment of phishing attacks – and be cautious of what data is stored on their mobile devices.