Apple's iCloud cracked: Lack of two-factor authentication allows remote data download

Summary: Notorious Russian hacker Vladimir Katalov released findings showing Apple's iCloud vulnerable to unauthorized download access, with iCloud data stored on Microsoft and Amazon servers.

(Image: Violet Blue/ZDNet)

KUALA LUMPUR, MALAYSIA — Russian security researcher Vladimir Katalov analyzed Apple's secretive iCloud and Find My Phone protocols to discover that neither are protected by two-factor authentication, and iCloud data can be downloaded remotely without a user ever knowing.

In "Cracking and Analyzing Apple’s iCloud Protocols," presented to a crowded room at the Hack In The Box security conference last Thursday in Kuala Lumpur, Malaysia, Vladimir Katalov revealed that user information and data are not as inaccessible as Apple is telling the public.

Katalov's findings appear to support his emphatic statement that Apple can access data it claims to not be able to access.

A malicious attacker only needs an Apple ID and password to perform remote iCloud backups, and does not need the user's linked devices.

He explained that there is no way for a user to encrypt their iCloud backups.

The data is encrypted, he explained, but the keys are stored with the data. Katalov added that Apple holds the encryption keys.

Katalov told ZDNet he was shocked to discover that in addition to all of these security chain issues, Apple's iCloud data is stored on Microsoft and Amazon servers.

Katalov's presentation pointed out that because Apple provides full request information to its third-party storage providers (Amazon and Microsoft), Apple could provide this data to law enforcement.

In Apple's July public statement on the NSA PRISM surveillance program, Apple denied any backdoor server access for government agencies. Apple unequivocally stated, "Apple does not give law enforcement access to its servers."

When a user performs an iCloud backup download, they receive an email informing the user that the process is complete.

"Apple does not give law enforcement access to its servers." — Apple, July 2013

Katalov discovered that when a remote download is performed, the user receives no notification email. If a user's data is accessed and downloaded from iCloud by a remote third party, they would not know.

Katalov's work represents the first time anyone has analyzed and publicly presented findings on Apple's secretive iCloud protocol.

Vladimir Katalov analyzed Apple's iCloud and Find My Phone protocols by sniffing HTTP traffic on jailbroken devices, though he was careful to explain that a user's devices do not need to be jailbroken for a malicious entity to exploit the remote backup protocol security omissions Katalov discovered.

Analyzing the traffic, he told the crowded room during his Thursday presentation, was not difficult.

Apple's iCloud data comprises what a user stores as a data backup. It contains documents, Dropbox files and sensitive user data.

In his analysis, Katalov discovered that iCloud files are stored as a container — plist and content — in a files-to-chunks mapping schema.

But he found that Apple's two-factor authentication, a layer of user security used in addition to a username and password, is not used for iCloud backups (or Find My Phone).

(Image: Violet Blue/ZDNet)

Apple's two-step authentication ("2FA") does not protect iCloud backups, Find My Phone data and the documents stored in the cloud. Katalov details this further in a blog post: "Apple Two-Factor Authentication and the iCloud."

Katalov showed Hack In The Box attendees that with simple queries, it's possible to get the authentication token for accessing the iCloud backup, backup IDs, and the encryption keys. Then one can download the files from where they're stored in Windows Azure or Amazon AWS.

ZDNet caught up with Katalov after his presentation to find out more.

When asked if he had presented his discoveries to Apple, he explained that his findings were the results of protocol analysis — and are not a vulnerability.

Put another way, the iCloud security hole falls into the "it's a feature, not a bug" category.

(Image: Violet Blue/ZDNet)

When ZDNet asked Katalov if there was a way for Apple to fix this issue — such as extending two-factor authentication to its iCloud and Find My Phone services — he shook his head and told us that Apple's implementation of two-factor auth was likely "only an afterthought."

Katalov told ZDNet the best thing a user can do to protect their iCloud data is to simply not use iCloud.

However, Katalov told us he still uses Apple's iCloud as a backup service. "It is not exactly safe, but I am selecting between security and privacy," he said.

It's easy to argue that because a remote attacker needs an Apple user ID and password, the data is still out of reach to most malicious entities.

However, obtaining Apple user IDs and passwords isn't impossible: email phishing is more effective than most would believe, and social engineering techniques are sadly common and also very effective.

A recent example is the spate of Apple ID data thefts in Norway. This past February, a significant number of teenage girls were targeted by boys who easily surmised the girls' user IDs and password recovery information to gain access to their Apple accounts and download the girls' photos and data, which, sadly, ended up passed around and also sold online.

In his Hack In The Box presentation, Katalov told the audience that he was also surprised to discover that when a user shuts off location tracking services, the user's location is still stored for around 3-6 hours.

We wondered if this is what led Katalov to mention that next he will analyze Touch ID protocol and storage — as soon as iOS 7 is jailbroken, he told ZDNet.

"Apple says it never sends the information, and it is never copied to local [storage]" he added, "but I am not so sure."

ZDNet asked why Katalov felt this way, when Apple specifically states that it does not transmit Touch ID information.

Katalov's eyes glittered, and a boyish smile crept across his face. In his thick Russian accent he replied, "Trust no one."

ZDNet has contacted Apple for comment and will update this article if Apple responds.

  • Translation: you can't actually hack iCloud, but

    if you could somehow trick people into giving you their credentials, we can pretend we are you. In other earth-shattering news, the sun will rise in the East, and clear skies will be blue.
    • Gosh!!

      So I guess this also means if I can trick someone into giving me their MS login credentials I could access their Skydrive files???? Who would have thought it - this is indeed amazing stuff!
      The Central Scrutinizer
      • Every time I use my skydrive on

        a new computer I am required to use two factor authentication. Usually a code sent to me via a previously provided phone number or email address, so it wouldn't be nearly as easy.
        Sam Wagner
        • If I can phish your credentials, I can phish your phone number.

          Actually snagging a cell number would be easier, since that is public information.
          • Definitely true.

            But the two factor authentication just makes it that much harder. Bottom line is, if someone really wants in and they know what they're doing, they can likely get in. It's up to the individual user to pick complicated passwords and keep them safe.
            Sam Wagner
    • Not exactly...

      From reading the article, I believe he grabbed the user ID and password with a simple packet sniffer, without the user knowing he grabbed it.
      • Many people

        have no idea what a packet sniffer is. But they should not have to.
      • Yep, very possible

        The guy owns a packet sniffer that decodes 256bit AES encryption in real time. Beware of Russian technology! :)

        Alternatively, he could own a Russian make mind reading device and not need to sniff anything.
      • Even more likely…

        He used his own ID/password from another machine that allowed him to see the actual URLs and thus accessed his own data.

        Hence the emphasis on keeping that info secure.
    • The context of the discussion was two-factor authentication.

      An Apple ID and password are not, by themselves, two-factor authentication. The discussion is about how Apple's half hearted implementation of two-factor authentication is easily bypassed with the very credentials two-factor authentication was meant to reinforce.
      • What is bypassed?

        Care to elaborate what is bypassed?
      • Re: the context of the...

        I copied from her article, "Apple's secretive iCloud and Find My Phone protocols to discover that neither are protected by two-factor authentication, and iCloud data can be downloaded remotely without a user ever knowing."
    • WRONG!

      It means your credentials are shared with both Microsoft and Amazon. So now you have three big companies denying they turn over your data to the Feds. Who all have employees YOU have to trust to not get HACKED themselves. Not to mention there are tons of Hackers out Brute Forcing random accounts on all three of these Cloud servers besides looking for doors into these servers now that they know the credentials are stored with the files!

      At least Google has moved to fully encrypt user's data on their Cloud Storage and tell users to use their remote two factor authentication system if they want better security! Apple making any move to build their own Database Networks? NO!!!! ....they like using OPM other people's money, so they can just point the finger at others being to blame! ;-P

      Yep! In a way, this is how they do it! The perpetrator or imposter in my case was a supposed unrequited romance from high school days! Oh! Now it was our time to text message on Facebook and reacquaint our old feelings!!!! Then he became strange. Only messages in morning, in afternoon, at night constantly. If I was not at home he knew it and I was states away!! Then there is so much more, but my creepy imposter was a KEY LOGGER AND SOME KIND OF STEALTH GENIE TYPE THING. First I cleaned up my computer but APPLE IPHONE HAS GIVEN ME HELL!!! Meanwhile THE RAT haunts me and steals all my data and my friends' data and probably their data!! I hear it is a very profitable business!!! I had never heard of it but I am not a hacker. Being tracked, spied on and my privacy violated plus being taken advantage of monetarily and hurting your loved ones feels like being raped, as a female speaking. Sorry for the harshness but my vulnerability level is touchy and I really don't think that some net users understand the seriousness that can really happen online. Because of messaging to a real or shadow profile and at the least the use of a KEY LOGGER!!! That simple... If you have daughters please watch their internet usage. I have not told you the worst of this cyber stalker's violations. But, you got it above Mr. V. and I knew way before then and I also knew APPLE WAS NOT GOING TO DO ANYTHING ABOUT IT. But he is right! You keep using the phones because they still are the easiest to operate and safer than any of the others that seem to be more complicated. I suppose all cell phones and yes the internet has issues. Do we hide in shells? APHELIADAWN
  • Maybe Apple cannot implement exactly what they want because

    "Apple's iCloud data is stored on Microsoft and Amazon servers.

    Katalov's presentation pointed out that because Apple provides full request information to its third-party storage providers (Amazon and Microsoft), "

    That is what you get when you trust Amazon or Microsoft... The real devils in this story.
    • please

      Never have children....
    • What next? Blame Verizon-ATT since iPhones send data over their networks?

      Apple relies on Amazon and Microsoft for cloud services, because this is not an area of strength for Apple.

      Apple is a hardware company first and foremost. Their efforts into services are where they have had the most issues, so there is no need to imply secret fault of other companies to deflect blame.

      It isn't the first time a flaw has been found in the way a tech giant does something.
  • Not news

    You can get people's data if you have their logon and password! You can do that for everything. Apple does not say you can't do this. This is total junk. You can do that with Google and Microsoft and everything! If you could not do this no one would use it. And to require 2 factor authorization is a pain and no one would use it.
  • The two key points here are two-factor authentication and encryption

    I think the point he is trying to make is that they should/could have used two-factor - only allowing you to access your iCloud account from a device you have already registered (e.g. Your iPhone). If you manage to phish/steal someone's credentials, 2FA would hinder the attack.
    Recently, Apple said that iMessage was encrypted and they had no way to read messages (although QuarksLab has shown there are ways they could). What we see here is that iCloud is not protected to the same level.
    Gerry C
  • So I am hearing several things here.

    1. The authentication is simply an ID and a password. Like most of the Internet.
    2. Once you ask, with the proper credentials, Apple doesn't ask back "do you want to verify this" even at the device level. Again, like most of the Internet
    3. Apple uses third parties for hosting. (Did I say like most of the Internet?)
    4. iCloud is not tied to a device itself. Gee, why do you think you can have an iCloud account on a NON-APPLE device???
    5. If a valid request for iCloud data is made, the third parties have to respond. Is that any different than any LAWFUL service?
    6. Aren't 1 through 5 common across the Internet? (Maybe...)
    7. He's looking for data persistence on TouchID. Which would seem to add one more (maybe two) layers of complexity because you would have to get an iPhone with it, swipe a fingerprint, unlock it, and... (think we did this dance when the new iPhone was released).

    Truth is kiddies, if you don't want to get caught with it for real, don't assume the Internet is any different. If you are encrypting your porn and stuffing it in iCloud, it's the same as stuffing your Playboy under the mattress. Your parents will find it.