Apple's iCloud cracked: Lack of two-factor authentication allows remote data download

Notorious Russian hacker Vladimir Katalov released findings showing Apple's iCloud vulnerable to unauthorized download access, with iCloud data stored on Microsoft and Amazon servers.
Written by Violet Blue, Contributor
Image: Violet Blue/ZDNet

KUALA LUMPUR, MALAYSIA — Russian security researcher Vladimir Katalov analyzed Apple's secretive iCloud and Find My Phone protocols to discover that neither are protected by two-factor authentication, and iCloud data can be downloaded remotely without a user ever knowing.

In "Cracking and Analyzing Apple’s iCloud Protocols," presented to a crowded room at Hack In The Box security conference last Thursday in Kuala Lumpr, Malaysia, Vladimir Katalov revealed that user information and data is not as inaccessible as Apple is telling the public.

Katalov's findings appear to support his emphatic statement that Apple can access data it claims to not be able to access.

A malicious attacker only needs an Apple ID and password to perform remote iCloud backups — and do not need the user's linked devices.

He explained that there is no way for a user to encrypt their iCloud backups.

The data is encrypted, he explained, but the keys are stored with the data. Katalov added that Apple holds the encryption keys.

Katalov told ZDNet he was shocked to discover that in addition to all of these security chain issues, Apple's iCloud data is stored on Microsoft and Amazon servers.

Katalov's presentation pointed out that because Apple provides full request information to its third-party storage providers (Amazon and Microsoft), Apple could provide this data to law enforcement. 

In Apple's July public statement on the NSA PRISM surveillance program, Apple denied any backdoor server access for government agencies. Apple unequivocally stated, "Apple does not give law enforcement access to its servers."

When a user performs an iCloud backup download, they receive an email informing the user that the process is complete.

"Apple does not give law enforcement access to its servers." — Apple, July 2013

Katalov discovered that when a remote download is performed, the user receives no notification email. If a user's data is accessed and downloaded from iCloud by a remote third party, they would not know.

Katalov's work represents the first time anyone has analyzed and publicly presented findings on Apple's secretive iCloud protocol.

Vladimir Katalov analyzed Apple's iCloud and Find My Phone protocols by sniffing http traffic on jailbroken devices — though he was careful to explain that a user's devices do not need to be jailbroken for a malicious entity to exploit the remote backup protocol security omissions Katalov discovered.

Analyzing the traffic, he told the crowded room during his Thursday presentation, was not difficult.

Apple's iCloud data is comprised of what a user stores as a data backup. It contains documents, Dropbox files and sensitive user data.

In his analysis, Katalov discovered that iCloud files are stored as a container — plist and content — in a files-to-chunks mapping schema.

But he found that Apple's two-factor authentication, a layer of user security used in addition to a username and password, is not used for iCloud backups (or Find My Phone).

Image: Violet Blue/ZDNet

Apple's two-step authentication ("2FA") does not protect iCloud backups, Find My Phone data and the documents stored in the cloud. Katalov details this further in a blog post: "Apple Two-Factor Authentication and the iCloud."

Katalov showed Hack In The Box attendees that with simple queries, it's possible to get the authentication token for accessing the iCloud backup, backup IDs, and the encryption keys. Then one can download the files from where they're stored in Windows Azure or Amazon AWS.

ZDNet caught up with Katalov after his presentation to find out more.

When asked if he had presented his discoveries to Apple, he explained that his findings were the results of protocol analysis — and are not a vulnerability.

Put another way, the iCloud security hole falls into the "it's a feature, not a bug" category.

Image: Violet Blue/ZDNet

When ZDNet asked Katalov if there was a way for Apple to fix this issue — such as extending two-factor authentication to its iCloud and Find My Phone services — he shook his head and told us that Apple's implementation of two-factor auth was likely "only an afterthought."

Katalov told ZDNet the best thing a user can to do to protect their iCloud data is to simply not use iCloud.

However, Katalov told us he still uses Apple's iCloud as a backup service. "It is not exactly safe, but I am selecting between security and privacy," he said.

It's easy to argue that because a remote attacker needs an Apple user ID and password, the data is still out of reach to most malicious entities.

However, obtaining Apple user IDs and passwords isn't impossible — aside from email phishing techniques, which are more effective than most would believe. Social engineering techniques are sadly common and also very effective.

A recent example is the spate of Apple ID data thefts in Norway. This past February, a significant number of teenage girls were targeted by boys who easily surmised the girl's user ID and password recovery information to gain access to their Apple accounts, download photos and the girls' data — which, sadly, ended up pass around and also sold online.

In his Hack In The Box presentation, Katalov told the audience that he was also surprised to discover that when a user shuts off location tracking services, the user's location is still stored for around 3-6 hours.

We wondered if this is what led Katalov to mention that next he will analyze Touch ID protocol and storage — as soon as iOS 7 is jailbroken, he told ZDNet.

"Apple says it never sends the information, and it is never copied to local [storage]" he added, "but I am not so sure."

ZDNet asked why Katalov felt this way, when Apple specifically states that it does not transmit Touch ID information.

Katalov's eyes glittered, and a boyish smile crept across his face. In his thick Russian accent he replied, "Trust no one."

ZDNet has contacted Apple for comment and will update this article if Apple responds.

Related stories:

Editorial standards