Apple's iCloud iConundrum - does convenience mean insecurity?

Filed Under: Apple, Apple Safari, Cryptography, Featured, iOS, OS X, Privacy

shutterstock_AppleArrow170Information security has become such a booming business that it seems there is a conference somewhere in the world every single week.

Back in the day we saw big hackerish announcements twice a year, during Black Hat and the Chaos Communication Congress. Now it is happening everywhere, all the time.

Last week at the Hack in The Box conference in Malaysia, researcher Vladimir Katalov made some rather bold claims about the security of Apple's iCloud backups and iCloud document storage.

It must first be noted that more than six months after launch, Apple has still only introduced two-factor authentication in a handful of countries. I was not able to test all of these claims as it is not yet available in Canada.

In his talk, "Cracking and Analyzing Apple's iCloud Protocols", Katalov showed how Apple's optional two-factor authentication is selective in its application, even where it is available.

First, two-factor is optional. This is true for most services, but I would like to see someone begin making it mandatory.

Apple2Factor500

Passwords are just too vulnerable and unfortunately two-factor has become the bare minimum for cloud services if you don't want others accessing your information.

Second, but more importantly, Apple's two-factor authentication only applies to three specific applications of your Apple ID:

  • Making a purchase in iTunes/App Store.
  • Managing or changing your Apple ID.
  • Working with Apple's technical support team.

Notice how it is inclusive, rather than exclusive. These are the only things protected and nothing else is guaranteed or indeed, included.

What Katalov discovered is that iCloud backups and iCloud documents are not protected by the two-factor system and that they are stored on Microsoft Azure and Amazon AWS cloud services.

Additionally, while the files are stored encrypted, the encryption keys are stored with the files. . . rendering the encryption largely worthless. It also means that Apple can disclose the contents of iCloud stored files on request of law enforcement and governments if they are required to.

ipad-iphone-170Katalov demonstrated that by simply acquiring the Apple ID and password of another user, whether they have enabled two-factor authentication or not, he can download their iPhone/iPad/iPod backups and documents from iCloud and see their pictures, music, emails, contacts, documents, presentations, spreadsheets or anything else without the victim being alerted.

Most users likely assume that by enabling two-factor authentication they are protecting their iCloud data from being stolen if their password is guessed, get infected with a keylogger or are phished. That is true for making an App Store purchase, but all bets are off for iCloud.

Furthermore, iPhone backups can be restored to any device with just the password. If I am able to acquire your Apple ID, I can download everything on your phone to mine. You will get a warning email after the fact, but arguably that is too little too late.

Katalov's research shows that Apple has only half implemented their two-factor technology and has chosen convenience over actual security. Hopefully his shining a light on the problem will prompt some action from Apple to close these holes.

Image of a apple with an arrow through it courtesy of Shutterstock.

, , , , , , ,

You might like

7 Responses to Apple's iCloud iConundrum - does convenience mean insecurity?

  1. Jake · 334 days ago

    So, if someone restores an image of my phone onto another one, have they effectively cloned my phone? I guess without the SIM they won't be able to get my phone calls or texts, but what about iMessage etc? (which I also heard had some security issues).

    Hopefully the screen lock password should be in place, but if they know my apple ID/password that's probably resettable somehow too.

  2. nruth · 334 days ago

    Good to know, but I have a couple of queries:

    What would you advise for avoiding this? Disable iCloud backups wherever it pops up?

    Keychains recently started cloud-syncing again (10.9). Are these better encrypted, or should we avoid that too?

    • Chester Wisniewski · 331 days ago

      It is my understanding that Keychains is protected by the 2-factor option. I haven't test it though as 2-factor is not available to Canadian Apple customers. I guess we don't deserve protection, seeing as we are all not-American and all.

      I certainly wouldn't back up my phone or store my documents on iCloud, but it really is a personal decision. The researcher who delivered the talk states he still uses iCloud, he just hopes that by pointing out its flaws Apple will fix their errors.

      I doubt it will work. Apple customers aren't much for holding Apple accountable for its questionable security practices.

      • nruth · 331 days ago

        The Keychain is also protected/encrypted by a user provided password, which I'd hope solves the key-stored-alongside-file issue. For me, that's the real problem raised here.

        2-factor authentication before getting access to the files at all would be better, but I can't imagine them rushing to make their services less user-friendly, even at the cost of weak or no security.

  3. Gavin · 334 days ago

    "...the encryption keys are stored with the files..."

    Apple, I have an idea. Why don't you encode the files with ROT13 but release a white paper announcing that you really use ROT9. I believe that might be a more secure than what you're doing now with iCloud.

    Seriously, how did a company the size of Apple ever release a product where this blatant misuse of encryption made it all the way to production? Where is the oversight? Is there any Quality Assurance process at all? Code review? Internal audits? Vulnerability or penetration testing perhaps?

    Wow. Time for yet another forehead-shaped dent in my keyboard.

  4. Apple is not using Amazon or Microsoft infrastructure to host iCloud. They did for the first few months when iCloud was launched several years ago. Simply not true and hasn't been for three years.

    • Polsy · 333 days ago

      Sure they are, at least for mobile backups; my iPhone made multiple 'PUT https://eu-irl-00001.s3.amazonaws.com/.....' requests when I plugged it in just today.

      In any case while it doesn't hurt to raise awareness it's not particularly shocking (and indeed it isn't even mentioned in the talk abstract) that two-factor authentication doesn't apply to things when Apple already explicitly say that's the case.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.