iCloud two-factor protection, security flaw or deliberate choice?

June 2, 2013  By Pierluigi Paganini


iCloud could not properly protect the user’s data despite the implementation of a two-factor protection.

Millions of users access to the iCloud to store their data such as photos, music and documents and Apple has tried recently to improve their security introducing in March a two factor authentication system … Do users really know the security mechanisms that protect their data?

Last week I wrote a post on benefits and limits of a two-factor authentication process, the reflections made rise serious questions on possible incorrect implementations of security mechanism.

I started remarking to be deeply opposed to the storage of my information on a system of which I know very little as it can be any Cloud architecture managed by an enterprise.

iCloud 2FA

 

The two-factor authentication has been introduced by Apple to preserve the use of user’s Apple Id for fraudulent purchases but it seems not sufficient to protect user’s files stored in the cloud.

The discovery has been done by researchers at ElcomSoft, a Russian company specialized in the providing of forensics software for cracking passwords and system auditing, in a post recently issued.

In case an attacker is able to access to user’s account credentials despite the Apple adopted a  two-factor verification he is anyway able to access data stored in user’s iCloud account.

The ElcomSoft CEO Vladimir Katalov has written in the post:

“In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device,” “In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud. This is easy to verify; simply log in to your iCloud account, and you’ll have full information to everything stored there without being requested any additional logon information.”

“In ElcomSoft’s opinion, this is just not the right way to do this from a security point of view. iCloud has been exploited in the past (see Norwegian Teenagers Hacking iCloud Accounts) and will be exploited in the future.”

“To me the story here is all about Apple offering a 2FA [two-factor authentication] solution that doesn’t really add much extra security for you (files, documents etc), but it protects them (and you) from unauthorized money transactions and changes to your account,”

Although Apple hasn’t introduced the two-factor authentication to reinforce security of data stored in the iCloud architecture the flaw has puzzled researchers because the security mechanism not protect user’s data.

The security mechanism prevents in fact attackers from resetting a user’s iCloud password,but it doesn’t impede them from accessing data stored in an account. Apple two-factor authentication allows an attacker to restore backed up iPhone or iPad data to a new device or delete them permanently.

 iCloud backup

 

Resuming the 2FA solution added by apple doesn’t provide extra security for data, on the contrary it adds a wrong perception of security to the users which could have serious consequences.

Probably the flaw found in the Apple implementation of 2FA in not casual but it is the compromise between level of security ensured to the users and usability of the solution.

Other 2FA solutions such as the ones implemented by Microsoft or Google request customers to come up with a “second piece of an ID when attempting to access their services from a new device” to prevent anyone stealing user’s credentials.

“The purpose of two-factor authentication is to prevent parties gaining unauthorized access to your account credentials from taking any real advantage.”

The CEO of Duo Security, a firm specialized in providing of two-factor authentication services, commented the technical choice with following statement:

“It’s a worthwhile discovery,” “It’s good for people to know and understand that their account is not 100-percent protected by this new feature that rolled out. But I don’t think it’s an unaddressable limitation, and to be fair to Apple, I don’t know if this was ever intended to protect this model.”

Pierluigi Paganini

(Security Affairs – Apple iCloud, 2FA)



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Liberty Reserve suspension and impact on criminal underground

 Private currency exchange system Liberty Reserve was shut down by US law enforcement, it is considered most popular payment...