iCloud two-factor protection, security flaw or deliberate choice?

iCloud could not properly protect the user’s data despite the implementation of a two-factor protection.

Millions of users access to the iCloud to store their data such as photos, music and documents and Apple has tried recently to improve their security introducing in March a two factor authentication system … Do users really know the security mechanisms that protect their data?

Last week I wrote a post on benefits and limits of a two-factor authentication process, the reflections made rise serious questions on possible incorrect implementations of security mechanism.

I started remarking to be deeply opposed to the storage of my information on a system of which I know very little as it can be any Cloud architecture managed by an enterprise.

 

The two-factor authentication has been introduced by Apple to preserve the use of user’s Apple Id for fraudulent purchases but it seems not sufficient to protect user’s files stored in the cloud.

The discovery has been done by researchers at ElcomSoft, a Russian company specialized in the providing of forensics software for cracking passwords and system auditing, in a post recently issued.

In case an attacker is able to access to user’s account credentials despite the Apple adopted a  two-factor verification he is anyway able to access data stored in user’s iCloud account.

The ElcomSoft CEO Vladimir Katalov has written in the post:

“In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device,” “In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud. This is easy to verify; simply log in to your iCloud account, and you’ll have full information to everything stored there without being requested any additional logon information.”

“In ElcomSoft’s opinion, this is just not the right way to do this from a security point of view. iCloud has been exploited in the past (see Norwegian Teenagers Hacking iCloud Accounts) and will be exploited in the future.”

“To me the story here is all about Apple offering a 2FA [two-factor authentication] solution that doesn’t really add much extra security for you (files, documents etc), but it protects them (and you) from unauthorized money transactions and changes to your account,”

Although Apple hasn’t introduced the two-factor authentication to reinforce security of data stored in the iCloud architecture the flaw has puzzled researchers because the security mechanism not protect user’s data.

The security mechanism prevents in fact attackers from resetting a user’s iCloud password,but it doesn’t impede them from accessing data stored in an account. Apple two-factor authentication allows an attacker to restore backed up iPhone or iPad data to a new device or delete them permanently.

 

 

Resuming the 2FA solution added by apple doesn’t provide extra security for data, on the contrary it adds a wrong perception of security to the users which could have serious consequences.

Probably the flaw found in the Apple implementation of 2FA in not casual but it is the compromise between level of security ensured to the users and usability of the solution.

Other 2FA solutions such as the ones implemented by Microsoft or Google request customers to come up with a “second piece of an ID when attempting to access their services from a new device” to prevent anyone stealing user’s credentials.

“The purpose of two-factor authentication is to prevent parties gaining unauthorized access to your account credentials from taking any real advantage.”

The CEO of Duo Security, a firm specialized in providing of two-factor authentication services, commented the technical choice with following statement:

“It’s a worthwhile discovery,” “It’s good for people to know and understand that their account is not 100-percent protected by this new feature that rolled out. But I don’t think it’s an unaddressable limitation, and to be fair to Apple, I don’t know if this was ever intended to protect this model.”

Pierluigi Paganini

(Security Affairs – Apple iCloud, 2FA)