Apple’s two-factor authentication now protects iCloud backups
Apple has put fixes in place to its iCloud cloud storage service that now prevent an attacker from mining data from an iOS device backup stored in the cloud by gaining access to the user’s password—at least if that user has turned on Apple’s new two-factor authentication.
As we reported last week, iCloud previously did not use two-factor authentication to help protect backup data or the Find My iPhone service. This meant that the accounts of victims of social engineering attacks or those who used passwords based on personal data could be harvested of their backup data—allowing the attacker to gain access to photos, call records, SMS records, e-mail, and other personal data. Apple had said that it was moving to provide additional protection through two-factor authentication in advance of the release of iOS 8.
We tried accessing one of the accounts attacked during our testing just prior to the Apple event last week using Elcomsoft Phone Password Breaker, a forensic tool that uses a reverse-engineered version of Apple’s iOS backup protocols to extract backup data from an iCloud account. The account now has two-factor authentication turned on, and the attempt failed—it yielded an unspecified HTTP error.
However, for accounts that don’t have two-factor authentication—which at the moment makes up the vast majority of iCloud accounts—Elcomsoft’s tool was still able to retrieve phone backups and the data within them. This means that other tools that spoof the iOS backup protocol will also be able to “rip” backup data from iCloud accounts without the protection.
The bottom line: if you haven’t turned on two-factor authentication for your iCloud device and you use iCloud backups, now is the time to make sure you start.