Apple iCloud two-factor authentication does not seal it off from hackers

Vladimir Katalov, a Russian security expert, revealed that Apple's iCloud and Find My Phone services are not protected by two-factor authentication, which adds an additional security layer underneath the standard username and password.

This means that hackers can download the data of a user that is stored on iCloud remotely without the user even knowing of the transfer.

Katalov revealed his discovery in the Hack In The Box security conference held in Kuala Lumpur, Malaysia. Katalov's talk, entitled Cracking and Analyzing Apple's iCloud Protocols, focused on the fact that user data and information stored on iCloud is not as protected as Apple is saying.

The iCloud data of Apple users contains data backup, including documents, confidential user information and media such as pictures and videos.

The issue is very relevant today due to the reported celebrity picture hack that obtained a massive collection of intimate pictures of several celebrities that were supposedly obtained through the iCloud accounts of the affected celebrities.

Katalov said that a hacker does not need the user's device to gain access to a user's iCloud account. The hacker only needs the Apple ID and password of the user.

Katalov also added that users are not able to encrypt their iCloud data on their own. While the data itself is encrypted, the keys are also stored within the iCloud data, with Apple holding the encryption keys.

Why does the user not know that data is already being downloaded from his or her iCloud account? This is because when a remote download is made, no notification email is sent to the user. This bypasses the procedure of an email notification being sent to the user when the user performs a download of the iCloud backup through the device.

Another revelation that Katalov made is that Apple stores iCloud data on servers of Microsoft and Amazon. With Apple providing full request information to these two storage providers, Apple could forward the data on the iCloud to law enforcement if requested.

According to Katalov, the best thing that users can do to protect the data that they have stored on iCloud is to simply not use the service for confidential data such as intimate pictures.

In a statement released by Apple, the company expressed its outrage over the hack that targeted certain celebrities.

"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone," the company wrote in the statement.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics