Apple’s Two-Step Authentication Doesn’t Protect Your iCloud Backups


Apple’s two-step authentication process is designed to make your Apple ID more secure. When you attempt to reset a password or make other account changes, a separate verification code is sent to a trusted iOS device (or trusted phone number) you registered when you turned the feature on. That code is then used to verify that you are who you claim to be before you’re allowed to make any changes.

Many big tech companies have offered two-step authentication for quite some time, and Apple’s process is only a couple months old.

Now that security researchers have had time to dig through Apple’s implementation of two-step, some problems have surfaced. Once the Apple ID and password of an account with two-step authentication enabled are compromised, nothing stops an attacker from downloading the account’s iCloud data, including device backups: the second factor gates account changes, not access to the data itself.

ElcomSoft, a company that specializes in password cracking software, has published a new report highlighting the security holes in Apple’s two-step authentication process:

In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device. In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud. This is easy to verify; simply log in to your iCloud account, and you’ll have full access to everything stored there without being asked for any additional logon information.

In ElcomSoft’s opinion, this is just not the right way to do this from a security point of view. iCloud has been exploited in the past and will be exploited in the future.


Two-step turns a blind eye to backups.

The report goes on to demonstrate how knowing an Apple ID’s login details grants full access to device backups stored in iCloud. ElcomSoft was able to download a backup using only the ID and password, without ever being prompted for a two-step verification code. The physical iOS device that the backup came from wasn’t needed either; ElcomSoft simply restored the downloaded backup onto a new, untrusted device.
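The design gap ElcomSoft describes is a step-up authentication policy that covers account-management actions but not the data those accounts protect. The following added example models that gap and its fix; it is illustrative code written for this article, not Apple’s or ElcomSoft’s, and the action names, the `Session` structure and the two policy tables are assumptions chosen to mirror the article, not any real API.

```python
from dataclasses import dataclass

# Hypothetical model of a cloud-account service (example only; not Apple's code).
# A session records which factors the caller has presented so far.


@dataclass(frozen=True)
class Session:
    user: str
    password_verified: bool
    second_factor_verified: bool  # verification code from a trusted device entered


class StepUpRequired(Exception):
    """Raised when an action needs the second factor and the session lacks it."""


# Every action an attacker holding only the Apple ID and password would want.
# (Action names are assumed for the example.)
SENSITIVE_ACTIONS = (
    "reset_password",
    "change_account_settings",
    "download_icloud_backup",
    "restore_backup_to_untrusted_device",
)

# Flawed policy, as the article describes it: the second factor is demanded
# for account changes only. True means "requires second factor".
FLAWED_POLICY = {
    "reset_password": True,
    "change_account_settings": True,
    "download_icloud_backup": False,
    "restore_backup_to_untrusted_device": False,
}

# Hardened policy: anything that exposes user data, or moves it onto a device
# the user has not trusted, is gated exactly like an account change.
HARDENED_POLICY = {action: True for action in SENSITIVE_ACTIONS}


def authorize(session: Session, action: str, policy: dict) -> bool:
    """Return True if the session may perform the action under the policy.

    Unknown actions are denied outright (default deny) so that a newly added
    endpoint cannot silently bypass the step-up check.
    """
    if not session.password_verified:
        raise PermissionError("password not verified")
    if action not in policy:
        raise PermissionError(f"unknown action {action!r}: default deny")
    if policy[action] and not session.second_factor_verified:
        raise StepUpRequired(action)
    return True


def unguarded_actions(policy: dict, sensitive: tuple) -> list:
    """Audit helper: sensitive actions the policy lets through on password alone."""
    return sorted(a for a in sensitive if not policy.get(a, False))


def simulate_password_only_attacker(policy: dict) -> dict:
    """What an attacker who knows only the ID and password can do under a policy."""
    # The attacker never has a trusted device, so the second factor is absent.
    attacker = Session(user="victim", password_verified=True,
                       second_factor_verified=False)
    outcome = {}
    for action in SENSITIVE_ACTIONS:
        try:
            authorize(attacker, action, policy)
            outcome[action] = "allowed"
        except StepUpRequired:
            outcome[action] = "blocked"
    return outcome


if __name__ == "__main__":
    for name, policy in (("flawed", FLAWED_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, simulate_password_only_attacker(policy))
        print(name, "unguarded:", unguarded_actions(policy, SENSITIVE_ACTIONS))
```

The point of `unguarded_actions` is that the check belongs in a test run against the policy table, not in a reviewer’s memory: any endpoint that returns user data and is not in the step-up list should fail the build, which is the review that would have caught the iCloud backup gap.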

Another issue is that Apple pushes two-step verification codes to the trusted device as a notification that can appear on its lock screen, so anyone holding the phone can read the code without unlocking it. An attacker would need physical access to the device for that to work, however. ElcomSoft suggests that the code not be shown on the lock screen at all, so that the user has to enter the device’s unlock passcode before it becomes visible.

“For the record, I’d like to say that Apple’s approach in implementing two-factor authorization does not look like a finished product,” said Vladimir Katalov of ElcomSoft in the report. “It’s just not as secure as one would expect this solution to be.”

It’s important to note that the attack described above requires the attacker to already hold the victim’s Apple ID and password, so it is a concern for someone being specifically targeted rather than a way to break into accounts at random. Still, two-step authentication exists precisely to limit the damage of a stolen password, and no data stored on the internet can be guaranteed safe from compromise.

Apple’s two-step authentication feature is currently available in the United States, UK, Australia, Ireland, New Zealand, Mexico, Germany, Netherlands, Russia, Austria, Brazil, Belgium, Portugal, Italy and Poland. Two-step authentication can be enabled under your Apple ID’s “Password and Security” settings on the web.

  • technochick

    What a pile of FUD. It only sends it to your lock screen if you were dumb enough to have that on. And if someone knows your password you have a bigger issue than whether or not they need to verify a device to load a backup (which is a tad impossible since you have to load the backup before you can see things like that verification message).

  • rosenkrieger

    So let me get this straight. If someone knows my Apple-ID and my secure Password, they are able to download a backup?! OH NO!

    Sorry, but this is a bunch of bull….

    And the so-called Security Specialist should know that Messages are only displayed if you have the Preview set to YES. In my case I first have to UNLOCK to see the message in full and therefore the PIN.

  • Gregory Wright

    I’m not following the point this article is trying to make. I mean, the whole point of security is using a strong password and keeping one’s password secret. Without the password a hacker cannot reach one’s backups stored on iCloud. Am I missing something?

  • Raoul Miller

    Two-factor support is broken the way it is implemented. If someone tries to get into your account and Apple resets your password, you have lost access to your account unless you have the printed RK key created when you set it up. Having access to the SMS device, emails, security question answers, credit card # and address on account doesn’t matter – you are locked out of everything in iCloud with no way to recover. Do not use two-factor auth in its current state.

About the author

Alex Heath is a senior writer at Cult of Mac and co-host of the CultCast. He has been quoted by the likes of the BBC, KRON 4 News, and books like "ICONIC: A Photographic Tribute to Apple Innovation." If you want to pitch a story, share a tip, or just get in touch, additional contact information is available on his personal site. Twitter always works too.
