Apple iCloud security exploit is a concern, experts say

Jennifer Lawrence Cloud services are in the spotlight after naked images of Jennifer Lawrence and others were leaked online

Related Stories

Apple's iCloud facility, which stores iPhone and iPad users' photos and personal data, has a "fundamental security flaw", an expert has warned.

The online service is under scrutiny after intimate images of celebrities were stolen and leaked.

It has emerged that a security measure called two-step verification, which is recommended by Apple, can be bypassed using easily available software that allows access to iCloud back-ups.

Apple declined to comment.

The program still requires hackers to know the user's email address and password, and there is no clear evidence that it was used in the recent breaches.

Start Quote

It's like double locking your front door and leaving the window open”

End Quote Prof Alan Woodward University of Surrey

Two-step verification - which requires a user to type in a short code sent by Apple to their phone or tablet in order to access their account - is supposed to offer an extra level of protection.

On Tuesday, Apple suggested its customers "always use a strong password and enable two-step verification" after it acknowledged that some of its accounts had been compromised by a "very targeted attack".

But one expert said Apple had given people "a false sense of security".

Technology magazine Wired first reported that software from a Russian firm, ElcomSoft, was being mentioned on a hackers discussion group as a useful tool for infiltrating iCloud accounts.

The program, marketed to law enforcement agencies, claims to offer access to iCloud content without the operator needing to be in possession of the iPhone or iPad concerned.

It uses a system devised by Moscow-based computer programmer Vladimir Katalov, which downloads copies of iCloud data.

It is not known whether the facility was utilised by those who stole naked images of Jennifer Lawrence and others.

Vladimir Katalov Vladimir Katalov said his software can be used for both "good and bad"

But Mr Katalov told the BBC that, although he could not be "100% sure", he believed the software was used in the recent celebrity hacks, as ElcomSoft's program is "the only one able to do that".

He added that while his company "didn't like it much" when the software was used for illegal purposes, it had sold the system to individuals, as well as authorities.

Security expert Mikko Hypponen told the BBC the issue lay in the design of Apple's two-step verification system, which he believed was "implemented only to protect your credit card".

Start Quote

Many users would rather have their credit card numbers stolen than their private photos”

End Quote Mikko Hypponen Security expert

"It doesn't require two-factor authentication when you just want to access the photo roll, or if you want to restore the back-up," he said.

Using ElcomSoft's program, he added: "I can use my computer to extract files from your online back-up - something you can't do yourself".

Indeed, Apple's own page on two-step verification explains that it protects:

  • The My Apple ID webpage, where users can manage their iCloud account
  • App Store, iTunes or iBooks Store purchases from a new device
  • Getting Apple ID-related support

It does not mention any protection for photos, contacts or calendar entries, which are all backed up to iCloud.

Apple Apple's two-step verification tool makes it difficult for hackers to reset users' passwords

However, the BBC understands that it does protect against hackers trying to use the "forgotten password" facility on Apple's website.

Usually, people who have forgotten their login details can regain access to their accounts by entering the answers to some personal questions - and this process cannot be exploited when two-step verification is enabled.

But Mr Hypponen said that by focusing on protecting payments and IDs, Apple might have misjudged what customers care about.

"For many users they would rather have their credit card numbers stolen than their private photos," he said.

'Chinks in armour'

Other security experts said Apple's advice about two-step verification was possibly misleading.

"There is a danger in suggesting that two-step verification is an umbrella that will protect, because obviously that is not the case," said David Emm, a senior analyst at Kaspersky Lab.

BBC At a 2013 conference in Vienna, Mr Katalov showed how he could access iCloud back-ups

"There are chinks in the armour which could potentially be exploited."

Mr Emm added that he was concerned by the fact that ElcomSoft's software has been around since 2012.

"I think [the vulnerability] has probably been raised several times," he said, and the fact that Apple had not beefed up its two-step verification system was "a surprise".

However, he emphasised that overall: "It's clear that Apple does take security seriously."

Prof Alan Woodward, a computer security expert at the University of Surrey, said the holes in Apple's two-step verification system amounted to a "fundamental security flaw" and that it was "like double locking your front door and leaving the window open".

He added that the advice given by Apple "gives people a false sense of security".

But Mikko Hypponen said that iCloud was not the only service to have vulnerabilities.

"We don't really know if this is the only way in," he said.

"It's also highly likely that users not using Apple products were also targeted."

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.