Researcher continues exploring iCloud security, some media outlets continue to overreact

Russian security researcher Vladimir Katalov gave a talk last week at Hack in the Box security conference detailing his findings on Apple's iCloud protocols. Katalov's research highlights several shortcomings in iCloud's security model, including the fact that iCloud data is not protected by the two-step verification system Apple rolled out earlier this year.

Katalov's talk seems to be largely based on research he first discussed this past May. The primary concern is that two-step verification does not cover backup retrieval: an attacker who has "only" a victim's Apple ID and password can download that person's iCloud backup from Apple's servers, whether or not two-step verification is turned on. Anyone who obtains your Apple ID and password and has software capable of downloading iCloud backups (like the kind that Katalov's own company sells starting at $1,399) can retrieve your backed-up iCloud data. The only way to keep an attacker who holds both the credentials and the tools away from that data is not to use iCloud.
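To make the coverage gap concrete, here is a small added model of an account service whose second-factor requirement is enforced per endpoint. It is not Apple's code or protocol and not Katalov's tooling; the endpoint names, the two policy tables and the session shape are assumptions made for illustration. The audit function lists what a password-only caller can still reach, which is the check a reviewer would run when rolling out a second factor: the weak policy leaves the backup download open, the hardened one closes it.

```python
"""Added example: per-endpoint second-factor policy and a coverage audit.
Not Apple's implementation; endpoints and policies are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What a caller has proven so far: the password, and optionally a second factor."""
    account: str
    has_password: bool
    has_second_factor: bool = False


# Hypothetical endpoint catalogue, mapped to a policy class (constructed sample).
ENDPOINTS = {
    "change_password": "account",
    "purchase": "account",
    "download_backup": "data_export",
    "read_contacts": "data_export",
}

# Weak policy: the second factor gates account changes only; bulk exports
# are reachable with the password alone. This is the gap the article describes.
WEAK_POLICY = {"account": True, "data_export": False}

# Hardened policy: any bulk data export also requires the second factor.
HARDENED_POLICY = {"account": True, "data_export": True}


def authorize(session: Session, endpoint: str, policy: dict) -> bool:
    """Return True if the session may call the endpoint under the given policy."""
    if not session.has_password:
        return False
    needs_second_factor = policy[ENDPOINTS[endpoint]]
    return session.has_second_factor or not needs_second_factor


def password_only_reachable(policy: dict) -> list:
    """Audit: every endpoint a caller holding only the password can reach.
    Anything listed here is unprotected by the second factor."""
    probe = Session("victim@example.com", has_password=True)
    return sorted(e for e in ENDPOINTS if authorize(probe, e, policy))


if __name__ == "__main__":
    print("password-only reach, weak policy:    ", password_only_reachable(WEAK_POLICY))
    print("password-only reach, hardened policy:", password_only_reachable(HARDENED_POLICY))
```

The useful part is the audit, not the policy tables: when a second factor is introduced, enumerate every operation that moves user data and confirm each one is gated, rather than assuming the login screen is the only door.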

Despite what many sites are reporting, this isn't some new vulnerability that's just been discovered. Katalov even said as much on his site back in May:

Is it a newly discovered security flaw? No, not really. Is Apple misguiding its customers? No: their two-step authentication process does exactly what they say it does.

Over time we will continue to see Apple improve security for people and their data. Two-step verification was introduced earlier this year to stymie criminals who were abusing stolen Apple IDs to commit fraud, and it has significantly increased the difficulty of that kind of attack. The system is clearly not without its shortcomings, but hopefully in time we will see Apple continue to refine and extend it.

Nick Arnott

Security editor, breaker of things, and caffeine savant. QA at Double Encore. Writes on neglectedpotential.com about QA & security, and as @noir on Twitter about nothing in particular.

There are 4 comments.

Carioca32 says:

After Mat Honan's last year piece about how his life was hacked starring Apple and Amazon, I think there is no such thing as overreacting, and worse than overreacting is this overprotection of poor Apple, the eternal "victim of the media".

Let people worry and complain; it's best for them, and best for Apple in the long run.

Ipheuria says:

I see your point; it is better for them in the long run. Highlighting the flaws and having the public know about it pushes them to do something. However, there is overreacting. It is the same as the story about Touch ID being spoofed, hacked or tricked. A story that will scare the general public into staying away from a useful tool. The forensic level of precision needed means that it is not something that will happen often, if ever. This is similar because not only would the perpetrator need to have very expensive software, but they would also need the Apple ID and password. Something that will not come together often.

Sent from the iMore App

Neo Jit says:

Apple is always giving the best. The cloud looting problem does not exist only at Apple; sites like Facebook, Yahoo, Amazon and PayPal are always facing these problems. A year ago Yahoo's 1 million plus records were hacked by someone. Thanks for your post.
http://appvsgame.com

HOLERNIYI says:

How can I break Apple ID on iPhone? Please, I need your help on this.