Researcher continues exploring iCloud security, some media outlets continue to overreact

Russian security researcher Vladimir Katalov gave a talk last week at Hack in the Box security conference detailing his findings on Apple's iCloud protocols. Katalov's research highlights several shortcomings in iCloud's security model, including the fact that iCloud data is not protected by the two-step verification system Apple rolled out earlier this year.

Katalov's talk seems to be largely based on research he initially discussed this past May. The primary concern raised is that even if a user has two-step verification turned on, an attacker could download an iCloud backup from Apple's servers even if they "only" possess a victim's Apple ID and password. If a malicious person is able to obtain your Apple ID and password, and they possess software capable of downloading iCloud backups (like the kind that Katalov's own company sells starting at $1,399), they will be able to retrieve your backed-up iCloud data. The only way to prevent an attacker in possession of those credentials and tools would be to not use iCloud.

Despite what many sites are reporting, this isn't some new vulnerability that's just been discovered. Katalov even said as much on his site back in May:

Is it a newly discovered security flaw? No, not really. Is Apple misguiding its customers? No: their two-step authentication process does exactly what they say it does.

Over time we will continue to see Apple improve security for people and their data. Two-step verification was introduced earlier this year as a way to stymy criminals who were abusing stolen Apple IDs to commit fraud. Two-step verification has significantly increased the difficulty of such an attack. It's clear that the system is not without its shortcomings, but hopefully in time we will see Apple continue to refine and enhance their security.

Have something to say about this story? Leave a comment! Need help with something else? Ask in our forums!

Nick Arnott

Security editor, breaker of things, and caffeine savant. QA at POSSIBLE Mobile. Writes on about QA & security, and as @noir on Twitter about nothing in particular.

More Posts



← Previously

Imagining the iPad 5 and iPad mini 2: What we expect Apple to cover next!

Next up →

Tired of waiting in the BBM for iOS line? Turns out there's a proxy-based skip for that!

Reader comments

Researcher continues exploring iCloud security, some media outlets continue to overreact


After Mat Honan's last year piece about how his life was hacked starring Apple and Amazon, I think there is no such thing as overreacting, and worse than overreacting is this overprotection of poor Apple, the eternal "victim of the media".

Let people worry and complain, its best for them, and best for Apple in the long run.

I see your point it is better for them in the long run. Highlighting the flaws and having the public know about it pushes them to do something. However there is overreacting. It is the same as the story about the Touch Id being spoofed, hacked or tricked. A story that will scare the general public into staying away from a useful tool. The forensic level of precision needed means that it is not something that will happen often if ever. This is similar because not only would the perpetrator need to have very expensive software but they would also need the Apple ID and password. Something that will not come together often.

Sent from the iMore App