May 31, 2013
Apple’s Two-Step iCloud Authentication Deemed Unsecure By Third-Party Security Firm
Michael Harper for redOrbit.com — Your Universe Online
Apple recently rolled out two-step authentication check for iCloud to protect users from having their account info changed without an additional, one-time password. They were a tad late to the game, however, as companies like Dropbox, Google, Facebook, Twitter and others have already implemented this additional security step for their users.Now that security researchers have had enough time to scour Apple´s methods for this two-step authentication and give it a test drive, it´s been found to be less secure than the others. ElcomSoft, a Russian security software company, claimed in a blog yesterday that Apple´s security measures only protect users from having account info like passwords and billing address from being accessed or changed. If this information is already compromised, or if a hacker is able to gain physical access to your iPhone, however, this two-step measure could be essentially worthless. ElcomSoft even went so far to say that Apple´s two-step authentication process, as it currently exists, is not a “finished product.”
Vladimir Katalov with ElcomSoft put Apple´s security measures to the test and found it lacking. To begin, Katalov takes issue with the optional nature of this two-step authentication, especially considering the incredibly important information stored in iCloud. As Mat Honan discovered last year, an iCloud hack could give cyber thieves access to nearly all of your digital life.
Going further, Katalov found that even when a user chooses to turn on two-step authentication, this doesn´t protect iOS backups or iCloud data, like calendars, mail or photos.
“In its current implementation, Apple´s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device,” writes Katalov.
“In addition, and this is much more of an issue, Apple´s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user´s Apple ID and password to download and access information stored in the iCloud.”
This is frighteningly easy to verify, unfortunately. Any user can log into the iCloud website and see their data, and if the login credentials have been compromised, this means any hacker can have access to the same information. During their tests, ElcomSoft was able to gain access to iCloud data without ever running into any two-step authentication barriers. Even when this feature is turned on, Apple sends the unlock PIN to the iPhone´s lock screen rather than sending it through an iMessage or text message. This means any hacker with physical access to the phone only needs the login credentials to have complete control of an iCloud account.
“In ElcomSoft´s opinion, this is just not the right way to do this from a security point of view. iCloud has been exploited in the past and will be exploited in the future,” says ElcomSoft.
To be fair, any Apple ID or iCloud account is as secure as its password. It´s also true that one must trade some convenience to gain some security. Any two-step measure is more complicated by its very nature.
The most secure way to lock down an iCloud account is to simply change passwords every few weeks or so, using strong and secure passwords each time. Yet as this is likely a little too inconvenient for most (and very hard to remember), measures like two-step are a helpful way to keep users protected. It seems Apple´s method, however, isn´t doing much to protect users at all.