Kuala Lumpur, Malaysia- The Russian security researcher Vladimir Katalov analyzed Apple's iCloud and discovered that his phone is not protected by two-factor authentication. There is even worse though. His data iCloud they can download the computer to anyone who has the skills, without the owner of the data ever learning it.
In “Cracking and Analyzing Apple's iCloud Protocols,” held in a packed room at the conference Hack In The Box last Thursday in Kuala Lump, Malaysia, Vladimir Katalov revealed that the data of Apple's iCloud users is not as safe as the company claims.
A malicious attacker only needs an Apple ID and password to get iCloud backups - without having to connect to the victim's device. The researcher explained that there is no way for a user to encrypt their data in iCloud.
The data is already encrypted, he explained, but the keys are stored together with the data. Katalov added that Apple keeps the encryption keys.
The security researcher reported to ZDNet ότι όταν βρέθηκε μπροστά από το τεράστιο security gap συγκλονίστηκε, αφού ανακάλυψε ότι except of all of them, Apple's iCloud data is stored on Microsoft and Amazon servers.
During his presentation, Katalov pointed out that because Apple places its user data on third-party storage providers (Amazon and Microsoft), it could very well give this data to the Authorities.
In July, Apple announced (after revelations about the NSA PRISM surveillance program) that there are no backdoors in its systems and does not give access to government services.
When one user downloads his data from iCloud, he will receive an e-mail informing him that the process is complete.
Katalov thus discovered that if someone downloaded their data by skipping Apple directly from the servers that they store, the owner does not receive any email notification.
Katalov's research is the first publicly released analysis for Apple's iCloud service.
The researcher analyzed Apple's iCloud service and Find My Phone by performing sniffing on http traffic from jailbroken devices – although they don't need to be jailbroken to exploit the vulnerabilities. The analysis of the motion reported in the packed room was not difficult.
In his analysis, Katalov found that the files stored in iCloud were the way Apple used to store them, ie as - plist and content - (plist and content).
However, the two-factor authentication of Apple, used with AppleID and a password, was not necessary for iCloud backups as well as for Find My Phone.
Katalov proved to the audience of Hack In The Box that in a very simple way he can access iCloud, retrieve data, backup IDs, and encryption keys. Then one can download the files stored in Windows Azure or Amazon AWS.
When asked if he had presented his findings to Apple, he explained that his findings were the results of protocol analysis – and not a vulnerability issue. In other words, the iCloud security hole is one feature and not a bug!
Read the latest again "is a feature and not a bug”And think about who such a feature might serve.
