Security Researcher Claims Two-Step Verification from Apple Makes iCloud Data Insecure


By: Ali Raza  |   May 31st, 2013   |   Apple, News

Apple introduced two-step verification in the US and four other countries earlier in March, offering users “an optional security feature for your Apple ID,” which “requires you to verify your identity using one of your devices.” The Cupertino-based company later released the feature in several other countries as well, so users in other parts of the world could also use it. However, a security researcher from CrackPassword, Vladimir Katalov, has now claimed that Apple’s two-step verification actually makes iCloud data and device backups insecure. The researcher described how his team members at Elcomsoft gained access to users’ documents and backups. Katalov also revealed that his team restored an iCloud backup onto a new Apple device without going through the second verification step.

To break into the targeted user’s iCloud account, Katalov’s team used Phone Password Breaker, software they had developed themselves. “Then, to look at that data, they used software that can browse and analyze offline iTunes backups,” according to iPhoneinCanada. Finally, the team was able to restore the full backup of the user’s iCloud data and device to a new iPhone.

“Apple stipulates that ‘Turning on two-step verification reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account.’ But is this implementation enough to secure personal information of Apple users? According to our research, Apple did a half-hearted job, still leaving ways for the intruder to access users’ personal information bypassing the (optionally enabled) two-factor authentication.”

“In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device. In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud.”

If Katalov’s claim proves true, it would be a horrible situation for Apple: the iOS device maker is known for bringing in concrete solutions for its users, and a breach in its security would seriously damage its reputation.

Apple’s two-step verification is currently available to customers in the UK, US, Australia, Canada, New Zealand, Ireland, Germany, Mexico, Austria, Netherlands, Belgium, Brazil, Italy, Portugal, Poland and Pakistan.

Source: iPhoneinCanada

Photo: iPhoneinCanada