In March, Apple was praised for introducing the option of two-factor authentication for AppleIDs. But on Thursday a security researcher noted some glaring weaknesses in what Apple has implemented so far. While Apple users can require a regular password and a four-digit passcode in order to gain access to their devices and accounts protected by an AppleID, this does not cover access to iCloud, according to Vladimir Katalov, CEO of Elcomsoft Software.
On the company’s blog, CrackPassword, Katalov writes of how he and his team were able to access a user’s backups (including photos) and documents, and were able to restore an iCloud backup onto a new Apple device without being asked for the second mode of security, the four-digit passcode, even with two-factor authentication turned on:
In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device. In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud.
The Elcomsoft team used their own Phone Password Breaker software to sign into the targeted user’s iCloud account with the Apple ID and password. Then, to look at that data, they say they just used software that can browse and analyze offline iTunes backups.
They were then able to restore an entire backup of the user’s device and iCloud data to a new iPhone without ever being asked for secondary security information — again, even though they say two-factor authentication was turned on.
The one way the unsuspecting user whose account is being targeted would know this was happening is via an automatically generated email from Apple letting them know that their Apple ID was used to sign onto a new device.
An Apple spokeswoman declined to comment on the article’s findings.
Obviously this is concerning for Apple users who assumed far more security from Apple’s recently introduced system. But the weaknesses, as Katalov points out, tend to come at the expense of convenience. Why aren’t you asked for your passcode when setting up a brand new device? Presumably so the purchase of new phones or replacement devices at Apple Stores can happen a faster and with fewer hiccups.
He points out that Apple isn’t promising more than it’s delivering, but concludes the company has much further to go to offer real protection for users from targeted hacking.
Updated at 11:52 a.m. PT with response from Apple.