Apple’s 2-Step Authentication Leaves iCloud Data Unprotected, Says Researcher

According to security researcher Vladimir Katalov from CrackPassword, Apple’s recently introduced 2-step verification leaves iCloud data and device backups unprotected. The researcher details how his team at Elcomsoft was able to access a user’s backups and documents, and even restore an iCloud backup onto a new Apple device, without being asked for the second mode of security, i.e. the 4-digit passcode, even with 2-step authentication turned on.


The team used their own Phone Password Breaker software to sign into the targeted user’s iCloud account with the Apple ID and password. Then, to look at that data, they used software that can browse and analyze offline iTunes backups. Eventually, they managed to restore an entire backup of the user’s device and iCloud data to a new iPhone.

“Apple stipulates that ‘Turning on two-step verification reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account.’ But is this implementation enough to secure personal information of Apple users? According to our research, Apple did a half-hearted job, still leaving ways for the intruder to access users’ personal information bypassing the (optionally enabled) two-factor authentication”.

“In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device. In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud”.

Apple’s 2-step verification process is currently available to Apple customers from the U.S., UK, Canada, Australia, Ireland, New Zealand, Mexico, Germany, Netherlands, Austria, Brazil, Belgium, Portugal, Italy, Pakistan and Poland.