Apple iCloud security exploit is a concern, experts say By Joe Miller

Technology Reporter Published duration 3 September 2014

image copyright AP image caption Cloud services are in the spotlight after naked images of Jennifer Lawrence and others were leaked online

Apple's iCloud facility, which stores iPhone and iPad users' photos and personal data, has a "fundamental security flaw", an expert has warned.

The online service is under scrutiny after intimate images of celebrities were stolen and leaked.

It has emerged that a security measure called two-step verification, which is recommended by Apple, can be bypassed using easily available software that allows access to iCloud back-ups.

Apple declined to comment.

The program still requires hackers to know the user's email address and password, and there is no clear evidence that it was used in the recent breaches.

Two-step verification - which requires a user to type in a short code sent by Apple to their phone or tablet in order to access their account - is supposed to offer an extra level of protection.

On Tuesday, Apple suggested its customers "always use a strong password and enable two-step verification" after it acknowledged that some of its accounts had been compromised by a "very targeted attack".

But one expert said Apple had given people "a false sense of security".

Technology magazine Wired first reported that software from a Russian firm, ElcomSoft, was being mentioned on a hackers discussion group as a useful tool for infiltrating iCloud accounts.

The program, marketed to law enforcement agencies, claims to offer access to iCloud content without the operator needing to be in possession of the iPhone or iPad concerned.

It uses a system devised by Moscow-based computer programmer Vladimir Katalov, which downloads copies of iCloud data.

It is not known whether the facility was utilised by those who stole naked images of Jennifer Lawrence and others.

image copyright Vladimir Katalov image caption Vladimir Katalov said his software can be used for both "good and bad"

But Mr Katalov told the BBC that, although he could not be "100% sure", he believed the software was used in the recent celebrity hacks, as ElcomSoft's program is "the only one able to do that".

He added that while his company "didn't like it much" when the software was used for illegal purposes, it had sold the system to individuals, as well as authorities.

Security expert Mikko Hypponen told the BBC the issue lay in the design of Apple's two-step verification system, which he believed was "implemented only to protect your credit card".

"It doesn't require two-factor authentication when you just want to access the photo roll, or if you want to restore the back-up," he said.

Using ElcomSoft's program, he added: "I can use my computer to extract files from your online back-up - something you can't do yourself".

The My Apple ID webpage, where users can manage their iCloud account

App Store, iTunes or iBooks Store purchases from a new device

Getting Apple ID-related support

It does not mention any protection for photos, contacts or calendar entries, which are all backed up to iCloud.

image copyright APple image caption Apple's two-step verification tool makes it difficult for hackers to reset users' passwords

However, the BBC understands that it does protect against hackers trying to use the "forgotten password" facility on Apple's website.

Usually, people who have forgotten their login details can regain access to their accounts by entering the answers to some personal questions - and this process cannot be exploited when two-step verification is enabled.

But Mr Hypponen said that by focusing on protecting payments and IDs, Apple might have misjudged what customers care about.

"For many users they would rather have their credit card numbers stolen than their private photos," he said.

'Chinks in armour'

Other security experts said Apple's advice about two-step verification was possibly misleading.

"There is a danger in suggesting that two-step verification is an umbrella that will protect, because obviously that is not the case," said David Emm, a senior analyst at Kaspersky Lab.

image caption At a 2013 conference in Vienna, Mr Katalov showed how he could access iCloud back-ups

"There are chinks in the armour which could potentially be exploited."

Mr Emm added that he was concerned by the fact that ElcomSoft's software has been around since 2012.

"I think [the vulnerability] has probably been raised several times," he said, and the fact that Apple had not beefed up its two-step verification system was "a surprise".

However, he emphasised that overall: "It's clear that Apple does take security seriously."

Prof Alan Woodward, a computer security expert at the University of Surrey, said the holes in Apple's two-step verification system amounted to a "fundamental security flaw" and that it was "like double locking your front door and leaving the window open".

He added that the advice given by Apple "gives people a false sense of security".

But Mikko Hypponen said that iCloud was not the only service to have vulnerabilities.

"We don't really know if this is the only way in," he said.

"It's also highly likely that users not using Apple products were also targeted."