According to the information that is now floating around it is clear the attackers exploited a flaw in the way the Find My iPhone API works and leveraged that against the constant backup that iCloud performs on a phone unless you opt-out. The flaw was not having a set number of failed password attempts before locking someone out. This was exacerbated by not having ANY system of notification for either the user or Apple. If any of these systems had been in place the image theft would not have happened. As we have stated before, it is Apple’s responsibility to keep their customer’s data safe.
To add a little more to the falsehood Apple is putting out there is even a commercial application that allows you to gain access to information stored in iCloud. It is produced by Elcomsoft and is called the phone password breaker. This application is just one of many that you can find if you do a search in some of the more shady parts of the internet. With EPPB you can grab data from the iCloud backup including pictures, texts, email information etc. after you have compromised the account.
Reading the description of the application we find that there are ways to access iCloud data with little more than a compromised desktop (a very simple task).
“The Forensic edition of Phone Password Breaker enables over-the-air acquisition of iCloud data without having the original Apple ID and password. Password-free access to iCloud data is made possible via the use of a binary authentication token extracted from the user’s computer.”
As we have seen it is a simple task to push out malware that allows for scavenging of very specific data from someone’s computer. However, even without the token EPPB has another way to gain access to iCloud data and rip out what you want. Under Features and benefits of this application it lists: “Perform advanced dictionary attacks with highly customizable permutations”. This is exactly how it is suspected the attackers gained entry.
In all the tool is a very sophisticated one that was designed for legitimate forensic uses and to help people recover data. If this software (or many other advanced forensic tools) were to get in the hands of malicious people it could enable them to do many bad things. We are not saying this was the tool used in the attack, but it is clear that there are tools out there that allow the data access that we saw in the iCloud attacks. Oh, and to add insult to injury, if you are thinking that two factor authentication will help Elcomsoft has this to say: “The given feature is confirmed to work even for acconts with Apple's two-step verification enabled, but does NOT work for Microsoft Live! accounts that use 2FA.”
Some food for thought as you think about what you have stored in the iCloud or any other cloud application.
Tell us what you think in our Forum