Apple Two-Factor Authentication and the iCloud

May 30th, 2013 by Vladimir Katalov

Some time ago, I wrote a blog post on hacked Yahoo!, Dropbox and Battle.net accounts, and how one compromised account can start a chain reaction. Companies seem to be starting to recognize the threat, and are beginning to protect their customers with today’s cutting-edge security: two-factor authentication.

A word on two-factor authentication. In Europe, banks and financial institutions have been doing this for decades. Clients need to enter an extra piece of information from a trusted medium, in addition to their account credentials, in order to authorize a transaction such as transferring money out of their account. For many years, banks used printed lists of numbered passcodes serving as Transaction Authentication Numbers (TANs). When attempting to transfer money out of your bank account, you would be asked to enter passcode number X from the list. If you did not come up with the right code, the transfer would not execute. There are alternatives to printed TANs, such as single-use passwords sent via text message to a trusted mobile number, or interactive TANs generated with a trusted crypto token or a software app installed on a trusted phone.
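As an added illustration (not code from the original post or from any bank), here is a minimal server-side model of the numbered TAN list described above: the server picks which index the client must answer with, each code is single-use, and a code captured for one index is useless when a different index is challenged. Class and method names are assumptions.

```python
import hashlib
import hmac
import secrets


class TanList:
    """Model of an indexed, single-use TAN list (assumed design, not a real bank's).

    Codes are stored hashed, the server chooses the challenged index, and a
    code can only be consumed once, so a captured TAN does not help an attacker
    unless the bank happens to challenge exactly that index.
    """

    def __init__(self, codes):
        # Indices 1..N mirror the numbering on the printed list.
        self._hashes = {i + 1: hashlib.sha256(c.encode()).hexdigest()
                        for i, c in enumerate(codes)}
        self._used = set()        # indices already consumed
        self._pending = {}        # transaction id -> challenged index
        self.failures = 0         # wrong answers, for lockout/alerting

    @staticmethod
    def generate(n=10, digits=6):
        """Produce a fresh list of n numeric codes (constructed sample data)."""
        return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(n)]

    def challenge(self, txn_id):
        """Pick an unused index for this transaction and return it to the client."""
        unused = sorted(set(self._hashes) - self._used)
        if not unused:
            raise RuntimeError("TAN list exhausted; a new list must be issued")
        idx = unused[secrets.randbelow(len(unused))]
        self._pending[txn_id] = idx
        return idx

    def verify(self, txn_id, tan):
        """Check the client's answer; a wrong or replayed answer cancels the transaction."""
        idx = self._pending.pop(txn_id, None)
        if idx is None:
            return False  # no outstanding challenge for this transaction
        given = hashlib.sha256(tan.encode()).hexdigest()
        if not hmac.compare_digest(self._hashes[idx], given):
            self.failures += 1
            return False
        self._used.add(idx)  # single use: this index is never challenged again
        return True


if __name__ == "__main__":
    codes = TanList.generate(5)
    bank = TanList(codes)
    idx = bank.challenge("transfer-1")
    print("bank asks for TAN #", idx, "->", bank.verify("transfer-1", codes[idx - 1]))
```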

Online services such as Microsoft or Google implement two-factor authentication in a different manner, asking their customers to provide a second piece of identification when attempting to access their services from a new device. This is supposed to prevent anyone stealing your login and password from gaining access to your account from devices other than your own, verified PC, phone or tablet.

The purpose of two-factor authentication is to prevent parties gaining unauthorized access to your account credentials from taking any real advantage of them. Passwords are way too easy to compromise. Social engineering, keyloggers, trojans, password re-use and other factors contribute to the number of accounts compromised every month. An extra step in the authorization process involving a trusted device makes hackers’ lives extremely tough.

At this very moment, two-step authentication is being implemented by major online service companies. Facebook, Google and Microsoft already have it. Twitter is rolling out two-factor authentication too.

A recent story about a journalist’s Google, Twitter and Apple accounts being compromised and abused seems to have started Apple on pushing its own implementation of two-factor authentication.

Two-Factor Authentication: The Apple Way

Apple’s way of doing things is… different. Let’s look at their implementation of two-factor authentication.

According to Apple, two-step verification is an optional security feature requiring Apple users to verify their identity via one of their trusted devices before they can do any of the following:

  • Signing in to My Apple ID to manage their Apple account
  • Making iTunes, App Store, or iBookstore purchases from a new device
  • Receiving Apple ID-related support from Apple

Apple stipulates that “Turning on two-step verification reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account.” But is this implementation enough to secure personal information of Apple users? According to our research, Apple did a half-hearted job, still leaving ways for the intruder to access users’ personal information bypassing the (optionally enabled) two-factor authentication.

No Two-Factor Authentication for iOS Backups and iCloud Data

You can trade a little security for a bit of convenience. Then sacrifice some more security for some extra convenience. Then buy even more convenience at expense of security. There’s nothing particularly bad in this tradeoff in non-mission critical applications, but where should it stop? Apparently, Apple decided to maintain its image as being more of a “user-friendly” rather than “secure” company.

In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device. In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud. This is easy to verify: simply log in to your iCloud account, and you’ll have full access to everything stored there without being asked for any additional logon information.

In ElcomSoft’s opinion, this is just not the right way to do this from a security point of view. iCloud has been exploited in the past (see Norwegian Teenagers Hacking iCloud Accounts) and will be exploited in the future.

Geographic Restrictions

Even that half-hearted two-factor authentication scheme has not been rolled out globally as of yet. Initially, the two-step verification process was only available to Apple customers from the U.S., UK, Australia, Ireland, and New Zealand. Mexico, Germany, Netherlands, Russia, Austria, Brazil, Belgium, Portugal, Italy and Poland were added to the list of supported countries later on; however, as of this writing, the feature was still not in fact available, at least in Russia.

Playing Hacker

Let’s play hacker for a moment. Let’s say we have valid Apple ID and password information obtained by playing some dirty trick on a teenage girl. She has two-factor authentication enabled, as you can see by logging into her Apple account at My Apple ID.

Clicking on “Manage your Apple ID” and entering her login and password, we can see that two-factor authentication is indeed enabled on that account:

[Screenshot 1]

Apparently, if we want to initialize a new Apple device and start buying stuff from iTunes or Apple Store, we would have to receive a verification code on a trusted device:

[Screenshot 2]

[Screenshot 3]

As you can see, the verification code is delivered right to the user’s lock screen via the Find My iPhone protocol (well, that’s not exactly a protocol, but an iCloud feature/service). This in itself is a concern, as anyone holding the device could read the verification code without having to enter the correct passcode.

You read it right: the verification code appears on the lock screen. This is not a text message, but rather a message delivered via Find My iPhone; it is the same mechanism as when you lose your iPhone and use this service to send a notification to the current “owner” of the device asking them to return it. Apparently, if the Find My iPhone service is disabled, the code is sent as a text message instead (at least according to the Apple Knowledge Base).

The reason for this, as we see it, is simple. Text messages will not work for iPod and iPad devices, but one of those could be the only Apple device you have. The Find My iPhone service will, however, work for either device.

Whatever the reasoning, the current implementation of two-factor authorization is clearly an afterthought. While the choice of the Find My iPhone service is understandable, Apple should have implemented a way to prevent certain types of messages from being displayed on the lock screen. Having something like “You have a new message. Please unlock your screen to see it.” would be nice.

However, regardless of two-step authentication settings, backups and documents are still accessible from anywhere. We can restore an offline or iCloud backup onto a new Apple device (or use Elcomsoft Phone Password Breaker to download it and access it on a computer) without ever being asked for the second passcode. Here’s how.

Using Elcomsoft Phone Password Breaker to Download Teenage Girl’s Private Photos from the iCloud

Yep, this can be done. We can access her iCloud backup even though two-factor authentication is enabled for that Apple account. Here’s how.

Use Elcomsoft Phone Password Breaker to sign into the iCloud account using her logon credentials:

[Screenshot 4]

You’ll then select her Apple device from the list:

[Screenshot 5]

The information will be downloaded to your computer:

[Screenshot 6]

And you’ll get to see her personal stuff! All you need is some software that can browse and analyze offline iTunes backups, such as iBackupBot or the more advanced Oxygen Forensic Suite (see the Phone Password Breaker FAQ). For more information on iCloud backups, see iCloud backups inside out.

Here was the photo from the backup. Sorry, we decided not to publish it after all :)

What about that teenage girl? Her private photos ended up in public access.

Using a Fresh iPhone to Restore Someone Else’s Backup from the iCloud

Now, what if we don’t want to bother with Elcomsoft Phone Password Breaker, and just want to restore everything from the iCloud onto a new device? In this case, all we need is still her login and password. No two-factor authentication kicks in during the process.

So let’s take a fresh phone and restore it from the iCloud (sorry for these low-res pictures; it is not technically possible to take screenshots during the iPhone restoration process):

[Screenshot 7]

We’ll have to supply the correct Apple ID and password:

[Screenshot 8]

Agree with Apple’s terms of service and their Privacy Policy (let’s not make any jokes about it now):

[Screenshot 9]

Choose the most recent backup:

[Screenshot 10]

Wait a bit…

[Screenshot 11]

And make sure that everything has been restored correctly:

[Screenshot 12]

As you can see, nowhere in the process of restoring the new device from an iCloud backup was I asked for anything but the Apple ID and the password. Apple’s two-factor authentication did not come into play at any point.

One last thing to mention. After I restored a new, non-trusted device from the iCloud backup, I received an email from Apple:

Your Apple ID (xxx@xxxxxxx.com) was used to sign in to iCloud on an iPhone 4.

If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn more. 

While this is not related to two-factor authentication per se, this notification will at least let you know your information has been used to restore another device.

What about using Elcomsoft Phone Password Breaker? When I was using this product to download the backup instead of restoring it onto a new device, Apple did not send this email.

How Much Security Can We Trade for Convenience?

Apparently, Apple is torn between creating a secure environment and scaring away its customers by implementing security measures that are simply too tough.

iCloud access to documents is not yet integrated into the two-step verification process. As usual, Apple refuses to comment on anything concerning security, so we can only guess whether or not the two-step protection will be extended to cover information stored in the iCloud.

As we see it, there’s no big problem securing iCloud documents; a verification code can be delivered to the iOS user via a text message or as a push notification via the Find My iPhone service.

The situation with iCloud backups is more complex, and the solution is much less obvious. If legit customers are restoring their device from a backup, they normally have a valid reason such as initializing a brand-new device fresh from Apple store (Apple would certainly not want to scare them away), or restoring a device after a complete reset. Either way, at the time of the restore the device is not yet validated, so it’s not clear how exactly the pre-authorization step should be performed.

Conclusion

Is it a newly discovered security flaw? No, not really. Is Apple misguiding its customers? No: their two-step authentication process does exactly what they say it does. So what’s the deal?

For the record, I’d like to say that Apple’s approach to implementing two-factor authorization does not look like a finished product. It’s just not as secure as one would expect this solution to be. Don’t get me wrong; it’s not flawed or anything. It does everything that it claims to be doing (see above). What it doesn’t do, however, is protect users’ personal information stored in the iCloud from unauthorized access. It’s not on the spec list, either.

In addition, the choice of the Find My iPhone service, while understandable, is clearly an afterthought, as supposedly secure verification codes are displayed in plain view on the lock screen. Finally, despite Apple’s claims, two-factor authorization is not currently available in all countries listed. We tried enabling two-factor authentication for an Apple account based in Russia, and found no way to do this.

Finally, two-factor authentication is not a silver bullet. There are scenarios where two-factor authentication simply is not enough. But still, it is a good idea to enable 2FA on all your accounts.


Updated on June 1, 2013: if the [trusted] device is locked with a passcode, then the verification code does NOT appear on the lock screen. Instead, you get the “Unlock to view your verification code” message, and have to enter the passcode to get it. Sorry that I missed it.



15 Responses to “Apple Two-Factor Authentication and the iCloud”

  1. artesea says:

    After downloading the iCloud backup to a blank phone, do you then get the “Find My iPhone” push message to the screen when attempting the 2-Factor Auth at say MyAppleID?

  2. Joe says:

    Are you saying that a newly restored device (by our hacker) is automatically signed in to Find my iPhone, and receives the verification code, thus giving them full access to the account with only a username and password as long as they have a device to restore?

  3. artesea: you will get the push message, but at the old (trusted) device. The devices are identified by their unique hardware IDs (fortunately).

    Joe: the new device is signed into Find My iPhone automatically only if the old one (you made the backup from) was; but again — no, verification code is still being sent to old device only. Otherwise, Apple’s 2FA would be completely fake :) But it’s not — it works exactly as described in Apple KB article.

  4. Buster Blocker says:

    A few omissions of fact from this article need to be addressed :

    1. What happens when a user has an encrypted iOS backup? Since there is no mention of an attempt to download and install an encrypted backup, it is entirely reasonable to assume your ‘hack’ fails. If this is true, then it necessarily means this is a biased article written to frame a predetermined conclusion. While it is true many users do not avail themselves of all the security available to them, it is quite misleading for you to omit details of security that are available and if those options would make a user more secure instead of less.

    2. You make no mention that Google’s two-factor system also puts the code on the iPhone lock screen. This is an important material fact, yet you make a willful choice to omit it. This adds to the evidence this is a biased article crafted to fit a pre-determined conclusion and not any kind of scholarship.

    3. No mention is made how you are – in all probability – violating many Federal and State wiretapping laws were you to do this in the wild. This is also an important material fact as it speaks directly to the risk/reward ratio factoring into the decision of whether or not a ‘hacker’ would even attempt such a thing in the first place. I daresay no ‘hacker’ is going to run the risk of ‘hacking’ Walt the postman’s iPhone unless the profit from such actions is great. In short, you have not addressed the fact that while your system is possible, why would one want to do so?

    4. Declaring that Apple’s two-factor authentication is not as secure as it could be, without revealing all the facts, is reaching a dubious conclusion at best. After reading this article it is readily apparent this is what you want to happen, but not necessarily what is. Unless and until you report what happens when the iOS backup is encrypted you have not told the entire story, nor presented all possible facts.

    5. Apple has made no secret of the fact they make choices about their products to make iOS and Mac OS X easy to use for the vast majority of not-so-tech-savvy users. You do not mention this fact, either. After all, how many of us are walking around with national security secrets on our iPhones, or the nuclear launch codes on our iPads? Missing from your analysis is the simple fact that the level of security on iOS really is good enough for the vast majority of the users. As I have mentioned earlier, there are additional measures that are available should one choose to use them, if what one has is truly worth protecting. My 10:00 appointment at the vet? Not so much.

    Once all the facts are in and impartially reported this has the makings of being a fair critique of the way Apple is approaching security. As it sits, it is sloppy scholarship, trite, and horribly biased.

  5. Buster Blocker, thanks for your comments.

    Please note that only local iOS backups are encrypted (protected with a password). Backups stored in iCloud are NOT encrypted. Oh well, they are. But the encryption key is stored along with the backup data, and can be easily extracted, and that’s what our Elcomsoft Phone Password does: it decrypts the backup on the fly right when downloading.

    Next, I have not covered any legal aspects, right. And I was not going to :) That’s another topic. This article is only about security.

    Finally, I should confess that I love Apple products. I am using iPhone for years — since iPhone 3GS; I also have about a dozen of other Apple devices: iPad, iPad Mini, TimeCapsule, Mac Mini, MacBook Air, MacBook Pro, Apple TV etc (not counting all the accessories). And in general, I am quite happy with the level of security iOS and MacOS X provide. That does not mean that I don’t want them to become even better ;)

  6. Kevin says:

    From what I understand, if someone has your username and password then you’re in big trouble.

    Let’s observe some scenarios both within technology and the real world that follow this dilemma:

    credit card and pin, goodbye money
    email address and password, goodbye emails and privacy
    home or car lock and keys, goodbye belongings

    I believe that was your approach to this whole thing. If someone has your Apple ID and password then you’re in trouble. Of course you’d be. Two-step verification isn’t the issue at this point. It’s that you’ve given them the two items that even you need to access personal and private information.

  7. Kevin, I [partially] agree with you.

    Of course you’re in trouble if your ID (any one, not just Apple’s) and password is leaked. But that’s where 2FA should help, and that’s why most of the services are implementing it nowadays. We just wanted to note that Apple’s implementation is not perfect.

  8. Michael says:

    Has there been any recent activity with Apple, in securing icloud with 2 step? Kind of makes me nervous. I have a difficult password, but who knows who might hack it. I keep confidential legal files in icloud. The whole security key thing is bizarre; that I have to keep it written down in a safe place. Google does this so much more efficiently. I sort of think Apple can’t be trusted with preserving or securing my data. When they switched over from MobileMe I didn’t retrieve my data in time and lost everything.

  9. Michael,

    Unfortunately, we have not heard about any updates on that. Apple has much better authentication for “iCloud keychain” (introduced with iOS 7 and Mac OS X 10.8), but that’s the only good news. The documents stored in the iCloud are still protected with the Apple ID only (and not encrypted; well, they are, but the encryption key(s) are stored along with the files).

  10. Clippingimages says:

    You have a done a fantastic job. I am impressed of your work. Keep it up.

  11. Awais Ali says:

    Is there any software or any solution for cracking icloud id ???
    I mean if i forgot y id password then how can i get my phone to the menu ???
    Bcoz itune is asking for Apple id and Pasword
    So if anyone knows it plz reply

  12. Awais Ali — sorry, no way. You can, however, reset your password to Apple ID:

    http://iforgot.apple.com

  13. Global says:

    Hi Vladimir,
    i want to know if i purchase the Elcomsoft Phone Password Breaker
    i have the apple id and password
    after i download the backup form i cloud i can…..

    1) i can view all the picture in my pc??
    2) view all whatsapp backup in my pc?

    all i want to know is made sure i pay for this breaker i can get what i want.

  14. Global,

    If an iCloud backup is available for the specific account, then yes, you can download all pictures, as well as WhatsApp conversations.

  15. sylvie says:

    It is a nice Tool to recover MS Office password but you can also apply office password recovery which is a powerful office recovery Tool to retrieve forget and lost password from the System. It is very effective and fast retrieval Tool which gives easy solution to the user.
