Apple’s Two Factor Authentication Doesn’t Protect iCloud Backups Or Photo Streams

One of the common bits of advice you’ll see people giving you around this celebrity picture hack is to enable two-factor authentication on your accounts — including Apple’s. That’s good advice, but it wouldn’t have protected any of these celebrities and it doesn’t protect the other accounts that are compromised by hackers that are able to obtain an Apple ID email and password.

While Apple has offered two-factor authentication on accounts for some time now, there is an omission in that system that hackers are taking advantage of. iCloud backups are not protected by two-factor authentication, and can be installed on new devices with only an Apple ID and password.

Of course, that’s still a very big ‘only’. Your email and password are as much protection as almost any service on earth offers you by default — and once a hacker obtains those you’re probably in trouble in any case. The early evidence, and Apple’s statement on the matter, indicates that hackers obtained passwords through guessing security questions, social engineering, phishing or other ‘targeted’ attacks — rather than a leak of the password data itself by Apple. Notably, access to iPhone backups can also be accessed using an authentication token (a file created by iTunes) which can be obtained using malware or phishing — and which does not require a password at all.

But two-factor is billed by Apple and many security experts as a way to protect yourself from simple password theft. It requires that you have a code sent to your physical device to confirm that yes, it is you logging in to your Apple account.

However, Apple’s two-factor solution is actually incomplete. It does not cover many other iCloud services, including backups.

In fact, the only three things two-factor secures in iCloud are the following:

  • Signing in to My Apple ID to manage their Apple account
  • Making iTunes, App Store, or iBookstore purchases from a new device
  • Receiving Apple ID-related support from Apple

It does not, however, make you enter a verification code if you restore a new device from an iCloud backup. And that’s the design ‘feature’ that hackers are taking advantage of here.

Once they gain access to an Apple account, some are using the login and password to ‘restore’ an iCloud backup using an application by Elcomsoft called the Phone Password Breaker — exporting data including photos and more to a folder which they can then sift through.

Even if the hackers do not actually download the entire backup — or if there is no backup on the account — they still have access to a user’s Photo Stream at this point, which is also not protected by two-factor authentication.

So, even if all of the people who have had their photos compromised had two-factor enabled, their iCloud backups and Photo Streams would still be accessible.

If you thought this was a vulnerability that was fresh and new for Apple — that it wasn’t aware of this loophole — you’d be incorrect. The fact that Apple’s iCloud backups are not protected by two-factor authentication has been known for over a year.

Security researcher Vladimir Katalov (who works at Elcomsoft, imagine that) presented his findings on the iCloud protocol, including what portions of iCloud are protected by two-factor authentication, at the Hack In The Box security conference late last year — and posted about the issues as early as May of last year. Not to mention coverage by Ars Technica, ZDnet and again today by TUAW.

Screen Shot 2014-09-02 at 3.20.56 PM

The best thing that Apple could do right now is expand its two-factor security to cover all iCloud services, not just account resets and purchases from new devices. Asking someone to enter another form of identification on a restore or when logging into an account from a new device or location would be good next steps. It’s important to note that there have been rumors of Apple increasing the scope of two-factor to include other iCloud services, but those have not yet been implemented.

On the user front, all of the standard pieces of advice still apply. Use a complex password, do not share it with anyone, use a private email if at all possible for your ID — one you also don’t share with anyone. Don’t click on links in emails if at all possible, don’t share personal information over social networks if at all possible and use completely incorrect or random answers to password reset questions.

For users that don’t have two-factor enabled at all, doing that will definitely add a layer of security to your account if you don’t have it already — but if thieves are able to obtain your password then that will not protect your backups at this time. In its statement about the hacking incidents, Apple recommended two-factor authentication to increase account security.

Apple did not respond to a request for information about expanding its two-factor authentication.