Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
ElcomSoft's Phone Forensics Software Offers Near Real-Time Access to iCloud Backups
- Thread starter MacRumors
- Start date
- Sort by reaction score
Apple should be sending the backups encrypted as if it was in iTunes. It's not enabled by default, but it should be if iCloud is being used. But knowing Apple, they wanted it to be easy and painless for the customer to restore an iCloud backup. Apple will need to address this and they're probably going to make you use your iTunes ID username and password + a different encryption key/password to retrieve and unlock the data. More work, but better security.
The funny thing is that this software needs access to the iTunes ID username/password. IF not, they don't have access. And they say it's trivial to get it the iTunes ID. All they need is the unencrypted local backups in iTunes. Again, they need to get into your machine to get that data. How they get local backups is beyond me, but if they have local access to a computer, then how is it Apple's fault? I agree Apple needs to send the backups encrypted. But that's all they can do. Weak iTunes passwords and backing up your iPhone on trojan infected machines doesn't make Apple at fault. And when law enforcement has physical access to your computer, all bets are off. Any computer with any OS without full disk encryption can have the data siphoned easily.
The funny thing is that this software needs access to the iTunes ID username/password. IF not, they don't have access. And they say it's trivial to get it the iTunes ID. All they need is the unencrypted local backups in iTunes. Again, they need to get into your machine to get that data. How they get local backups is beyond me, but if they have local access to a computer, then how is it Apple's fault? I agree Apple needs to send the backups encrypted. But that's all they can do. Weak iTunes passwords and backing up your iPhone on trojan infected machines doesn't make Apple at fault. And when law enforcement has physical access to your computer, all bets are off. Any computer with any OS without full disk encryption can have the data siphoned easily.
So someone has to have your password to get into your iCloud account, which is how iCloud works in the first place.
Someone can theoretically get your password out of an iTunes backup. If someone has access to your Mac's filesystem, you've got bigger problems, and they probably already have access to all the information you had in iCloud anyway.
Someone can theoretically get your password out of an iTunes backup. If someone has access to your Mac's filesystem, you've got bigger problems, and they probably already have access to all the information you had in iCloud anyway.
Mattie Num Nums
macrumors 68030
Why aren't you mad at Apple for having such security flaws. This is Apples MO after all. Ignore all security issues until the media blows it up, then point the finger for 2 months, then quietly release a security fix with no explanation.
anjinha
macrumors 604
What security flaws? If someone has my iCloud password they can simply restore an iPhone with my iCloud backup. And if they have physical access to my iTunes backup it means they have my computer which has all the data in iCloud anyway!
Yeah, but remember, they have to know your username & password. It all comes down to that. If somone knows your username/password, then by design, they can get anything.
For example: If I knew your iCloud username & password, I could get any iphone, wipe it, then restore it with YOUR data from the iCloud backup, no Russian forensic software required.
Edit: would you look at that, the person who posted 2 minutes before me said the same thing.
koolmagicguy
macrumors 6502
It's not a security bug. Logging in with the right user ID and password isn't a flaw.
----------
Yes, but a subpoena should be required. No one should have to wonder or fear if they're being spied upon.
yeah cause from the respected institutions of the U.S. come products from apple that put the collective data of millions of people at risk from security attacks...🙄 I would think that a bunch of hackers exposing the security flows of network software are more benign than a multibillion dollar per quarter corporation who isn't putting due diligence in their products and services to protect their users.
Why the hell are they paying $50 million to some sales guy from dixons who up until recently had problems locating a barbershop and not dropping a few couple of hundred to get said jailbirds to be to protect their users paying them their hard earned cash to enjoy a service that won't put their personal data at risk?
We 've heard everything than assignment of responsibility to apple in these thread: corrupt russians, internet privacy laws, the inherent lack of security of cloud services... cloud services are secure unless of course you eff it up as apple have apparently done, and they are repeat offenders after mobileme. I don't see any outrage though from most people towards apple as their private data is right now exposed to anyone who knows their way around hacking. Guess it's all a ok then. 600,000 macs with flashback and doors wide open to icloud storage. No problemo.
There is no issue here, they require you user and password. Even if apple encrypted the backups with the same user I'd and password they could just restore it to a different device.
The issue is look after you I'd and password and it's not a problem.
The only way to prevent this all together is limiting iCloud restores to the original device I'd only. Then you would have to perform a tethered restore to a new device.
The simple fact is if someone really wants your data your not really going to stop them.
The issue is look after you I'd and password and it's not a problem.
The only way to prevent this all together is limiting iCloud restores to the original device I'd only. Then you would have to perform a tethered restore to a new device.
The simple fact is if someone really wants your data your not really going to stop them.
Calm down everyone.
This requires PHYSICAL ACCESS to your computer. If they have that it's basically game over anyway.
If you're around they can just hit you with a $2 wrench until you'll tell them your passwords anyway.
This requires PHYSICAL ACCESS to your computer. If they have that it's basically game over anyway.
If you're around they can just hit you with a $2 wrench until you'll tell them your passwords anyway.
Illegal? You don't like that because you do not control it. Typical american reaction to ban/declare as axis of evil/etc if something important is not playing their rules.
----------
Reading too much of XKCD, fella 😀 Me too 😀
there's flashback for that. 🙂 And who knows what other malware that have not become widespread. You think these guys and other hackers or law enforcement can't get to your mac and get your apple id password? Lol, think again. OS X security is a joke in the industry. It's that most people wouldn't want or care enough to get your apple id anyway.
roadbloc
macrumors G3
Either way, I'm sure it'll be easily found on torrent sites soon enough. If you know what you're looking for, anything is easily found on sites such as TPB.
lol, the ns of a is spying on pretty much all of humanity 24/7 but as long as a few russian hackers put up a piece of security software, made possible by the rubbish security holes of apple it's the axis of evil that's the problem.
Wake up and smell the coffee: Apple is sending their backup unencrypted, this is not a security bug, this NO consideration for basic encryption security.
Aetles
macrumors regular
Since having access to your Apple ID is the way to restore from cloud backup, then it seems quite logical that anyone with access to your Apple ID could access your backup.
But still, it's a good thing in general that people are concerned.
No, I can't imagine hackers or other bad guys could get a hold of those kind of tools, or developing them themselves.
For now maybe. But what if they push for a warrantless access?
The classic argument for any increased surveillance and control. But what if they claim your doing wrong when you're actually not? Like, use your smartphone to record video.
But still, it's a good thing in general that people are concerned.
No, I can't imagine hackers or other bad guys could get a hold of those kind of tools, or developing them themselves.
For now maybe. But what if they push for a warrantless access?
The classic argument for any increased surveillance and control. But what if they claim your doing wrong when you're actually not? Like, use your smartphone to record video.
If Apple ruined "secure" cloud services with iCloud, then services like Dropbox, Google Drive, etc should be added to the list. None offer encryption locally. If someone has a Google username/password they can see a persons data easily so therefore it's Google's fault for not protecting their users, right?
It's Apple's fault for not allowing encryption, I agree with that. But it's no ones fault but the user for having weak passwords, uploading unencrypted sensitive files to the cloud, and working on unpatched and unencrypted operating systems whether it's Windows, Linux, OS X or whatever you use.
Again I do agree that Apple needs to step their security game up, but it's not as bad as you make it seem.
Peace
Cancelled
Having access to someone's username AND password is something that happens almost never. And this software doesn't and can't get your password remotely over the Internet.
Actually I don't fully understand the purpose of this software other than to hack a users cloud/ cellphone to get other potential passwords. You need a password for this software to even work. It's what happens after you have physical access to a users computer/cellphone that this software is ever useful.
And after walking through what this actually does I find the software to be almost vapor ware and sensationalist bordering on MR spam.
I repeat . This software does not sniff Internet packets.
As far as I understand apple don't offer encrypted transfers in icloud though, and last time I heard:
Points well taken for the rest of what you are saying. 🙂 There's also a element of fault from the users perceptive.
My problem is that like I said before apple isn't operating out of Steve's garage anymore, they have a vast, vast user database and thus responsibility. If they want to treat security issues the way they have done before, as another user pointed out that is, being exposed by a third party, staying silently or denying or misattributing the issue, then silently fixing it after a few months, if at all, then now is not the time to do what with the way their user base has grown and the added risk of cloud storage.
And you know what else, apple currently have tons, ********s of money, they could probably singlehandedly put Europe out of recession, that's the amount of money they have, what they shouldn't have, or rather shouldn't be allowed to have right now is any more excuses.
And in other news if someone has your:
ATM card and PIN they can steal money from your account!
Gmail email address and password they can read your mail!
Wak by your mailbox and open the lid they can steal your snail mail!
Wifi access point password they can steal your Internet services or worse!
😱 😱 😱
ATM card and PIN they can steal money from your account!
Gmail email address and password they can read your mail!
Wak by your mailbox and open the lid they can steal your snail mail!
Wifi access point password they can steal your Internet services or worse!
😱 😱 😱
Peace
Cancelled
Exactly.
If you have a username and password to any iCloud account you can do the exact same thing this software does without the software.
Unless youre walking around with a tshirt with your apple id and password on it i honestly doubt youll have a problem [tinfoil] but you'd better check your window just in case a dark van with 'ELCOMSOFT' is waiting to break into your home!? Also id be very suspicious of that local russian family that moved in next door, theyre probably sniffing your packets as you read this. QUICK! MICROWAVE YOUR HDD! [/tinfoil]