But, don't you need the username and password?

"While the Apple ID and password must be known in order to access the iCloud data"

If you got that, why does it matter? Or is that you just can't delete the backups completely? That part would stink regardless of this silly software. A subpoena would force Apple to hand this over anyway, right?

Right, and if I had a username and password why would I need their crappy software? Plus, why would anyone trust a company who sold software designed to steal "other people's" information (quotes used cuz you are also one of the others they are probably exfiltrating data from).

Trust no one.
 
Why are some people claiming iCloud doesn't encrypt information before sending it?

According to Apple, iCloud information is fully encrypted when sent over the internet. I can confirm this, as according to Little Snitch all my iCloud connections are done through TCP port 443 (https).
 
Assume that if you have data on a computer connected to the internet that the data are not secure.

This is why you buy an external hard drive and keep your sensitive data unplugged and only access it when disconnected from the net, or on a machine that's always disconnected from the net.

Assume anything online is not private. That's why I use iCloud for syncing only, and do not back up all my data there.
 
Hmm. I don't get it. One billion people reveal far too much about themselves on Facebook. And 30 people in here care about their sensitive data. So please tell me. Did you discover the cure for cancer, the meaning of life or have you just written the next best seller? What is it that is so secret about your life that you absolutely need it offline? And that takes a lot of storage space?
 


The only way to prevent this altogether is limiting iCloud restores to the original device ID only. Then you would have to perform a tethered restore to a new device.


Trouble is that if you are using iCloud backups, iTunes doesn't automatically do backups when you sync. And given that 99% of users either never sync or wouldn't know how to manually do a backup, your method is basically saying they better never change devices.

----------

How is it Apple's fault that 60k people were idiots and gave the trojan their admin password?

No one has found a payoff for Flashback other than hijacking web ads to send the referral money to the creators, so having Flashback could be moot on this matter.
 
I am a huge fan of Apple. They are innovative, unique and run a great business.

Now for the truth.

I absolutely HATE the fact that Apple is leading the way with killing physical media. I am SO tired of having to download software, movies, and music to my device from a distant location. Steve Jobs played a major part in this when he refused to put a BD player in Mac products.

I am tired of not having control of the things that I either Pay for to use, or OWN.

Oh, and I am a HIFI audio enthusiast. You will not sell me on downloading a movie from Apple TV or DirecTV. The sound/picture quality is about 65% of the BD discs I collect.
 
How about requiring authentication that an iOS device is the one requesting the data?

You can use UDIDs to verify it's an iOS device, maybe even MAC address, and pair those with a specific, unknown User Agent string. Bam.

That doesn't work if it's new hardware. The number one reason for backing up is to protect yourself in the case of hardware failure.
 
I think people are missing the point here a bit. The problem is that, once someone has acquired your Apple ID and password through whatever means (be it physical access to your device, phishing, or exploiting some security flaw), they can continually track the data on your phone remotely without you knowing about it. For example, they can track your phone calls from the "recent" list, downloaded emails from non-Apple mail services, non-iCloud calendar data etc. And all that is conveniently delivered from the cloud in unencrypted incremental updates ...
 
I have been saying these cloud storage services are not secure since day one, but no one agreed with me...

You and me both. I don't allow any of our machines to use iCloud or anything like it.

----------

Unless you're walking around with a T-shirt with your Apple ID and password on it I honestly doubt you'll have a problem [tinfoil] but you'd better check your window just in case a dark van with 'ELCOMSOFT' is waiting to break into your home!? Also I'd be very suspicious of that local Russian family that moved in next door, they're probably sniffing your packets as you read this. QUICK! MICROWAVE YOUR HDD! [/tinfoil]

I have my secret mountain fortress surrounded by 300 ninja fighting pigs to protect me from things like this...

(he-he, you think I joke...!)
 
Why are some people claiming iCloud doesn't encrypt information before sending it?

According to Apple, iCloud information is fully encrypted when sent over the internet. I can confirm this, as according to Little Snitch all my iCloud connections are done through TCP port 443 (https).

I didn't have a forum account, but after reading this post I had to create one. Yes, while your data is encrypted in transit to Apple's servers via SSL, please don't interpret this as your data being encrypted at both end points. The SSL tunnel wraps around the data in order to prevent it being captured in transit. If the data is unencrypted on your computer/iPad it is sent unencrypted inside this SSL tunnel. Apple does encrypt this data on their storage servers, but only with your username and password, which in the majority of the cases is weak to the point of non-existent. Easily brute forced and fully accessible to Apple, who own the encryption keys. This is a false sense of any real security.

I've seen others in this thread state if you are stupid enough to allow someone access to your computer then you deserve to have data accessed. But how many people bring their devices to the Genius Bar or say Best Buy for computer service? One of the questions they ask is for your password to your computer, which is valid in most cases. If these people rely on iTunes backups, which do not require encryption unless there is a configuration profile on the device, very few will select to encrypt it. With that being said, all you need is a shady employee and they have access to your data. Not only that, Apple's products are just as susceptible to viruses and worms as Windows machines. A craftily written attack can easily capture keys typed and transmit data that looks like an Apple ID and password. A lot of people don't have the common sense to know what not to do to prevent these acts, it's just the facts of life. Apple could do things to tighten down security, but don't in the name of simplicity. That is irresponsible. I'm all for simplicity, but not at the cost of security.

This is why I do not trust ANY cloud service unless I can pre-encrypt the data myself before transfer to the internet.
 
Is this worse than your ISP knowing every website you visit?
Is it worse than Google reading every single search query you execute?
Is it worse than Google reading every email that involves Gmail?
Is it worse than your phone company keeping a list of every phone call you make?
Is it worse than your phone company keeping a list of every text message you send?

And nothing says that what you sync with iCloud isn't encrypted as you send it. But it's probably not stored on Apple's servers as encrypted data. But even if it was stored encrypted, you can buy a device from Apple that could decrypt it: an iPhone/iPad.

The point of iCloud is that I can use any device to access all of my data. I only have to login (I can even use the iCloud website).

Since the description says they require your Apple ID and password, it sounds like all they're doing is logging in AS YOU and looking at everything you sync.

If 'they' have your username and password, then the game is over. You lose.
 
A subpoena would force Apple to hand this over anyway, right?

Most companies don't require a court order or warrant to hand over info. They do it to "cooperate" with "authorities". Just mention national security, terrorism, homeland security, etc, and they roll over. AT&T has routinely handed over user records with no court order. Not sure what Apple does, but don't assume that companies are safeguarding your data. Read the TOS - they reserve the right to share data with law enforcement at will.
 
Is this worse than your ISP knowing every website you visit?
Is it worse than Google reading every single search query you execute?
Is it worse than Google reading every email that involves Gmail?
Is it worse than your phone company keeping a list of every phone call you make?
Is it worse than your phone company keeping a list of every text message you send?

It most definitely is. Most of this information (with the exception of email messages) is not accessible to everyone who manages to steal your password and buys an $80 piece of software from Elcomsoft. Besides, you would reasonably expect that a communications company can access your communication data. But do most people expect that almost everything on their device, including data they have never consciously uploaded anywhere, can be accessed remotely if they use iCloud Backup?

Why does Apple not offer people who are concerned about this the option to encrypt the data on the device before it is uploaded, using a separate key or password? This is possible with iTunes Sync, why not with iCloud Backup?
 
Though I agree with the spirit of what you're saying...

One more reason to question internet laws.

Law punishes crime. If it was such a great deterrent, no one would speed. Law isn't the only thing that needs to change. People need to take responsibility for the resources they use, including the way they use them.

----------

But do most people expect that almost everything on their device, including data they have never consciously uploaded anywhere, can be accessed remotely if they use iCloud Backup?

So they have never uploaded their data, but they have uploaded their data to iCloud backup?

You just demonstrated the education problem. People think devices are made of magic. They don't understand that uploading to iCloud, is uploading, even if it's a backup.

----------

Dude, they need to know the username+password in order to get in!!

That software seems pretty pointless to me tbh...
And also, shouldn't it be illegal?

The article says "more and more people use that kind of software to acquire user information" etc etc, isn't that illegal..?

Actually if you get the professional version it will attempt passwords for you (using the processors in the graphics card even).

Take a look for yourself.
 
So they have never uploaded their data, but they have uploaded their data to iCloud backup?

You just demonstrated the education problem. People think devices are made of magic. They don't understand that uploading to iCloud, is uploading, even if it's a backup.

Yes, it is in part an education problem. Not everybody has (or wants to have) an understanding of the technical background. But there is also a certain lack of transparency even for technologically savvy users. We don't know exactly what is included in the backup and what isn't. And it may change too. For example, when it came out last year that Apple was caching a year's worth of location information on the device that could be used to track a user's movement, they changed the backup procedure to exclude that information from the backup.
 
Sure they do. But unless you are going to limit access to only the original UDID, what's to stop me from grabbing any old device and signing in to restore that backup? Plus perhaps your purchase lists etc.

You'd have to have each specific UDID, limiting it to only criminals with vast amounts of money and a massive botnet, or legit customers.
 
I didn't have a forum account, but after reading this post I had to create one. Yes, while your data is encrypted in transit to Apple's servers via SSL, please don't interpret this as your data being encrypted at both end points.

[....]

I'm all for simplicity, but not at the cost of security.

This is why I do not trust ANY cloud service unless I can pre-encrypt the data myself before transfer to the internet.

Great first post, I completely agree. It's like you can use a secure courier to deliver a parcel, but that doesn't stop it being stolen if the sender or recipient leave it lying around before or after it's in transit.
 
You'd have to have each specific UDID, limiting it to only criminals with vast amounts of money and a massive botnet, or legit customers.

I need exactly ONE UDID. Yeah, vast amounts of money required to get that...
 