No security system is foolproof.
On most of today's internet security systems, if someone knows your account name and the correct answers to three security questions plus the birth date you set, they can change your password and get full access to your account. That is unless you enable extra security such as 2-step verification.
 
:eek::eek::eek:

So if they downloaded the backup that means they downloaded everything on the phone such as contacts, passwords, locations etc?!?!?! .......
 
For a while, if you wanted to backup your contacts, you had no option but to use iCloud because Apple removed local sync to iTunes.
There were and are more ways to use, import/export, and backup contacts than iCloud or iTunes.
 
You're right, we design around what "could" happen, and in this case these celebrities were typical sheeple who live in lala land thinking the systems they use should be fool-proof (pun intended) instead of thinking about what "could" happen to the information they left less than fully protected.

So we should all wear tin foil hats and assume NOTHING is protected.
 
Simply not true. You can download iCloud backups if you have the email and password. That is the problem. The whole point of 2-factor authentication is if someone gets your username and password, they still couldn't access your information. In this case, Apple doesn't require 2-factor authentication which seems to be a huge problem since what you can access without it is your entire iCloud backup.

Again, having 2 factor authentication on does not matter. You can access iCloud backups without a need to authenticate other than with a username/password. This is the whole problem. Apple 2-factor authentication has serious loopholes because they don't always require it.

----------



Again, not true. As has been reported in many places, some of Apple's servers allowed brute force password attacks and did not lock you out. So all a hacker really needed was a username and they could run a script to figure out the password.


The way I understand it is:
2-factor authentication is only to grant access and modify credentials for Apple ID/iCloud services.

Setting up your Apple ID on a new device, changing your password or asking for a new password will need the 2-factor authentication (the only exception is Find My Phone).

Making and retrieving backups (with or without iTunes), buying apps or using or modifying your keychain, once the access to your Apple ID is granted on that device, will not need the 2-factor authentication. It will need your login/password though.
 
Actually, it has been reported that they were brute forcing passwords because Apple's Find My Phone servers didn't lock out multiple brute force attempts. Apple recently closed that loophole so clearly they were aware of it (it was reported to them over a year ago).

----------



Google solves this problem by giving you multiple one time use codes that you can keep offline. They also allow you to make a computer a trusted device. I don't see why Apple can't do something similar.
Again, seems like other methods were used in these particular cases, not all of which even involved iCloud/Apple.
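The post above describes offline one-time-use backup codes as a recovery path that does not fall back to security questions. As an added example (not code from this thread, Google or Apple), here is the defender-side pattern for such codes: generate them once, store only salted hashes, and consume each code on first successful use so a leaked or reused code is worthless. The `BackupCodeStore` class, the alphabet and the PBKDF2 parameters are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Alphabet without easily confused glyphs (0/O, 1/l/I) so codes can be read from paper.
# This alphabet is an assumption of the example, not any vendor's format.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count=10, length=8):
    """Return `count` random codes. They are shown to the user exactly once."""
    return [
        "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        for _ in range(count)
    ]


def _hash_code(code, salt):
    # Slow salted hash: a stolen database of code hashes cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, 100_000)


class BackupCodeStore:
    """Server-side record of a user's unused backup codes (hashes only)."""

    def __init__(self, plaintext_codes):
        self.salt = secrets.token_bytes(16)
        # Only hashes are kept; the plaintext list is never persisted.
        self.unused = {_hash_code(c, self.salt) for c in plaintext_codes}

    def redeem(self, submitted):
        """Accept a code once. Returns True on success, False otherwise."""
        candidate = _hash_code(submitted.strip().lower(), self.salt)
        matched = None
        for stored in self.unused:
            # Constant-time comparison avoids leaking which bytes matched.
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self.unused.discard(matched)  # single use: the code is now burned
        return True

    def remaining(self):
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]))   # True
    print("replay:", store.redeem(codes[0]))      # False, already consumed
    print("codes left:", store.remaining())       # 9
```

The important property is the second `redeem` call: even a valid code is rejected once it has been spent, and the store holds nothing that lets an attacker who copies the database log in.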
 
Again, seems like other methods were used in these particular cases, not all of which even involved iCloud/Apple.

I'm sure more than one method was used. It is doubtful there was one singular method used. But these photos range from recent to several years ago. These hackers used all of the exploits available to them surely. But the Find My Phone server exploit has been proven to have been real and was used by hackers. How many hackers used it we do not know. Apple has since closed the hole in the Find My Phone servers thankfully.

----------

The way I understand it is:
2-factor authentication is only to grant access and modify credentials for appleID/icloud services.
This is what makes Apple's use of 2-factor authentication so easy to circumvent since it isn't used but in a few places. I'm guessing Apple is working 24/7 at this point to change this really quickly.
 
I'm sure more than one method was used. It is doubtful there was one singular method used. But these photos range from recent to several years ago. These hackers used all of the exploits available to them surely. But the Find My Phone server exploit has been proven to have been real and was used by hackers. How many hackers used it we do not know. Apple has since closed the hole in the Find My Phone servers thankfully.

----------


This is what makes Apple's use of 2-factor authentication so easy to circumvent since it isn't used but in a few places. I'm guessing Apple is working 24/7 at this point to change this really quickly.
How does that make it so easy to circumvent?
 
So the hackers need your username/email address and password before they can use the EPPB software to access your iCloud backup.

I'm reading that 2FV doesn't secure the backup. But it does - if like me you have an exclusive 25-character meatware-only highly complex password for iCloud (hardly brute-forceable, though Apple should make that impossible anyway), since then, the only way to get a username and password would have been to guess the answers to the security questions, but with 2FV you don't get the security questions - instead you get asked for the recovery key on a trusted device. So surely 2FV will secure against this hacking?
 
Lets not forget this means more than just photos...

An iCloud Backup could be anything from 3 years ago.. including personal info, CC, addresses etc...

In addition to simple passwords, or even complex ones (depends how strong), I would bet these same credentials were used on multiple sites as well. Hence the hack.
 
Don't know if anyone is still following this, but I do have to say someone here posted this exact theory and it's the only one that made sense. Glad there are such intelligent people still on here, it helps justify reading despite the trolls.

http://finance.yahoo.com/news/originalguy-full-story-icloud-hacker-081044692.html

Apart from the devaluation in "OriginalGuy"'s trove, I'm pretty sure this guy plays the stock market and probably shorted the stock right before releasing this on a quiet Labor Day news circuit.
 
How does that make it so easy to circumvent?

Because things like Find My Phone and iCloud backups don't even use 2-factor authentication whether you enabled it on your account or not. 2-factor authentication is supposed to prevent hackers from accessing your account if your password is compromised. In this case, Apple has been prioritizing ease of use over security and not requiring 2-factor auth. However, despite their claims that nothing was done wrong on their end, I'm guessing they will be beefing up their security really quickly.
 
Because things like Find My Phone and iCloud backups don't even use 2-factor authentication whether you enabled it on your account or not. 2-factor authentication is supposed to prevent hackers from accessing your account if your password is compromised. In this case, Apple has been prioritizing ease of use over security and not requiring 2-factor auth. However, despite their claims that nothing was done wrong on their end, I'm guessing they will be beefing up their security really quickly.
But if 2-factor authorization is in place then the account can't be "hacked". If someone already obtained the password elsewhere then that's really the main issue, which is different and unrelated to Apple then.
 
But if 2-factor authorization is in place then the account can't be "hacked". If someone already obtained the password elsewhere then that's really the main issue, which is different and unrelated to Apple then.

Sure, it can be hacked. Find My Phone servers allowed brute force attacks for at least the past year until patched recently. And since all they needed was the password, 2-factor authentication didn't even come into play. The whole point of 2-factor authentication is even if someone has your password, there is nothing they can do to access your account. But we know that isn't true today because of Apple's implementation.
 
Hope you don't use iCloud backups.

If you do, I hope you consider everything on your phone public domain :)

Essentially you are saying it is incredibly stupid to use iCloud backups

Somehow I feel like Apple's intention isn't for iCloud backups to be public domain, otherwise I need to be changing my settings... and telling everyone I know too...

You are SUCH a genius! AND you need to start hanging with a group of more tech-savvy friends.



Beware of Trojans bearing [free iCloud] gifts. No, REAL Trojans.

:rolleyes:
:apple:
 
So we should all wear tin foil hats and assume NOTHING is protected.

After those Russians broke the SSL encryption I think it is a FACT that "NOTHING is protected".

Not to mention that even a janitor at an NSA building can access every cell phone around the world.
 
Indeed a violation of privacy, but not taking nudes in the first place could've definitely helped. :rolleyes:
 
I have to lol at your comment. Apple can't give/have evidence of the brute-force method because it's not possible: since there was no way to block this method in the first place, no counts would be stored.

Not very familiar with technology are you?

I hate to tell you this, but even if a count isn't being specifically stored somewhere and checked, you can still check *logs* to see if something has been happening. The only way to prevent the log from being created is to *not* take the action that triggers the log entry.

So, it's *quite* possible (likely to the point of near certainty) that Apple *can* have evidence about whether the brute force method was used.
 
Not very familiar with technology are you?

I hate to tell you this, but even if a count isn't being specifically stored somewhere and checked, you can still check *logs* to see if something has been happening. The only way to prevent the log from being created is to *not* take the action that triggers the log entry.

So, it's *quite* possible (likely to the point of near certainty) that Apple *can* have evidence about whether the brute force method was used.
Do you work with :apple:? Do you know this as a fact? If a count is not stored then a log is not stored on tries. You can see in logs where an IP entered the account, but the failed attempts will *quite* possibly not appear in the 'logs' you say.
 
Do you work with :apple:? Do you know this as a fact? If a count is not stored then a log is not stored on tries. You can see in logs where an IP entered the account, but the failed attempts will *quite* possibly not appear in the 'logs' you say.

You apparently know nothing about how web servers work. Bravo.

Most web servers will log *every* hit to a page, or service, *including* login attempts. It's a default configuration that has to be turned *off* on every major web server including IIS and Apache. From those logs, you can tell every IP address that made contact with your server, and what pages or services they called *regardless* of whether you store a counter in a database somewhere.

But continue to be belligerently wrong. It suits you. :rolleyes:
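The post above makes the point that a default web server access log records every request, including failed login attempts, so a brute-force run leaves evidence even when the application keeps no counter. As an added example (not code from this thread or from any Apple system), here is how a defender would pull that evidence out of Apache-style combined-format log lines: parse each line, keep the failed POSTs to the login endpoint, and flag any source IP with too many failures inside a sliding time window. The sample log lines, the `/login` path, the status codes treated as failures and the threshold are all constructed assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache combined log format (not real traffic).
# 203.0.113.7 fails six times in ten seconds, then succeeds; a seventh failure
# comes half an hour later. 198.51.100.5 fails once and then logs in normally.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2014:10:00:01 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.30"
198.51.100.5 - - [01/Sep/2014:10:00:02 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2014:10:00:03 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.30"
203.0.113.7 - - [01/Sep/2014:10:00:05 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.30"
203.0.113.7 - - [01/Sep/2014:10:00:07 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.30"
203.0.113.7 - - [01/Sep/2014:10:00:09 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.30"
203.0.113.7 - - [01/Sep/2014:10:00:11 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.30"
203.0.113.7 - - [01/Sep/2014:10:00:13 +0000] "POST /login HTTP/1.1" 200 512 "-" "curl/7.30"
198.51.100.5 - - [01/Sep/2014:10:00:20 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Sep/2014:10:00:21 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Sep/2014:10:30:00 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.30"
"""

# Fields of the combined format: client IP, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

FAILURE_STATUSES = {401, 403}  # assumption: how this app reports a bad password


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def failed_logins_by_ip(log_text, login_path="/login"):
    """Map each source IP to the timestamps of its failed login POSTs."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == login_path \
                and rec["status"] in FAILURE_STATUSES:
            failures[rec["ip"]].append(rec["ts"])
    return failures


def flag_brute_force(log_text, login_path="/login", threshold=5, window_seconds=60):
    """Return {ip: peak failures within one window} for IPs over the threshold.

    A sliding window is used rather than a raw total so that a user who
    fat-fingers a password a few times a day over a month is not flagged.
    """
    flagged = {}
    for ip, times in failed_logins_by_ip(log_text, login_path).items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            size = end - start + 1
            if size >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), size)
    return flagged


if __name__ == "__main__":
    for ip, peak in flag_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failed logins within 60s")  # 203.0.113.7: 6 ...
```

Note the seventh failure from 203.0.113.7 at 10:30: it is counted in the per-IP totals but does not raise the peak, because it sits outside any 60-second window containing the earlier burst. The same logic is the basis for an automatic lockout or rate limit, which is the control the thread says was missing.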
 