
NUDE SELFIE CLOUD PERV menace: Apple 2FA? Sweet FA, more like

But be fair: Clouds are Clouds

Fact is, full 2FA would be a nightmare if you ever lost your phone

TechCrunch did a good job in summarising the issue here but the security shortcomings on Apple's approach to two factor authentication have been noted before.

Third party security experts told El Reg that Apple had yet to update its technology to address the security weakness in iCloud backups. Michael Sutton, VP of security research at cloud security firm Zscaler, explained:

"Apple's two factor authentication (what they refer to as 'Two Step Verification') applies only to a specific set of tasks related to managing your Apple ID account and making purchases.

"Two Step Verification does not apply to syncing data from iCloud. Therefore, if you have the username and password for an account, you could set up iCloud syncing on another device and receive all stored iCloud content (pictures, email messages, contacts, etc.) without being required to use Two Step Verification," he added.

Apple's FAQ on how its two-step verification for Apple ID works confirms Sutton's comments that the technology doesn't cover restore from backup.

The absence of 2FA on Find My Phone makes sense; its absence on restoring from backup is harder to understand, except as a way of favouring convenience over security.

"I have read widely that Apple only have two factor authentication on specific endpoints so (for example) not on backups or find my phone," said Dave Chismon, senior researcher at MWR InfoSecurity. "Find my phone is an interesting one as two factor auth is normally sent to the phone, but if they are using find my phone they are likely not to have access to the phone. It would require Apple to be a bit more creative to do two factor auth on this."

A defence of Apple's design decision came from the perhaps surprising source of ElcomSoft boss Vladimir Katalov.

"As of this writing, 2FA still does not protect iCloud backups, Find My Phone or other documents," Katalov told El Reg on Wednesday lunchtime.

"It is really hard to predict whether Apple is going to change that or not. Once upon a time 2FA was *temporarily* (for just a few hours) implemented for the iCloud, but only for documents: when you log on to www.icloud.com, you are being asked for the security code (sent to the trusted device); if you do not enter it, only the Find My iPhone service is available (but no access to contacts, calendar, reminders, notes and iWork documents)."

2FA for iCloud backups would be a bad move, according to Katalov.

"Implementing 2FA for iCloud backups (if it will ever happen) is a bad idea," he explained. "Most people have one device only (iPhone or iPad). If they lose it (or it is broken), you are not able to restore the new device from backup, because there is no trusted device anymore. The only workaround will be to log into the 'My Apple ID' service using the 'recovery code', disable 2FA, then restore the device. You should, however, have your 'recovery code' saved somewhere. Obviously not on the same device."

If users want to completely (and safely) protect themselves from iCloud data leaks, there are only two ways, according to Katalov. These are "have a strong password and take all measures that it will not be stolen" or "do not use iCloud backups at all".

Only the latter would seem foolproof.
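The coverage gap Sutton and Katalov describe is easiest to see as a policy table. The toy model below is an added example written for this article, not Apple's code: the action names, the password/recovery-code handling and the trusted-device list are assumptions, modelled on the behaviour the article reports (second factor only on account management and purchases; recovery code used to switch two-step verification off when no trusted device is left).

```python
"""Endpoint-scoped two-step verification, as described in the article (toy model, constructed)."""
import hmac
from dataclasses import dataclass

# Constructed policy: only these actions ask for the second factor (assumed names).
SECOND_FACTOR_REQUIRED = {"manage_apple_id", "make_purchase"}
# Everything that exposes account data; the audit below checks it against the policy.
SENSITIVE_ACTIONS = SECOND_FACTOR_REQUIRED | {"icloud_sync", "restore_backup", "find_my_phone"}


@dataclass
class Account:
    password: str
    trusted_devices: set
    recovery_code: str
    two_step_enabled: bool = True


def authorize(account, action, password, device=None, code_confirmed=False):
    """True if the request passes the (constructed) policy for this action."""
    if not hmac.compare_digest(password, account.password):
        return False
    if account.two_step_enabled and action in SECOND_FACTOR_REQUIRED:
        # Second factor = a code confirmed on one of the trusted devices.
        return device in account.trusted_devices and code_confirmed
    # Every other action is reachable with username and password alone.
    return True


def coverage_gaps():
    """Audit check: sensitive actions that never prompt for the second factor."""
    return sorted(SENSITIVE_ACTIONS - SECOND_FACTOR_REQUIRED)


def recover_without_device(account, recovery_code):
    """Lost-device path from the article: the recovery code disables two-step verification."""
    if not hmac.compare_digest(recovery_code, account.recovery_code):
        return False
    account.two_step_enabled = False
    return True


if __name__ == "__main__":
    acct = Account("hunter2", {"iphone"}, "RECOVERY-CODE-EXAMPLE")  # constructed
    print("password-only backup restore allowed:", authorize(acct, "restore_backup", "hunter2"))
    print("actions not covered by 2SV:", coverage_gaps())
```

Running `coverage_gaps()` against a service's real action list is the check a reviewer would want before calling an account "protected by 2FA".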

Celebrity pictures privacy flap not just an issue for Apple

As the story unfolds it's becoming increasingly likely that the recent leak of celebrity photographs is not the result of a single compromise nor a single hacker.

"It appears that the images have been stolen over a number of years by several people and then traded or sold between collectors," Andrew Conway, a research analyst at messaging security firm Cloudmark explained. "Similar to how a scammer wishing to join a 'carder' forum must provide stolen credit card details to administrators, there is a requirement to provide new content in order to join the inner circle of celebrity nude collectors. As a result, quite a lot of the photographs being distributed are fakes, either photoshopped or lookalikes, though some may be genuine."

Conway argues that Apple appears to be getting unfairly singled out for blame over the celebrity pictures privacy flap.

"Whilst iCloud is receiving bad publicity over this, it's unlikely to be the sole source of these images as one of the collections contains a Dropbox how-to file and others may have come from compromised desktop machines," Conway added. "It is more likely that the images have been acquired through spear phishing attacks or social engineering, which exposed a username and password."

"At Cloudmark, we have seen Apple IDs phished in similar fashion via SMS and email. The more services provided by a single company such as Apple or Google, the more useful login credentials are to a hacker," he added. ®

Bootnote

Use of two factor authentication (2FA) means that when users try to log into a service they are prompted either to enter a code from a hardware token or to enter a numeric or alphanumeric string sent as a text message to a pre-registered phone. 2FA means that you need both a password (something you know) and something you have (token or phone) to access a service. Many online and cloud services such as Google, Apple iCloud and Microsoft Live offer 2FA, which is normally far from bulletproof but much better than relying on a password alone.
