{"id":44566,"date":"2014-09-04T06:52:31","date_gmt":"2014-09-04T06:52:31","guid":{"rendered":"http:\/\/4cd.e16.myftpupload.com\/?p=44566"},"modified":"2014-09-04T06:52:31","modified_gmt":"2014-09-04T06:52:31","slug":"fundamental-flaw-in-apple-icloud","status":"publish","type":"post","link":"https:\/\/citifmonline.com\/?p=44566","title":{"rendered":"&#8216;Fundamental flaw&#8217; in Apple iCloud"},"content":{"rendered":"<p id=\"story_continues_1\">Apple&#8217;s iCloud facility, which stores iPhone and iPad users&#8217; photos and personal data, has a &#8220;fundamental security flaw&#8221;, an expert has warned.<\/p>\n<p>The online service is under scrutiny after intimate images of celebrities were stolen and leaked.<\/p>\n<p>It has emerged that a security measure called two-step verification, which is recommended by Apple, can be bypassed using easily available software that allows access to iCloud back-ups.<\/p>\n<p><strong>Apple declined to comment.<\/strong><\/p>\n<p>The program still requires hackers to know the user&#8217;s email address and password, and there is no clear evidence that it was used in the recent breaches.<\/p>\n<p id=\"story_continues_2\">Two-step verification &#8211; which requires a user to type in a short code sent by Apple to their phone or tablet in order to access their account &#8211; is supposed to offer an extra level of protection.<\/p>\n<p>On Tuesday, Apple suggested its customers &#8220;always use a strong password and enable two-step verification&#8221; after it acknowledged that some of its accounts had been compromised by a &#8220;very targeted attack&#8221;.<\/p>\n<p>But one expert said Apple had given people &#8220;a false sense of security&#8221;.<\/p>\n<p><a href=\"http:\/\/www.wired.com\/2014\/09\/eppb-icloud\/\">Technology magazine Wired first reported<\/a>\u00a0that software from a Russian firm, ElcomSoft, was being mentioned on a hackers discussion group as a useful tool for infiltrating iCloud accounts.<\/p>\n<p>The 
program, marketed to law enforcement agencies, claims to offer access to iCloud content without the operator needing to be in possession of the iPhone or iPad concerned.<\/p>\n<p>It uses a system devised by Moscow-based computer programmer Vladimir Katalov, which downloads copies of iCloud data.<\/p>\n<p>It is not known whether the facility was utilised by those who stole naked images of Jennifer Lawrence and others.<\/p>\n<p>But Mr Katalov told the BBC that, although he could not be &#8220;100% sure&#8221;, he believed the software was used in the recent celebrity hacks, as ElcomSoft&#8217;s program is &#8220;the only one able to do that&#8221;.<\/p>\n<p>He added that while his company &#8220;didn&#8217;t like it much&#8221; when the software was used for illegal purposes, it had sold the system to individuals, as well as authorities.<\/p>\n<p>Security expert Mikko Hypponen told the BBC the issue lay in the design of Apple&#8217;s two-step verification system, which he believed was &#8220;implemented only to protect your credit card&#8221;.<\/p>\n<p id=\"story_continues_3\">&#8220;It doesn&#8217;t require two-factor authentication when you just want to access the photo roll, or if you want to restore the back-up,&#8221; he said.<\/p>\n<p>Using ElcomSoft&#8217;s program, he added: &#8220;I can use my computer to extract files from your online back-up &#8211; something you can&#8217;t do yourself&#8221;.<\/p>\n<p>Indeed,\u00a0<a href=\"http:\/\/support.apple.com\/kb\/ht5570\">Apple&#8217;s own page on two-step verification<\/a>\u00a0explains that it protects:<\/p>\n<ul>\n<li>The My Apple ID webpage, where users can manage their iCloud account<\/li>\n<li>App Store, iTunes or iBooks Store purchases from a new device<\/li>\n<li>Getting Apple ID-related support<\/li>\n<\/ul>\n<p>It does not mention any protection for photos, contacts or calendar entries, which are all backed up to iCloud.<\/p>\n<div><img loading=\"lazy\" decoding=\"async\" alt=\"Apple\" 
src=\"http:\/\/news.bbcimg.co.uk\/media\/images\/77357000\/jpg\/_77357868_e540bdc9-3a6d-4084-aadd-509d2511ddbf.jpg\" width=\"624\" height=\"220\" \/><\/div>\n<div>Apple&#8217;s two-step verification tool makes it difficult for hackers to reset users&#8217; passwords<\/div>\n<p>However, the BBC understands that it does protect against hackers trying to use the &#8220;forgotten password&#8221; facility on Apple&#8217;s website.<\/p>\n<p>Usually, people who have forgotten their login details can regain access to their accounts by entering the answers to some personal questions &#8211; and this process cannot be exploited when two-step verification is enabled.<\/p>\n<p>But Mr Hypponen said that by focusing on protecting payments and IDs, Apple might have misjudged what customers care about.<\/p>\n<p>&#8220;For many users they would rather have their credit card numbers stolen than their private photos,&#8221; he said.<\/p>\n<p><strong>&#8216;Chinks in armour&#8217;<\/strong><\/p>\n<p>Other security experts said Apple&#8217;s advice about two-step verification was possibly misleading.<\/p>\n<p>&#8220;There is a danger in suggesting that two-step verification is an umbrella that will protect, because obviously that is not the case,&#8221; said David Emm, of Kaspersky.<\/p>\n<div><img loading=\"lazy\" decoding=\"async\" alt=\"BBC\" src=\"http:\/\/news.bbcimg.co.uk\/media\/images\/77357000\/jpg\/_77357866_f82e1db9-3cae-4326-9d8b-3be1abb1d8fd.jpg\" width=\"624\" height=\"351\" \/><\/div>\n<div>At a 2013 conference in Vienna, Mr Katalov showed how he could access iCloud back-ups<\/div>\n<p>&#8220;There are chinks in the armour which could potentially be exploited.&#8221;<\/p>\n<p>Mr Emm added that he was concerned by the fact that ElcomSoft&#8217;s software has been around since 2012.<\/p>\n<p>&#8220;I think [the vulnerability] has probably been raised several times,&#8221; he said, and the fact that Apple had not beefed up its two-step verification system was &#8220;a 
surprise&#8221;.<\/p>\n<p>However, he emphasised that overall: &#8220;It&#8217;s clear that Apple does take security seriously.&#8221;<\/p>\n<p>Prof Alan Woodward, a computer security expert at the University of Surrey, said the holes in Apple&#8217;s two-step verification system amounted to a &#8220;fundamental security flaw&#8221; and that it was &#8220;like double locking your front door and leaving the window open&#8221;.<\/p>\n<p>He added that the advice given by Apple &#8220;gives people a false sense of security&#8221;.<\/p>\n<p>But Mikko Hypponen said that iCloud was not the only service to have vulnerabilities.<\/p>\n<p>&#8220;We don&#8217;t really know if this is the only way in,&#8221; he said.<\/p>\n<p>&#8220;It&#8217;s also highly likely that users not using Apple products were also targeted.&#8221;<\/p>\n<p>Source: BBC<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Apple&#8217;s iCloud facility, which stores iPhone and iPad users&#8217; photos and personal data, has a &#8220;fundamental security flaw&#8221;, an expert has warned. The online service is under scrutiny after intimate images of celebrities were stolen and leaked. 
It has emerged that a security measure called two-step verification, which is recommended by Apple, can be bypassed [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":44569,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jnews-multi-image_gallery":[],"jnews_single_post":[],"jnews_primary_category":[],"jnews_social_meta":[],"jnews_override_counter":[],"footnotes":""},"categories":[],"tags":[18],"class_list":["post-44566","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-dr-akwasi-osei"],"_links":{"self":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/posts\/44566","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=44566"}],"version-history":[{"count":0,"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/posts\/44566\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/media\/44569"}],"wp:attachment":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=44566"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=44566"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=44566"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}