Think iCloud's two-factor authentication protects your privacy? It doesn't
As the forensic analysis of the weekend's celebrity intimate photo leak continues, plenty of attention is being focused on iCloud's photo storage as a likely vector for the criminal theft of the images. Proof of concept code for a brute-force attack on iCloud passwords (via the Find My iPhone API) was revealed late last week, and subsequently blocked off by Apple in a fix to the FMI service.
Update 2:53 pm ET 9/2: Apple has released a statement confirming that the company's investigation found no evidence that any of its services were compromised; the accounts affected were attacked using conventional (security question/username) password reset methods.
Of course, there are plenty of other ways to break into an account, including using easily-discoverable personal information to socially engineer tech support reps and get a password reset done on the fly. To combat this and other bad behaviors, Apple (along with other online giants like Google, Dropbox etc.) has built out an optional two-factor authentication scheme (2FA) for iCloud. Simply turn it on, register your iOS devices, and you'll be shielded from hacks and phishing attempts.
Unfortunately, Apple's 2FA protection doesn't go as far as you might think. I noticed yesterday that our friend and former colleague Christina Warren's post at Mashable gave extra credit to 2FA:
If [two-factor auth is] enabled, this means that before a new computer or device can gain access to your iCloud data, you must approve that device with a four-digit authentication code (sent to your phone via SMS) or grant access from another enabled machine.
It's true that if you want to register a new "trusted" iOS device, you'll need 2FA. If you're not doing that, however, 2FA on iCloud is only triggered by a short list of interactions: getting Apple ID support from Apple; signing into the My Apple ID management console; or making an iTunes, App Store or iBooks purchase from a new device. [Update: At the end of June 2014, several outlets including Mashable, Cult of Mac and, well, TUAW all reiterated this AppleInsider report about iCloud.com testing 2FA challenges for webmail, calendar, contacts and other services. As you can easily confirm yourself by walking over to the nearest unfamiliar computer and logging into iCloud.com, this security feature has not been rolled out to all iCloud users as of September 2014.]
If you're not doing one of these specific things, you are not required to enter the confirmation code from your known device to clear 2FA. It's pretty clear that Apple's doing its best to guard your wallet with this implementation -- anything that might cause a credit card charge via an unfamiliar iOS device is going to force you to authenticate. Other than that, 2FA doesn't get involved in guarding your privacy as far as I can tell. [Both security research firm Elcomsoft and the estimable Ars Technica made a similar set of points about iCloud/Apple ID 2FA back in 2013. --MR]
In theory, [adding an iCloud account to a new Mac or PC] should trigger a notification email to the account owner that a new device is connected -- but of course, if the hacker has the victim's account password, they've also got access to the iCloud email and could quickly delete the inbound email alert.
It turns out that I was also being more generous than wise in assuming that iCloud would proactively send an email alert when photos or bookmarks were synced to an unknown computer. I decided to test that assumption, using a fresh (spun up and installed from scratch) Windows 8 virtual machine running on Parallels 10.
After installing the iCloud Control Panel for Windows (as seen above), I logged in with my iCloud credentials and checked off the options to synchronize bookmarks and photos with my new, never-before-seen PC. Within a few minutes, my photo stream photos downloaded neatly into the appropriate folders and my bookmarks showed up in my Windows-side browser, and nary a 2FA alert to be seen. I turned to my iCloud email account to wait for the obligatory "Your account was accessed from a new computer" courtesy alert... which never arrived.
A moment's consideration of the consequences of having either your iCloud Photo Stream or your Safari bookmarks available to anyone who has uncovered your iCloud password should be enough to realize that this is a strange and potentially troubling omission from iCloud's security and notification regimen. Sure, it would be aggravating to get an email notification every time you access iCloud webmail from a new computer (although there should be some fraud catching algorithm in place to note that I'm probably not logging in simultaneously in New York and New Caledonia, for instance); but the act of adding a new computer to sync photos and bookmarks should be relatively infrequent and almost certainly merits a quick heads-up to the user.
If indeed the iCloud photo stream was the hack vector for this high-profile series of thefts, the lack of any alert when a new computer syncs with Photo Stream might have made it a lot easier for the criminals to operate undetected for so long.
Subscribe to Newsletter
Software Updatesmore updates
- Dropbox adds file/folder renaming and Office document editing to iOS app
- Vizzywig 8xHD price tag now a very affordable $49.99
- Automatic targets teen drivers with License+ service
- Dropbox adds support for TouchID
- YouTube for iOS gets updated with full support for iPhone 6 and 6 Plus
- iOS 8.0.1 update now available (Updated -- Don't update!)