This article is from the source 'bbc'.
You can find the current article at its original source at http://www.bbc.co.uk/news/technology-29045789
The article has changed 3 times; the text below is the later of the two versions captured on this page, which differ only in the omission of one quotation from David Emm in the newer version.
Apple iCloud security exploit is a concern, experts say

(about 21 hours later)

Apple's iCloud facility, which stores iPhone and iPad users' photos and personal data, has a "fundamental security flaw", an expert has warned.

The online service is under scrutiny after intimate images of celebrities were stolen and leaked.

It has emerged that a security measure called two-step verification, which is recommended by Apple, can be bypassed using easily available software that allows access to iCloud back-ups.

Apple declined to comment.

The program still requires hackers to know the user's email address and password, and there is no clear evidence that it was used in the recent breaches.

Two-step verification - which requires a user to type in a short code sent by Apple to their phone or tablet in order to access their account - is supposed to offer an extra level of protection.

On Tuesday, Apple suggested its customers "always use a strong password and enable two-step verification" after it acknowledged that some of its accounts had been compromised by a "very targeted attack".

But one expert said Apple had given people "a false sense of security".

Technology magazine Wired first reported that software from a Russian firm, ElcomSoft, was being mentioned on a hackers' discussion group as a useful tool for infiltrating iCloud accounts.

The program, marketed to law enforcement agencies, claims to offer access to iCloud content without the operator needing to be in possession of the iPhone or iPad concerned.

It uses a system devised by Moscow-based computer programmer Vladimir Katalov, which downloads copies of iCloud data.

It is not known whether the facility was utilised by those who stole naked images of Jennifer Lawrence and others.

But Mr Katalov told the BBC that, although he could not be "100% sure", he believed the software was used in the recent celebrity hacks, as ElcomSoft's program is "the only one able to do that".

He added that while his company "didn't like it much" when the software was used for illegal purposes, it had sold the system to individuals, as well as authorities.

Security expert Mikko Hypponen told the BBC the issue lay in the design of Apple's two-step verification system, which he believed was "implemented only to protect your credit card".

"It doesn't require two-factor authentication when you just want to access the photo roll, or if you want to restore the back-up," he said.

Using ElcomSoft's program, he added: "I can use my computer to extract files from your online back-up - something you can't do yourself".

Indeed, Apple's own page on two-step verification explains that it protects:

It does not mention any protection for photos, contacts or calendar entries, which are all backed up to iCloud.

However, the BBC understands that it does protect against hackers trying to use the "forgotten password" facility on Apple's website.

Usually, people who have forgotten their login details can regain access to their accounts by entering the answers to some personal questions - and this process cannot be exploited when two-step verification is enabled.

But Mr Hypponen said that by focusing on protecting payments and IDs, Apple might have misjudged what customers care about.

"For many users they would rather have their credit card numbers stolen than their private photos," he said.

'Chinks in armour'

Other security experts said Apple's advice about two-step verification was possibly misleading.

"There is a danger in suggesting that two-step verification is an umbrella that will protect, because obviously that is not the case," said David Emm, a senior analyst at Kaspersky Lab.

"There are chinks in the armour which could potentially be exploited."

Mr Emm added that he was concerned by the fact that ElcomSoft's software has been around since 2012.

"I think [the vulnerability] has probably been raised several times," he said, and the fact that Apple had not beefed up its two-step verification system was "a surprise".

However, he emphasised that overall: "It's clear that Apple does take security seriously."

Prof Alan Woodward, a computer security expert at the University of Surrey, said the holes in Apple's two-step verification system amounted to a "fundamental security flaw" and that it was "like double locking your front door and leaving the window open".

He added that the advice given by Apple "gives people a false sense of security".

But Mikko Hypponen said that iCloud was not the only service to have vulnerabilities.

"We don't really know if this is the only way in," he said.

"It's also highly likely that users not using Apple products were also targeted."