Hacking iCloud Backups

September 04, 2014 by Gabe

From Christina Warren:

For just $200, and a little bit of luck, I was able to successfully crack my own iCloud password and use EPPB to download my entire iCloud backup from my iPhone. For $400, I could have successfully pulled in my iCloud data without a password and with less than 60 seconds of access to a Mac or Windows computer where I was logged into iCloud.

These kinds of hacks don't concern me all that much. If someone wants a specific person's data, they are likely to get it with enough effort and time. Especially if they can get access to their computer.

What does concern me is this bit:

As we've mentioned before, Apple's two-factor implementation does not protect your data, it only protects your payment information. Yes, if you have two-factor authentication enabled, the password reset process for an account can be greatly impeded (you need to provide a special one-off key before you can reset a password), but assuming someone can get your password anyway using any number of phishing or remote-access methods, two-factor verification is absolutely not required for accessing an iCloud backup.

So, 2-Factor authentication is intended to protect access to your payment method, not your data.

Yay! Everything is terrible.