Apple iCloud is a popular service providing Apple users the much needed backup storage space. Using the iCloud is so simple and unobtrusive that more than 190 million customers (as of November, 2012) are using the service on regular basis.
Little do they know. The service opens governments a back door for spying on iOS users without them even knowing. ElcomSoft researchers discovered that information stored in the iCloud can be retrieved by anyone without having access to a physical device, provided that the original Apple ID and password are known. The company even built the technology for accessing this information in one of its mobile forensic products, Elcomsoft Phone Password Breaker, allowing investigators accessing backup copies of the phone’s content via iCloud services.
The newly discovered backdoor allows anyone having the money to buy Elcomsoft Phone Password Breaker and having a way to discover the original Apple ID and password of the user accessing information from all iOS devices belonging to a user with that particular Apple ID. The user will never know that their data has been accessed as no access to the physical device is required. At this time, information about recent iCloud activities is not reported to the owner of the device, so it will be impossible to learn about someone accessing information in the iCloud. Information from the iCloud can be transferred to any remote computer with an Internet connection.
Interestingly, unlike offline backups that feature a rather strong protection making ElcomSoft’s own recovery tools spend hours guessing the original password, data stored in the iCloud is stored unprotected. Other than the combination of a unique Apple ID and password, nothing protects the data on its way to an intruder except some encryption (which could not be easier to circumvent because the decryption key is available along with the data).
There are so many ways to retrieve information from mobile devices that yet another backdoor may not seem like a big deal. However, there is something making this one different.
In order to obtain information from a phone backup, investigators need access to a PC that has those backups. Acquiring information from an iOS device requires physical access to that device. Either way, a corresponding warrant must be issued in order to seize the computer and/or the iOS device in question.
Employing Apple iCloud for spying on users of iOS devices are not restricted with such pesky obstacles. After September 11th, “warrantless wiretapping” of Internet communications, as well as many other intrusions into personal privacy have become a fact of life. US National Security Agency (NSA) gained powers to access American telephone, cable and satellite networks. Since then, pretty much all providers of digital communications are legally obligated to provide the ability to deliver their customer’s personal information to special services regardless of what’s written in their end-user service agreements and privacy policies.
One example. Recently, Skype was included as part of Windows 8. Skype made agreements with special services of many countries to provide wiretapping access to users’ communications without a legal warrant. Apple iCloud does not have a similar clause in its end-user agreement. However, based on legislations introduced after September 11th, the intelligence can gain access to information about a user based in a given country without a warrant – if such access is deemed to the interests of national security.
This leads to a very important conclusion. End-user service agreements, privacy policies and legislations are no longer the determining factor of the privacy or personal information. Instead, the leading role in determining whether or not personal information is protected is now given to intelligence and homeland security agencies. Privacy advocates can spend hours (literally) just citing examples of how extremely broad these “interests of national security” can be, how far stretched and how excessively executed they can become.
What exactly can become a matter of national security? Well, if you follow the news, you can recall how an Apple director handed an iPhone to Dmitry Medvedev, who served as a president of Russia at the time. After just a little while, the official Kremlin reported that some “spyware” was discovered in that device. While that “spyware” could be anything, we have no doubts it was the iCloud service transferring phone’s usage information to a certain online cloud service coincidentally based in the US. Apparently, the Russian intelligence did not like the idea.
Want another example? The IBM Corporation was quick to ban the use of iCloud on their employees’ iPhones soon after ElcomSoft whitepaper on breaking iCloud was released. If IBM employees want to bring in their devices to work, they must first hand them to IBM’s IT department to remove what they believe can invite a trouble – like Apple iCloud.
Another one of bad news just came at the time of this writing. There are reports in Norwegian newspapers of teenagers hacking Apple accounts by exploiting the “lost password” function. Apparently, they were hacking into accounts of their classmate teenage girls, recovering their passwords by supplying Apple their correct names and birthdates. And then they were on their way to illegally downloading and extracting their victims’ photos and videos, then offering them for sale online.
Cases like this will continue happening. There is little to no protection available for data stored in the iCloud. Even choosing a long and secure password (which would be unlikely when teenage girls are concerned) would not help much, if at all.
As demonstrated in this article, your data is no longer protected by privacy laws, regardless of what’s said in privacy policies or end-user agreements. Apple devices collect information about their usage, and have the ability to upload that information into the cloud the very moment the device registers onto a Wi-Fi network. Moreover, iOS devices are equipped with the ability to track geolocation coordinates, saving the data into a log file.
If you do care about the privacy of your data, make sure you are not using the iCloud.