REcon 2013: Breaking Apple iCloud

July 3rd, 2013 by Oleg Afonin

I’ve just returned from REcon 2013 held in Montreal, where I talked about breaking iCloud services (everyone: the slides from that presentation are available right here, and the organizers promised a video soon). I spoke about WHY breaking the iCloud, HOW we did it and WHO can use it. I can briefly stop here, and elaborate the points.

Apparently, more than half of REcon participants are using iPhones (I asked). Some of them are even making backups. And some of those who make backups do them over the iCloud. Now that’s a good reason to want to break in, isn’t it? 🙂


So then I talked a little about how we did it. We used the classic man-in-the-middle attack, intruding into the private domain of a doomed electronic device bought in the nearest iStore on a cold Russian night… Well, except for the “night” part, it was exactly like that.

And then we discussed a little about who can use our tools. “Is it legal?” I expected that question. Always asked, even at underground hackers’ meetings. Well, it’s certainly legal in Russia, and none of our US customers complained either. I mean, we have US Secret Services, the FBI, Army and Navy and multiple police departments all over the US and Canada as our valued customers, and they never suggested we’re doing something wrong, so it must be legal. Right?


Montreal is a beautiful city. Loved it! The old town, the pier, the underground city… it’s vivid and relaxed, old and modern at the same time. It so happened they hosted a French music festival right at the doorsteps of our hotel (the 25th FrancoFolies), so I enjoyed a beautiful city during the day and relaxed to wonderful music at night. I’ll be sure to put Montreal onto a shortlist when planning my next trip!

Tags: , ,

Sign up for free ElcomSoft Password Recovery Software newsletter

Leave a Reply

3 Comments on "REcon 2013: Breaking Apple iCloud"

Notify of

Hey Oleg, I was playing around a bit with iCloud based on your findings. Is getting the list backup id’s still correct like the way you have it on the slides? While I get both tokens just fine I get a 400 when trying to get the list of backups.

Vladimir Katalov
Vladimir Katalov


Sorry, do you mean that you get errors when running your own code (to obtain the list of backups)?


Hey Oleg. Amazing can download files from iCloud by EPPB, and I follow the steps on your slides, but I have the same problem as Torsten, which I cannt get the list of backup IDs. I can get the two tokens by the first two URLs. Could you give some advices? Thank you!