Apple iCloud Security Breach

Apple’s iCloud facility, which stores iPhone and iPad users’ photos and personal data, has a “fundamental security flaw”, an expert has warned.

Apple’s iCloud security is under scrutiny after intimate images of celebrities were stolen and leaked.

It has emerged that a iCloud security measure called two-step verification, which is recommended by Apple, can be bypassed using easily available software that allows access to iCloud back-ups.

The program still requires hackers to know the user’s email address and password, and there is no clear evidence that it was used in the recent breaches.

Two-step verification – which requires a user to type in a short code sent by Apple to their phone or tablet in order to access their account – is supposed to offer an extra level of protection.

On Tuesday, Apple suggested its customers “always use a strong password and enable two-step verification” after it acknowledged that some of its accounts had been compromised by a “very targeted attack”.

But one expert said Apple had given people “a false sense of security”.

Technology magazine Wired first reported that software from a Russian firm, ElcomSoft, was being mentioned on a hackers discussion group as a useful tool for infiltrating iCloud accounts.

The program, marketed to law enforcement agencies, claims to offer access to iCloud content without the operator needing to be in possession of the iPhone or iPad concerned.

It uses a system devised by Moscow-based computer programmer Vladimir Katalov, which downloads copies of iCloud data.

It is not known whether the facility was utilised by those who stole naked images of Jennifer Lawrence and others.

But Mr Katalov told the BBC that, although he could not be “100% sure”, he believed the software was used in the recent celebrity hacks, as ElcomSoft’s program is “the only one able to do that”.

He added that while his company “didn’t like it much” when the software was used for illegal purposes, it had sold the system to individuals, as well as authorities.

Security expert Mikko Hypponen told the BBC the issue lay in the design of Apple’s two-step verification system, which he believed was “implemented only to protect your credit card”.

“It doesn’t require two-factor authentication when you just want to access the photo roll, or if you want to restore the back-up,” he said.

Using ElcomSoft’s program, he added: “I can use my computer to extract files from your online back-up – something you can’t do yourself”.

Indeed, Apple’s own page on two-step verification explains that it protects:

• The My Apple ID webpage, where users can manage their iCloud account
• App Store, iTunes or iBooks Store purchases from a new device
• Getting Apple ID-related support

It does not mention any protection for photos, contacts or calendar entries, which are all backed up to iCloud.