Is Apple’s new 2FA Really Secure? (Answer: It’s Pretty Solid)

I’ve recently updated my TL;DR regarding the recent celebrity iCloud hacks. I now summarize Apple’s latest changes to improve their 2-factor authentication (2FA). Apple has implemented not just a band-aid, but a very good security solution to protect iCloud accounts, by completely reinventing their own 2-step validation (sorry, I couldn’t resist). As a result, users who have activated this feature will need to provide a one-time validation code in order to access their iCloud account from a web browser, or to provision iCloud from an iOS device. As my TL;DR suggests, this new technical measure would have prevented the celebrity iCloud hacks. So are Apple’s new techniques really secure, even in light of the very technically un-savvy users who fall victim to iCloud phishing attacks?

While Apple has done their part to improve the security of iCloud, less than savvy users can still screw it up, starting with never turning the feature on in the first place. Apple’s two-step validation process is opt-in, and therefore it’s important to make sure that users know about and understand the benefits of enabling this feature. In my opinion, Apple should force users to have this feature on if they enable Photo Stream or iCloud Backups, as they are likely to keep sensitive content in the cloud without necessarily knowing it.

So you’re more savvy than that. You’ve already activated the new 2FA on your iCloud account. Are you truly safe from future phishing attacks?

Phishing of the Future

Phishing a 2FA-protected iCloud account probably isn’t feasible today, because Apple now has the upper hand technologically, but let’s take a look at what would be needed in the future, after scammers have had enough time to re-tool. Apple’s new technical measures have essentially “broken” today’s iCloud forensics tools, such as Elcomsoft’s PPB, which was probably used by scammers to rip data from iCloud. At least this is the case when 2FA is turned on. The new measures have also broken the traditional username and password model for phishing, since you can’t get anywhere without having a one-time validation code in addition to a password. So in order for a scammer to steal your iCloud data, they’d need to account for two important things: their forensics tools won’t work with 2FA enabled, and they’ll need a website capable of phishing the most recent, unused validation code. Neither of these is as easy as you might think, and both would require a more sophisticated attack.

Apple’s system sends a new code any time the user attempts to authenticate. This means that even if I were to get you to send me the code you’ve just received from Apple, it would be useless to me, since Apple would send a brand new code when I try to log in from my own browser, or from my iOS device. Codes also expire after a few minutes, so if I was to attack you later on – as most scammers do – your validation code would be useless. In order for an attack like this to work, an attacker would have to pull this off in real-time – and either dump your data immediately, or disable your account’s 2-step validation while you’re still sitting at the keyboard – both of which require a significant amount of know-how, and also would notify you by email.

As far as dumping the data goes, using Elcomsoft’s forensics tools to dump your iCloud account is probably no longer an option, at least while 2FA is enabled on the account. Even when they update their software to support validation codes, their tool isn’t going to operate as a phishing scam. It will try to log into iCloud on its own to dump the data, meaning a new validation code will get sent, which will invalidate the one the victim just sent the scammer. So short of reverse engineering the iCloud protocol themselves, a scammer is going to take the path of least resistance, and try to disable the 2FA on your account so they could continue to use existing forensics tools. This, as I said, will trigger a notification to you – so unless you’re daft enough to ignore it, you’ll be able to do something about it before your data is stolen.
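The two paragraphs above rest on three properties of the validation code: a new login attempt issues a fresh code, that fresh code supersedes the earlier one, and any code expires after a few minutes. The following model, added here as an illustration and not Apple’s implementation, implements exactly those properties on the server side; the five-minute lifetime, four-digit codes, the class and function names, and the sample account are all assumptions.

```python
"""Model of the per-attempt validation codes the post describes: each login
attempt issues a fresh code, the earlier code for the account is superseded,
and codes expire after a few minutes. Constructed model, not Apple's code."""
import secrets
import time

CODE_TTL_SECONDS = 5 * 60   # assumption: "a few minutes" modelled as five
CODE_DIGITS = 4             # assumed code length for the model

class ValidationCodeService:
    def __init__(self):
        self._live = {}     # server-side state: account -> (code, issued_at)

    def begin_login(self, account, now=None):
        """Any login attempt issues a new code that replaces the previous one."""
        now = time.time() if now is None else now
        prev = self._live.get(account, (None, 0))[0]
        code = prev
        while code == prev:  # never reissue the value just superseded
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._live[account] = (code, now)
        return code

    def verify(self, account, code, now=None):
        """True only for the latest unexpired code; a success consumes it."""
        now = time.time() if now is None else now
        entry = self._live.get(account)
        if entry is None:
            return False
        live_code, issued_at = entry
        if now - issued_at > CODE_TTL_SECONDS:
            del self._live[account]                      # expired
            return False
        if not secrets.compare_digest(live_code, code):  # constant-time compare
            return False
        del self._live[account]                          # single use
        return True

def walkthrough(now=1_000_000.0):
    """Replays the post's argument with fixed timestamps; returns three booleans:
    superseded code rejected, stale code expired, fresh code accepted."""
    svc = ValidationCodeService()
    acct = "victim@example.com"                          # constructed account
    code_a = svc.begin_login(acct, now)                  # victim's own attempt
    code_b = svc.begin_login(acct, now + 30)             # a second session logs in
    a_rejected = not svc.verify(acct, code_a, now + 31)
    b_expired = not svc.verify(acct, code_b, now + 30 + CODE_TTL_SECONDS + 1)
    code_c = svc.begin_login(acct, now + 900)
    fresh_ok = svc.verify(acct, code_c, now + 901)
    return a_rejected, b_expired, fresh_ok
```

The walkthrough is the post’s point in miniature: the code the victim already holds stops working the moment any other session starts a login, and a code held for longer than its lifetime is rejected regardless.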

Now the most low-tech approach that could possibly succeed with today’s tools would be for scammers to convince unsuspecting users that they must disable 2-step validation themselves, perhaps due to an account limitation, or some other lame excuse. There’s no way for Apple to account for the analog hole of an un-savvy user doing dumb things with their account, perhaps with the exception of warning them prior to disabling it. Given how ineffective that attack would be, let’s examine two more sophisticated attacks that wouldn’t necessarily alarm users.

To fully appreciate the added security Apple has provided, consider what the scammer would have to do in order to steal your iCloud data when you have 2-step validation set up.

Scenario 1: Disable 2-Step Validation Themselves

The scammer writes a web site phishing scam that:

  1. Prompts you for your Apple ID and password
  2. Emulates a web browser and logs itself into “Manage My Apple ID” on Apple’s website
  3. Reads and parses the list of available devices to send a code to and lets you choose (in real-time).
  4. Relays your selection to Apple and waits for you to receive your validation code
  5. Phishes your validation code (in real-time).
  6. Disables 2-step validation on your account, or adds the scammer’s phone number to the account (this should generate an email notification to you).
  7. Alerts the scammer so that they can manually use an iCloud forensics scraping tool (e.g. existing Elcomsoft tools) to dump your data from iCloud before you realize what happened

This is by far the easiest scenario for a scammer to follow, and it is still extraordinarily complex. The scammer will have to write software that actually pretends it’s you clicking through Apple’s website. It also still requires the scammer to manually dump your iCloud data, counting on you to either ignore or be slow to act on the notifications you’ve received about changes to your iCloud account.

The next scenario, which is even more complicated, and more ridiculous, is the only way the scammer could dump your data in real-time, before you realized you were phished.

Scenario 2: Dumping iCloud Data Real-Time

The scammer reverse engineers Apple’s iCloud protocol for restoring a device backup (or photo stream) over iCloud.

The scammer writes a web site phishing scam that:

  1. Prompts you for your Apple ID and password.
  2. Emulates a device performing a restore from iCloud (as Elcomsoft does).
  3. Reads and parses the list of available devices to send a code to and lets you choose (in real-time).
  4. Relays your selection to Apple and waits for you to receive your validation code
  5. Phishes your validation code (in real-time).
  6. Rips your iCloud backups or photo stream using their own forensics software that they’ve built from reverse engineering the iCloud protocols.

Are both scenarios technically possible? Yes, but let’s be honest here. If you have the skillset to craft either of these attacks, you are more likely to be working for a company like Apple than hacking them. You’d have to have some serious financial reward (or in iCloud’s case, some serious perversion for stolen nude photos) to go to this kind of trouble. Most people don’t keep anything of great financial value in the iCloud – at least nothing that doesn’t have its own anti-fraud policies. So there’s little motivation to put in this much work without a strong payoff. This type of attack is much more likely against financial institutions’ banking systems. This could become an issue for Apple after Apple Pay rolls out, depending on how well they secure the rest of the system.

While some scammers are savvy, most are not (based on examining their payloads) savvy enough to stage this type of real-time attack, reversing a number of private APIs in the process. It is more likely that the “phish of the future” will simply try to convince victims that they should disable 2-step validation “for security purposes”. These types of “low tech” attacks are where educating the consumer about such threats and risks is a public service that Apple can easily provide by means of a popup window before allowing the user to do anything stupid.

So is Apple’s new 2FA really secure? It’s pretty solid. Is it perfect? Of course not. “Security” isn’t a black and white argument about whether or not a breach is impossible. “Security” is more a measure of the amount of time and complexity required on the attacker’s part to successfully breach a system. In this case, Apple has greatly upped the game in terms of the amount of time needed to perform this type of attack, as well as the sheer complexity and skill required in order to craft this type of phish to attack an account protected with 2FA. If anything, Apple should follow up on this new technology by helping to educate the consumer about the risks of turning it off – or even more serious, the risks of not having it turned on in the first place.