Two-factor authentication for iCloud now protects user backups

Many of the compromising photos from the cache of celebrity photos leaked last month were obtained by hackers spoofing a target’s iCloud account to download an unencrypted backup of the target’s phone.

Despite being the standard advice offered by both Apple and the media, turning on iCloud two-factor authentication (or “two step verification,” as [company]Apple[/company] calls it) actually did nothing protect to users from this specific attack vector. CEO Tim Cook promised change in the Wall Street Journal and, true to his word, Apple turned on two-factor back on earlier today. According to Ars Technica, it now covers the backups that most of the leaked nudes came from.

The problem with Apple’s implementation was that two-factor didn’t cover iCloud device backups or Find My iPhone. So while photos or emails may have been protected under two-factor authentication, hackers using tools like Elcomsoft Phone Password Breaker could download complete phone backups and steal sensitive data — like private photos — from the backup. Apple had previously turned off two-factor authentication while it fixed the issue, and the improved version started rolling out today.

While Apple’s new two-factor implementation is certainly an improvement, it doesn’t solve every security issue an iPhone user faces. For a hacker to steal a backup using Elcomsoft Phone Password Breaker, he or she needs to know an iCloud user’s login email and password — so users still need to be careful and aware of phishing and social engineering attacks.

The new two-factor authentication does stymie an Elcomsoft attack even if a hacker knows the target’s username and password, but someone without it turned on is still vulnerable. So if you’ve got something on your phone you don’t want to get out, you should probably turn it on.