This is an overview of a presentation by Andrey Belenko and Dmitry Sklyarov at the ZeroNights conference on 11/22. Dmitry is a Lead analyst with Positive Technologies and Andrey is a Sr. Security Engineer with viaForensics.

“If you think that your backups are stored [in] Apple’s datacenter you’re sooooo mistaken”.

In early 2012, Andrey Belenko and Dmitry Sklyarov researched the security (or lack thereof) of data backed up to iCloud. iCloud, Apple’s successor to MobileMe, is a cloud service for Apple devices that allows users to backup and share critical data, such as contacts, calendars, application files, photos, and more. When enabled, the process is automated from a device to the iCloud. Backups can be as frequent as once or more per day, ensuring that the data resting in the iCloud is extremely current. Andrey stated this about their research:

iCloud does not store actual backup data. The iCloud protocol is designed to use virtually any storage provider that can be accessed over HTTP(S). Depending on the Apple ID, we’ve seen iCloud backups stored in the Amazon cloud or Microsoft cloud. iCloud still stores all the metadata, and data from the Amazon/ Microsoft clouds is essentially useless without the iCloud metadata.”

“Also, there is effectively no encryption of iCloud backups. When backing up to iTunes there is an option to encrypt the backup, but if you backup to iCloud, the backup is effectively not encrypted. We say “effectively” because actual file parts stored in Amazon or Microsoft clouds are encrypted but the encryption keys are managed and provided by Apple. Basically, when you request a file from your iCloud backup, Apple servers respond with URL to the encrypted file in Amazon or Microsoft cloud AND associated encryption key.

For more information, and to see the full presentation, see the slides below.

iCloud (In)Security
iCloud (In)Security_01
iCloud (In)Security_02
iCloud (In)Security_03
iCloud (In)Security_04
iCloud (In)Security_05
iCloud (In)Security_06
iCloud (In)Security_07
iCloud (In)Security_08
iCloud (In)Security_09
iCloud (In)Security_10
iCloud (In)Security_11
iCloud (In)Security_12
iCloud (In)Security_13
iCloud (In)Security_14
iCloud (In)Security_15
iCloud (In)Security_16
iCloud (In)Security_17
iCloud (In)Security_18
iCloud (In)Security_19
iCloud (In)Security_20
iCloud (In)Security_21
iCloud (In)Security_22
iCloud (In)Security_23
iCloud (In)Security_24
iCloud (In)Security_25
iCloud (In)Security_26
iCloud (In)Security_27
iCloud (In)Security_28
iCloud (In)Security_29
iCloud (In)Security_30
iCloud (In)Security_31
iCloud (In)Security_32
iCloud (In)Security_33
iCloud (In)Security_34
iCloud (In)Security_35
iCloud (In)Security_36
iCloud (In)Security_37
iCloud (In)Security_38
iCloud (In)Security_39
iCloud (In)Security_20

iCloud (In)Security

iCloud (In)Security_01

iCloud (In)Security_02

iCloud (In)Security_03

iCloud (In)Security_04

iCloud (In)Security_05

iCloud (In)Security_06

iCloud (In)Security_07

iCloud (In)Security_08

iCloud (In)Security_09

iCloud (In)Security_10

iCloud (In)Security_11

iCloud (In)Security_12

iCloud (In)Security_13

iCloud (In)Security_14

iCloud (In)Security_15

iCloud (In)Security_16

iCloud (In)Security_17

iCloud (In)Security_18

iCloud (In)Security_19

iCloud (In)Security_20

iCloud (In)Security_21

iCloud (In)Security_22

iCloud (In)Security_23

iCloud (In)Security_24

iCloud (In)Security_25

iCloud (In)Security_26

iCloud (In)Security_27

iCloud (In)Security_28

iCloud (In)Security_29

iCloud (In)Security_30

iCloud (In)Security_31

iCloud (In)Security_32

iCloud (In)Security_33

iCloud (In)Security_34

iCloud (In)Security_35

iCloud (In)Security_36

iCloud (In)Security_37

iCloud (In)Security_38

iCloud (In)Security_39

iCloud (In)Security_20