Moscow-based Elcomsoft, which produces a mobile forensic tool used by law enforcement around the world to gain access to a suspect’s iOS devices, has updated its Phone Breaker application. The update makes it easier to bypass Apple’s two-step verification for Apple ID accounts in order to access underlying iCloud data, Engadget reported Thursday.

Not only does this include iWork documents stored in iCloud, but also data in third-party apps such as WhatsApp communications, 1Password password databases — even user dictionaries that may contain secret words and phrases — provided a user has enabled the app in question to sync data with iCloud.

Although hackers still need both your Apple ID username/password and a two-factor code sent to your trusted device (or a digital token stolen from your computer), once they do gain access to your account Phone Breaker can then create a digital token granting them permanent access to iCloud data, no two-step verification code needed — until you change your Apple ID password, that is.

According to Elcomsoft, the refreshed tool now has support for iOS 8.0.x and iOS 8.1 devices and can provide full access to all types of information stored in the user’s iCloud, including:

  • iWork documents including Pages, Numbers, Keynote (if configured to be stored in the cloud)
  • Documents stored by third-party apps (e.g. game backups, 1Password password databases, WhatsApp communications, etc.)
  • Certain system files such as user dictionaries, which may contain words and phrases typed by the user that are not part of a common dictionary.

That doesn’t mean anyone can download a free trial of Phone Breaker to gain access to your iCloud stuff.

As stated above, attackers would first need to obtain your Apple ID credentials and get hold of one of your trusted devices to which Apple’s two-step verification system sends a confirmation code. To prevent someone from hijacking your Apple ID password, don’t click on links in phishing emails pretending to be from Apple and never type in your Apple ID on any website unless it’s on the apple.com domain.

If you enable two-step verification for your Apple ID, you’ll need the code pushed to a trusted device of your choice whenever you sign in to My Apple ID to manage your account, sign in to iCloud on a new device or at iCloud.com, make an iTunes, iBooks or App Store purchase from a new device, or get Apple ID-related support from Apple.

If you haven’t already, we wholeheartedly recommend adding another layer of security to your Apple ID by enabling Apple’s vaunted two-step verification, and we have a handy guide which explains how to do that in layman’s terms.

Enabling two-step verification generates a unique 14-character Recovery Key, which you use to regain control of your account should you ever lose access to your trusted devices or forget your password. Keep in mind that you’re solely responsible for keeping your Recovery Key stored in a safe place.

Losing it can lock you permanently out of your Apple ID and there’s nothing Apple can, or will, do in order to help you regain access to your account without it. If your Recovery Key gets lost or stolen, log in to My Apple ID and create a new one ASAP.

As The Next Web learned the hard way, without a Recovery Key you won’t be able to regain access to your Apple ID if it gets locked after someone has tried to guess your password and entered it incorrectly too many times.

Approximately one-third of respondents who voted in our poll said they had enabled two-step verification for their Apple ID, with four out of every ten respondents planning to enable the feature at some point in the future.

According to an Apple support document, two-step verification is currently available in 59 countries.

[Elcomsoft via Engadget]

  • Rowan09

    I read the Engadget article and it was just click bait. If I have someone’s id, password and token why do I need this application?

  • Nothing is unhackable. They also have mind reading equipment so nothing is safe.