Vulnerability in Apple iCloud puts a billion users at risk

The security of over a billion iPhone owners and users of popular instant messengers is at risk due to a vulnerability in Apple iCloud.

As Forbes reports, private messages sent via iMessage and WhatsApp on iPhone are not secure when using factory settings.

While encrypted apps like iMessage and WhatsApp keep messages on the device completely safe, a vulnerability in Apple’s iCloud backup system puts them at risk, and unauthorized people can access messages. This is possible as Apple stores message encryption keys in iCloud backups, which undermines the main security features that protect iMessage.

Apple states in its security policies: “End-to-end encryption protects iMessage conversations on all your devices, so Apple cannot read your messages as they are transferred between devices.”
This means that while messages are fully protected in transit between phones, they are not necessarily protected on the device or in the cloud.

“iMessage is secured by end-to-end encryption, the idea being that the keys to decrypt messages between you and those you message are only shared between you. That stops anyone intercepting your content. But in a bizarre twist, Apple stores a copy of those encryption keys in that iCloud backup, which it can access. That means the end-to-end encryption is actually fairly pointless,” information security specialist and Forbes columnist Zak Doffman writes.

Apple has come under a lot of pressure recently after an internal FBI document was released proving that the bureau regularly accesses messages on nine secure messengers, including iMessage and WhatsApp.

“If the target is using an iPhone and iCloud backup is enabled, the data returned by iCloud may contain WhatsApp data to include the content of the message,” the FBI document says.

To keep their messages safe, users can turn off iCloud backups.

Apple also urgently needs to change its approach to iCloud to stop storing encryption keys and avoid backing up encrypted data.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
