Apple is back to the dumb idea of locking iCloud accounts that our software downloads backups from. And now it is f*cking insane (1/X)
Some time ago, they just forced a change of the account password. And that was not effective (nor was it secure).
Just think of the second factor: if you have it (a trusted phone number or device), you can do virtually everything. And without it, you cannot download backups.
Now they have a “softer” lock: the account itself keeps working, but you cannot download backups anymore. The problem is that a legitimate restore (to a real device) does not work either.
But when/if the restore works (it may take several tries), then... cloud backups can be downloaded by the software again. For the next 24 hours.
We do not know what their security engineers are smoking, but the current implementation (1) does not add a bit of security or privacy, and (2) stops LEA from working.
In fact, there is more. For example, Safari browsing history is now end-to-end encrypted in the cloud. But first, it is not really “e2e” - we can still decrypt it (like we did for keychain, Health and more).
...and second, history syncing just stopped working for many (though not all) devices and accounts. That’s probably the best protection, right! :)
Congrats, Apple. You spent so many resources for nothing. Better fight GrayKey maybe? :)
You can follow @ElcomSoft.