Apple has had its fair share of privacy and security controversies in the last few years. There was ‘Celebgate’, in which celebrities had their iCloud accounts hacked, causing Apple to hurriedly revamp its authentication process. It has endured a spat with the FBI over iPhone password access, while also admitting that it keeps the keys to your data if you synchronize it to iCloud.
Moscow-based Elcomsoft, which specializes in analyzing cloud services, has made some startling discoveries about Apple’s iCloud service over the last year. In August 2016, it discovered that Apple was keeping photos in the iCloud Photo Library for several years after users had deleted them. In February, it found that iCloud retains deleted Safari browsing history indefinitely, and in May, it revealed that iCloud also keeps deleted Notes.
To its credit, Apple changed some things after Elcomsoft notified it, and no longer retains deleted photos or notes in iCloud. However, there is one thing that it does not appear to have changed.
“Several months ago we discovered that call logs from Apple devices are being synced, although there is absolutely no mention of that in the Apple documents,” says Elcomsoft CEO Vladimir Katalov. Apple mentions Facetime call invitations in guidelines detailing data that it can provide to law enforcement, but not telephone call logs.
There is no way to turn off that synchronization on your iPhone without disabling the iCloud service, he adds.
Katalov was at SecTor 2015 to talk about Google’s data tracking activities. This year, he will be back for a behind-the-scenes discussion of how Apple’s iCloud works, along with some techniques for bypassing the two-factor authentication (2FA) that it uses.
From passwords to cloud
Elcomsoft cut its teeth selling software to crack passwords. It started out in 1990, taking a password recovery tool that it had developed for itself and converting it for sale to others. Its line of password cracking products grew, and it now sells to customers including law enforcement agencies and other government departments.
The password cracking business took a turn in 2008, when graphics card vendor NVIDIA released CUDA, a programming platform that lets software developers use its graphics processing units (GPUs) for general-purpose computing.
The beauty of GPUs lies in their massive parallelism: thousands of simple cores executing the same operation on different data at once. That makes them well-suited to a range of tasks including artificial intelligence training, mining cryptocurrency, and cracking passwords, where every core can test a different candidate password against the same hash.
The GPU effect made it dramatically easier to crack passwords. Elcomsoft later released a tool enabling customers to crack WiFi passwords using NVIDIA chips.
Password cracking is getting harder these days, though, says Katalov. Companies still rely on the same long-established cryptographic hash functions to protect stored passwords and to derive encryption keys from them, but they have changed the way they apply them.
“They are making the process to check the password longer. To check one password, we would only need a millisecond several years ago,” Katalov says. “Now with the fastest processors available, we can only check a few passwords per second, even with the best optimization.”
Companies have also learned to use ‘salting’, a technique which mixes a random value, different for every user, into the password before hashing it. The salt is stored alongside the resulting hash, so it need not be secret; its purpose is to make every user’s hash unique. That defeats some tools of the trade, such as rainbow tables, which precompute the hashes of commonly-used passwords under common hashing algorithms so they can be looked up rather than recalculated. With a per-user salt, a table built in advance matches nothing, and each guess has to be hashed afresh for each user.
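The two defences described above, slow iterated hashing and per-user salting, as an added example that is not part of the original article and not Elcomsoft’s code. It contrasts a single unsalted SHA-256 pass (the old scheme, which a precomputed table breaks instantly) with PBKDF2-HMAC-SHA256 plus a random salt. PBKDF2 is used here only as a concrete, standard-library instance of an iterated key derivation function; the article names no specific algorithm. The list of “common passwords” and the stored record format are constructed for the demonstration.

```python
import hashlib
import os
import secrets
import time

# Constructed list standing in for the candidate dictionary a rainbow table
# would be built from. Not real leaked data.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "iloveyou"]

# Iteration count for the slow scheme. Real deployments tune this higher;
# kept moderate here so the example runs quickly.
ITERATIONS = 100_000


def fast_hash(password: str) -> str:
    """Old scheme: one unsalted SHA-256 pass. Identical passwords give identical
    hashes, so a table precomputed once serves against every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(candidates):
    """hash -> password for every candidate; the lookup a rainbow table
    amortizes into a time/memory trade-off."""
    return {fast_hash(p): p for p in candidates}


def lookup_in_table(table, stored_hash: str):
    """Instant recovery if the unsalted hash appears in the table."""
    return table.get(stored_hash)


def slow_salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """New scheme: PBKDF2-HMAC-SHA256 over password + per-user salt.
    The salt is stored in the clear inside the record (hypothetical '$'-separated
    format); it is not a secret, it only makes each user's hash unique."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow_salted(password: str, stored: str) -> bool:
    """Recompute the KDF from the parameters in the record and compare in
    constant time, so verification does not leak via timing."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


def crack_salted_record(stored: str, candidates):
    """With no usable table, the attacker must run the full KDF once per
    guess per user. Returns the matching candidate or None."""
    for cand in candidates:
        if verify_slow_salted(cand, stored):
            return cand
    return None


def guesses_per_second(hash_fn, trials: int = 20) -> float:
    """Rough throughput of a hashing scheme on this CPU, for comparison."""
    start = time.perf_counter()
    for i in range(trials):
        hash_fn(f"guess{i}")
    return trials / (time.perf_counter() - start)


def salted_hashes_differ(password: str) -> bool:
    """Same password, two salts: the stored digests must not match."""
    a = slow_salted_hash(password, os.urandom(16))
    b = slow_salted_hash(password, os.urandom(16))
    return a.split("$")[-1] != b.split("$")[-1]


if __name__ == "__main__":
    table = build_precomputed_table(COMMON_PASSWORDS)
    victim_pw = "letmein"

    # Unsalted, single-pass: one dictionary lookup and the password is out.
    print("unsalted lookup:", lookup_in_table(table, fast_hash(victim_pw)))

    # Salted, iterated: nothing in the table matches; every guess costs a full KDF.
    record = slow_salted_hash(victim_pw, os.urandom(16))
    print("salted record in table:", lookup_in_table(table, record.split("$")[-1]))
    print("salted record cracked by brute force:", crack_salted_record(record, COMMON_PASSWORDS))

    fast = guesses_per_second(fast_hash)
    slow = guesses_per_second(lambda p: slow_salted_hash(p, b"\x00" * 16))
    print(f"fast scheme: ~{fast:,.0f} guesses/s, slow scheme: ~{slow:,.1f} guesses/s")
```

The brute-force loop still finds `letmein` because it is in the candidate list; salting does not protect a weak password, it only removes the precomputation shortcut and forces the attacker to pay the full per-guess cost for every user separately. The iteration count is what shrinks the guesses-per-second figure Katalov describes.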
While the company still sells password cracking software, it has expanded into cloud forensics. “Almost everything that is stored on the phone is also stored in the cloud,” Katalov points out. So, Elcomsoft began exploring the protocols and authentication mechanisms that the cloud vendors were using to synchronize with their phones.
It has analyzed cloud storage techniques across various vendors, and publishes on its website a list of the known categories of information that Microsoft, Google and Apple store in their clouds.
At SecTor, Katalov will be talking about Apple’s 2FA technology, which Apple introduced with iOS 9 as a way to better protect its accounts.
With 2FA, an attacker should not be able to get into your account simply by guessing your password or harvesting it through a phishing attack, as happened in Celebgate. Instead, Apple sends a verification code to a device you already control, which you enter to tell Apple that the new device is trusted. Apple then stores an authentication token on that trusted device and checks it along with your username and password on later sign-ins.
The weak point is that the token itself is a stored artifact. It is possible to recover it from a macOS or Windows PC that a user has set up as a trusted device. With that token and the associated Apple ID email and password, an attacker can sign in to the iCloud account without being challenged for a fresh code and see synchronized data and backup files, in addition to the iCloud keychain. Practically, this means a trusted computer is worth as much as the second factor it stands in for, and should be protected accordingly.
He will discuss more about how Apple’s iCloud stores its data, and the techniques for gaining access to it, in his talk at SecTor this year. SecTor takes place November 13-15 at the Metro Toronto Convention Centre in downtown Toronto. Register here for access.