Lack of two-factor authentication allows remote iCloud data download
Russian security researcher Vladimir Katalov analyzed Apple's secretive iCloud and Find My Phone protocols to discover that neither are protected by two-factor authentication, and iCloud data can be downloaded remotely without a user ever knowing.
In "Cracking and Analyzing Apple’s iCloud Protocols," presented to a crowded room at Hack In The Box security conference last Thursday in Kuala Lumpr, Malaysia, Vladimir Katalov revealed that user information and data is not as inaccessible as Apple is telling the public.
Katalov's findings appear to support his emphatic statement that Apple can access data it claims to not be able to access. A malicious attacker only needs an Apple ID and password to perform remote iCloud backups — and do not need the user's linked devices. He explained that there is no way for a user to encrypt their iCloud backups.