Apple, BlackBerry & Windows backups hacked

Thursday, 27 February 2014 - 8:44pm IST | Agency: dna Shadow Editorial Board
  • Photography by Manna Kanuga

Smartphones can literally store your life – your photos, videos, contact information, location data, messages, email and even financial information. The problem is they aren't smart enough when it comes to protecting the data entrusted to them.

Smart devices can reveal a lot to prying eyes, but, for the first time, hackers can access every last byte of backup data by using a single password. And cloud storage, by enabling them to download the data off the internet, is their accomplice.

The compromise of an email account, which leads to the resetting of one's password, has now become a major cause for concern. Vladimir Katalov, the CEO, co-founder and co-owner of ElcomSoft Co. Ltd., explained at Nullcon 2014 how this works in the case of three of the four most popular mobile devices:

Apple iCloud: Apple's cloud storage service, iCloud, suggests backing up your iPhone data to Apple servers which are, in fact, Amazon or Microsoft servers. By design, the only way to access the backup data is by restoring the backup directly onto the device, and thus only over a Wi-Fi connection. The truth, however, is that everything can be downloaded onto a PC, provided the Apple ID and password are available. Apart from backups, iCloud can store iTunes content, photo stream, contacts, iWork documents, application files and more, which can be accessed either from devices signed up to the account or from the icloud.com web site. It is possible to access and download all information stored there by sending specific requests to iCloud.

BlackBerry: The device backups created with BlackBerry Desktop Software were easy enough to dissect. The password protection proved relatively easy to crack. For BlackBerry 10 devices, there is new software: BlackBerry Link. Though there is no device password for the phones, backup data is encrypted using the BlackBerry ID (and password), as well as device-specific data and some specific data that has to be obtained from BlackBerry servers (Olympia Service). By design, it is not possible to restore BlackBerry backups to another device, but it's now possible to hack backups made with BlackBerry Link, provided one has the ID, password and access to the aforementioned service.

Note: BlackBerry itself can do this regardless of the backup security settings one might have.

Windows Phone 8: Not all the data from the device is stored in Microsoft OneDrive, the Windows cloud storage service. What you can get is a list of apps installed, call history, accounts set up, IE favourites, media files (photos and videos), and all settings. Again, by design, one can only restore the backup to the smartphone. However, there is a way to pull all of this information by fooling the Microsoft servers using the same trickery hackers would perform on the iCloud service.

