Katalov's findings appear to support his emphatic statement that Apple can access data it claims to not be able to access.
A malicious attacker only needs an Apple ID and password to perform remote iCloud backups — and do not need the user's linked devices.
He explained that there is no way for a user to encrypt their iCloud backups.
The data is encrypted, he explained, but the keys are stored with the data. Katalov added that Apple holds the encryption keys.
Katalov told ZDNet he was shocked to discover that in addition to all of these security chain issues, Apple's iCloud data is stored on Microsoft and Amazon servers.
[...]
When asked if he had presented his discoveries to Apple, he explained that his findings were the results of protocol analysis — and are not a vulnerability.
Put another way, the iCloud security hole falls into the "it's a feature, not a bug" category.
