Obtain Device Cloud Backups

An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud [1]. Elcomsoft also describes [2] obtaining WhatsApp communication histories from backups stored in iCloud.

ID: T1470
Sub-techniques:  No sub-techniques
Tactic Type: Without Adversary Device Access
Platforms: Android, iOS
MTC ID: ECO-0, ECO-1
Version: 1.0
Created: 25 October 2017
Last Modified: 17 October 2018

Mitigations

ID Mitigation Description
M1011 User Guidance

Encourage users to protect their account credentials and to enable available multi-factor authentication options.

Detection

Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.

References