{ "type": "bundle", "id": "bundle--1d7b0740-0d62-4d60-b8af-d501c7348fe2", "spec_version": "2.0", "objects": [ { "x_mitre_platforms": [ "Android", "iOS" ], "x_mitre_domains": [ "mobile-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "attack-pattern", "id": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d", "created": "2017-10-25T14:48:18.237Z", "x_mitre_version": "1.0", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1470", "url": "https://attack.mitre.org/techniques/T1470" }, { "source_name": "Elcomsoft-EPPB", "url": "https://www.elcomsoft.com/eppb.html", "description": "Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016." }, { "source_name": "Elcomsoft-WhatsApp", "url": "https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/", "description": "Oleg Afonin. (2017, July 20). Extract and Decrypt WhatsApp Backups from iCloud. Retrieved July 6, 2018." }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-0" }, { "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html", "source_name": "NIST Mobile Threat Catalogue", "external_id": "ECO-1" } ], "x_mitre_deprecated": true, "revoked": false, "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). \nElcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.", "modified": "2022-04-06T15:54:11.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Obtain Device Cloud Backups", "x_mitre_detection": "Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects" } ], "x_mitre_is_subtechnique": false, "x_mitre_tactic_type": [ "Without Adversary Device Access" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] }