Reprinted from TidBITS by permission; reuse governed by Creative Commons
license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary
on Apple and Internet topics. For free email subscriptions and access to the
entire TidBITS archive, visit http://www.tidbits.com/


   iCloud Flaw Not Source of Celebrity Photo Leak

   Rich Mogull

   Over the weekend, [1]disturbing news broke that criminals pilfered the
   private photos of certain celebrities, posted some online, and offered
   more up to the highest bidder. It is one of the deepest, most
   disturbing violations of privacy possible, and while this incident
   focused on the famous, the crime is certainly neither new nor limited
   to those living public lives. As speculation swirled around the
   source(s) of the photos, [2]reports emerged on Twitter of the existence
   of a public tool to brute force iCloud passwords, which may have been
   involved in the crime.

   [3]Apple denies that the iBrute tool was used in the celebrity attacks:

     ... After more than 40 hours of investigation, we have discovered
     that certain celebrity accounts were compromised by a very targeted
     attack on user names, passwords and security questions, a practice
     that has become all too common on the Internet. None of the cases we
     have investigated has resulted from any breach in any of Apple's
     systems including iCloud® or Find my iPhone. We are continuing to
     work with law enforcement to help identify the criminals involved.

   As is nearly always the case in a big security story, it takes time for
   the facts to emerge. Apple likely didn't know for sure if iCloud was
   involved at all, and only after intense investigation was able to
   better understand the attack.

   Thus, despite even my own suspicions, it appears that some celebrities
   were deliberately targeted and had their iCloud accounts compromised --
   not due to the recently patched flaw, but rather by guessing passwords
   or answers to security questions.

   Passwords at the Root -- Based on Apple's statement and similar
   previous incidents, the criminals appear to have individually
   compromised a set of targeted accounts. A variety of techniques could
   have been used, including using one compromised account to attack other
   celebrities with a relationship to the victim.

   At this point, speculating as to the exact nature of the attack is
   little more than guessing, and Apple may still hold some
   responsibility. For example, although Apple supports two-factor
   authentication, it doesn't directly restrict the ability to set up a
   new device with access to your iCloud account (I suspect this will be
   changed quickly). That doesn't make Apple responsible (though the
   company doesn't make [4]two-factor authentication easy to set up,
   either), but two-factor authentication is one of the only viable
   options to protect accounts in a world where passwords are increasingly
   difficult to manage.

   Even if Apple didn't do anything intentionally wrong, as seems to be
   the case, that doesn't mean we shouldn't hold them (and all cloud
   providers) to a higher standard as we place more and more trust into
   our devices and the cloud.

   iBrute Limited -- On 30 August 2014, someone using the name 'hackapper'
   [5]released a tool called iBrute on the GitHub software code sharing
   service. The tool attacked an account by iterating through the 500 most
   common passwords (obtained from a big repository of stolen passwords)
   that met Apple's password requirements. It did this via a direct
   connection to iCloud over an Application Programming Interface (API)
   for Find My iPhone, allowing it to blast through all 500 passwords
   relatively quickly.

   This is known in security circles as a brute force attack, since it
   doesn't bypass the password, but merely tries as many passwords as it
   can until it hits the right one.

   Normally, these attacks are thwarted by limiting the number of times
   you can try a password before being locked out of the account. In this
   case, Apple seemed to allow a higher number of password attempts (some
   claim there is no limit, but I've been given conflicting information,
   and can't test now that the flaw is fixed).
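   The two paragraphs above describe the attack (replay a fixed list of
   common passwords against one account) and the control that normally
   defeats it (lock the account after a handful of failures). The
   following Python is an added illustration, not code from the article,
   from Apple, or from the iBrute tool: it models a login service that
   stores salted PBKDF2 password hashes and counts failures per account,
   then replays a constructed list of 500 stand-in candidates against it
   with and without a lockout. The account name, the password, the
   candidate strings, the failure threshold and the lockout window are all
   made up for the demonstration; nothing here contacts a real service.

```python
"""Model of the server-side lockout that thwarts online password guessing.

Added example with constructed data. The account, password, candidate
list and thresholds are invented; no real service is involved.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # failed attempts tolerated before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked (assumed policy)
PBKDF2_ROUNDS = 1_000       # kept low so the demo runs quickly; use far more in production


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a leaked store is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failures since the last success/lockout
    locked_until: float = 0.0  # monotonic timestamp; 0 means not locked


class AuthService:
    """In-memory login endpoint with per-account failure counting."""

    def __init__(self, clock=time.monotonic, max_failures=MAX_FAILURES,
                 lockout=LOCKOUT_SECONDS):
        self._clock = clock            # injectable so tests can advance time
        self._accounts = {}
        self.max_failures = max_failures
        self.lockout = lockout
        self.log = []                  # (user, outcome) audit trail for detection

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'success', 'failure' or 'locked'. Unknown users look like
        a plain failure so the response does not reveal valid account names."""
        acct = self._accounts.get(user)
        if acct is None:
            self.log.append((user, "failure"))
            return "failure"
        now = self._clock()
        if now < acct.locked_until:
            self.log.append((user, "locked"))
            return "locked"          # password is not even evaluated
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failures = 0
            self.log.append((user, "success"))
            return "success"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.locked_until = now + self.lockout
            acct.failures = 0
        self.log.append((user, "failure"))
        return "failure"


def guessing_run(service: AuthService, user: str, candidates):
    """Replay a candidate list against one account.
    Returns (passwords actually evaluated, attempts refused as locked, success)."""
    evaluated = locked = 0
    success = False
    for pw in candidates:
        outcome = service.login(user, pw)
        if outcome == "locked":
            locked += 1
        else:
            evaluated += 1
        if outcome == "success":
            success = True
            break
    return evaluated, locked, success


# Constructed stand-in for a "500 most common passwords" list; the real
# password is placed last so an unthrottled run reaches it eventually.
CANDIDATES = [f"Guess{i:03d}a" for i in range(499)] + ["Correct-Horse9"]
USER = "victim@example.com"   # constructed account name


def compare(max_failures: int = MAX_FAILURES) -> dict:
    """Run the same candidate list against a service with no lockout and
    one with a lockout, then show the legitimate user regains access
    once the lockout window has passed."""
    clock = [0.0]
    unlimited = AuthService(clock=lambda: clock[0], max_failures=10**9)
    unlimited.register(USER, "Correct-Horse9")
    limited = AuthService(clock=lambda: clock[0], max_failures=max_failures)
    limited.register(USER, "Correct-Horse9")
    results = {
        "no_limit": guessing_run(unlimited, USER, CANDIDATES),
        "lockout": guessing_run(limited, USER, CANDIDATES),
    }
    clock[0] += LOCKOUT_SECONDS          # wait out the lockout
    results["after_wait"] = limited.login(USER, "Correct-Horse9")
    return results


if __name__ == "__main__":
    print(compare())
```

   With the lockout in place only the first five candidates are ever
   checked against the stored hash; the remaining 495 are refused before
   the password is evaluated, and the audit log fills with "locked" entries
   for one account, which is exactly the signal a detection rule would key
   on. Without the lockout every candidate is evaluated and the list
   eventually succeeds. The legitimate owner can still sign in once the
   window expires, which is why a temporary lockout is preferred over a
   permanent one.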

   [6]Apple did patch the vulnerability on 1 September, limiting the
   damage, although we don't know how long the vulnerability existed and
   how widespread abuse may have been before the tool was released.

   But based on Apple's statement, the iBrute tool or some other direct
   attack on iCloud or Find My iPhone was not the source of the celebrity
   photo theft. That statement, however, was carefully constructed in case
   conflicting information later emerges in the investigation.

   This is a terrible situation, and possibly one that started with
   criminal attacks months or years ago. The only ones to blame are the
   criminals who stole the photos, and those that support them by looking
   at or even purchasing the photos.

   But Apple, like all major cloud providers, needs to step up its game,
   especially since it wants to store our photos, biometric information
   (medical, not fingerprints), and possibly even payment information in
   the cloud. These kinds of attacks are only going to increase, and
   online services need to make it easier for users to implement a higher
   level of security, without destroying the user experience. It's the
   kind of challenge well-suited to Apple's strengths; now it's time for
   them to move up to the next level.

   In the meantime, it may not be a terrible idea to follow Glenn
   Fleishman's directions for setting up two-factor authentication with
   your Apple ID, as outlined in "[7]Apple Implements Two-Factor
   Authentication for Apple IDs" (21 March 2013).

References

   1. http://www.huffingtonpost.com/2014/08/31/jennifer-lawrence-nude-photos_n_5745260.html
   2. https://twitter.com/PenLlawen/status/506418359039459328
   3. http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html
   4. http://www.dailydot.com/technology/apple-icloud-two-step-verification/
   5. https://github.com/hackappcom/ibrute
   6. http://thenextweb.com/apple/2014/09/01/this-could-be-the-apple-icloud-flaw-that-led-to-celebrity-photos-being-leaked/
   7. http://tidbits.com/article/13654