Apple said Monday it was “actively investigating” the violation of several of its iCloud accounts, in which revealing photos and videos of prominent Hollywood actresses were taken and posted all over the Web.
Users on Twitter were able to use the tool from GitHub — which was published for two days before being shared to Hacker News — to access their own accounts before it seems Apple patched the hole today. The owner of the tool noticed it was patched at 3:20am PT.
The code exploited a vulnerability with the Find My iPhone sign in page that allowed hackers to flood the site with password attempts without being locked out. By employing bruteforcing techniques, hackers could use this to guess the password used to protect the account.
So was Apple’s Find My iPhone vulnerability to blame for the iCloud hack? The speech that outlined the vulnerability took place at the Def Con conference in Russia on Aug. 30, leaving potential hackers only a small period of time to exploit the vulnerability, unless they were already aware of the brute force exploit. Evidence suggests that the leaked celebrity photos were gathered over a period of weeks, or even years, instead of a quick one-day attack, meaning that there may be a completely different vulnerability in iCloud that has yet to be discovered.
These days, an Apple ID is the key to a lot more than just photos.
After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.
It sounds like the Find My iPhone bug was real, just not used for this particular incident. It’s not clear whether the passwords were guessed or whether the accounts were compromised via Apple’s support staff through security questions or social engineering.
What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public. The networks are broken down horizontally with specific people carrying out specific roles, loosely organized across a large number of sites (both clearnet and darknet) with most organization and communication taking place in private (email, IM).
In reviewing months worth of forum posts, image board posts, private emails, replies for requests for services, etc. nowhere was the FindMyPhone API brute force technique (revealed publicly and exploited in iBrute) mentioned. This doesn’t mean that it wasn’t used privately by the hackers – but judging by the skill levels involved, the mentions and tutorials around other techniques and some of the bragged about success rates with social engineering, recovery, resets, rats and phishing – it appears that such techniques were not necessary or never discovered.
Apple accounts seem particularly vulnerable because of the recovery process, password requirements and ability to detect if an email address has an associated iCloud account. […] It would be a good idea for Apple to kill the interface on signup that shows new users if their email account is available to use as an iCloud account or not. It would also be a good idea to make the recovery process one big step where all data is validated at once and the user is not given a specific error message. It would also be wise to attach rate limits and strict lockout on this process on a per-account basis.
Two-factor authentication for iCloud is useless in preventing passwords or authentication tokens being used to extract online backups.
Apple did patch the vulnerability on 1 September, limiting the damage, although we don’t know how long the vulnerability existed and how widespread abuse may have been before the tool was released.
But based on Apple’s statement, the iBrute tool or some other direct attack on iCloud or Find My iPhone was not the source of the celebrity photo theft. That statement, however, was carefully constructed in case conflicting information later emerges in the investigation.
Update (2014-09-03): Russell Ivanovic:
I could write entire blog posts about how that level of blame deflection is beyond patronising.
Strong passwords and two-step verification. Makes perfect sense right? Except Apple forgets to mention that there’s no such thing as two-step authentication for your iCloud photos, or even access to your iCloud account.
Update (2014-09-05): Christina Warren:
For just $200, and a little bit of luck, I was able to successfully crack my own iCloud password and use EPPB to download my entire iCloud backup from my iPhone. For $400, I could have successfully pulled in my iCloud data without a password and with less than 60 seconds of access to a Mac or Windows computer where I was logged into iCloud.
Apple’s two-factor implementation does not protect your data, it only protects your payment information.
What makes this even worse is that Apple is encouraging users to use “strong passwords and two-step verification.” That’s all well and good, but in this case, two-step verification wouldn’t have mattered. If someone can get physical or remote access to a computer that uses iCloud or successfully convince a user to click on a phishing email for iTunes and get a password, an iCloud backup can be downloaded remotely, two-factor verification or not.
If Apple won’t encrypt iCloud backups (which it should), at the very least, it should make the authentication token stored on Windows or OS X encrypted — or at least not stored in plaintext. I can give Apple a pass on a lot of aspects of security, but this is just amateur hour.
It looks like that’s not correct; the authentication token is stored in the keychain.
Update (2014-09-06): Daisuke Wakabayashi:
In his first interview on the subject, Apple Chief Executive Tim Cook said celebrities’ iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords, or when they were victimized by a phishing scam to obtain user IDs and passwords.
Update (2014-09-08): Eric Slivka:
As noted by Letem světem Applem and confirmed by MacRumors, Apple has already begun sending out alert emails when iCloud accounts are accessed via web browsers. The alerts are being sent out even if the specific browser has been used previously to access iCloud, but this is presumably a one-time measure that will not be repeated for future logins with that combination of browser and machine.
Stay up-to-date by subscribing to the Comments RSS Feed for this post.