Apple iCloud Security Incident

Published: 2014-09-02
Last Updated: 2014-09-02 11:57:52 UTC
by Rob VandenBrink (Version: 1)
8 comment(s)

There's lots of interest in the recent iCloud incident, where apparently several "celebrity" accounts were compromised.

Sorry to say, it's not a rumour.  It's also something that could and should have been prevented.  It turns out that the API for the "Find My iPhone" app did not have protections against brute force attacks.

This, combined with the first couple hundred lines of a common password dictionary (often downloaded as the filename  "500 worst passwords") resulted in some targeted accounts being compromised.  And of course once an account password is successfully guessed, all iCloud data for that account is available to the attackers.  So no rocket science, no uber hacking skills.  Just one exposed attack surface, basic coding skills and some persistence.

Having gone through that password file, you really wonder how much folks using any of those passwords valued their data in the first place.

Apple quickly fixed the vulnerability, so it is no longer in play (unless your account was compromised prior to the mitigation and you haven't changed your password).  The code is on github if you are interested.

This just reinforces the common theme that - to put it mildly - trusting personal data to simple passwords is not recommended.  If you can't use complex passwords (for me, that's greater than 15 characters) or don't have a second factor, then don't use the service.

===============
Rob VandenBrink
Metafore

Keywords:
8 comment(s)

Comments

Here's the bottom line about this hack: had the victims had iCloud photo synching and iCloud backups turned off, the damage would have been significantly less. Perhaps a few pictures in emails, etc. but most of the hacked pictures are from iCloud photo and iCloud backups, from what I've read.

And this takes me to one of my pet peeves: almost anything IT (computers, tablets, smartphones, clouds, etc.) have almost all of the miscellaneous options, features (e.g. iCloud backups) turned on by default. If I were designing something, I would have everything turned off by default, except for the bare minimum required to run the (fill in the black). And then let the users decide what they need or what they don't need. Then at least it's a conscious decision when they turn something ON.

I guess companies, developers, etc. do the opposite and turn everything on because they want to showcase all of their features. Or perhaps it's because users and consumers can't be trusted to know what they want or what they need (sarcastic) - so it's easier to just turn everything on. But the bottom line is that many people are running around with technology that they don't fully understand - and that is nothing short of dangerous. And enabling every little feature/option/service by default is simply adding fuel to the fire.
I couldn't agree more, Jack! How many of these wonderful "features" prove to have security flaws that cause users to lose identity or other important personal data? I'd love to see some security benchmarks for OS vendors and manufacturers to follow.
Correct me if I'm wrong, but my understanding is that all iCloud data is encrypted at rest with 128-bit AES, except Mail and Notes. Ignoring for a moment the fact that some people store confidential information in email and/or Notes, the fact that the attacker was able to decrypt the photos also implies that all other data backed up by iCloud has been decrypted by the attacker. (Yeah, I know there are a few people out there using the iCloud Keychain which uses 256-bit AES.)
My question is this: What does Apple use to generate the key? If the key is easily guessed or brute-forced offline, then isn't it reasonable to assume that all iCloud users' data is at risk? Personally, I'm assuming that my iCloud account has been compromised.
The hackers were able to brute-force the celeb accounts through a weakness in the www.icloud.com portal. The weakness is that Apple did not enforce a lockout mechanism when authenticating through icloud.com (e.g. lockout account after 5 bad attempts). This allowed the hackers to hammer away at the targeted accounts without repercussion or detection (by Apple). Once the hackers acquired the celeb account password, this provided access to all of their data stored in icloud (as account + password = decrypted data).

So, with the information that Apple has made available as of today, this was not a broader breach of icloud data. So, unless you were specifically targeted by the hackers, your data was not hacked and should still be safe.

I believe Apple fixed the authentication weakness on the icloud portal yesterday, so hackers can no longer brute force icloud accounts through icloud.com.

The problem was not Apple's encryption (or implementation of encryption) but instead a combination of weak passwords and the icloud.com portal not having an account lockout mechanism to protect against brute-force attacks.
How does Apple know that only these individuals were targeted?
I read that Apple was able to identify which accounts were targeted by reviewing two things: (1) failed access attempt logs on icloud.com and (2) geo-location information for the source IPs that were making those attempts. The targeted accounts had a high number (I'm assuming in the tens or hundreds of thousands) of failed access attempts from Russian IP addresses, indicative of a brute-force attack. I suppose other accounts could have been targeted, but I would imagine that Apple would have gotten in touch with the owners of those accounts as well - as they did for the celebs.

But you raise a valid point. Without Apple letting you know, there is no way for you to know for sure whether or not your account was compromised. If you're worried, the best countermeasure is to change your password.
Here is what happened to me this weekend, and this might also be the way the celebreties accounts were compromised:

I am running OS Yosemite with filevault encryption and firewall (no incoming traffic). I have also Little Snitch installed.

I have noticed lately that i got many requests for contacts in skype. Suddenly a pop-up screen appeared like an address card:

User: doughboy04690. It disappeared but was there long enough for me to note it down. I restarted computer and came to login as me or guest. I had never made a test account, so this was a sure sign somebody had got access.

I almost panicked - changed passes all around, and was ready to format and reinstall. In the end i relaxed and looked for changes. I saw that they had changed my icloud settings to transfer iphoto to icloud. A setting i had not made. I then looked at Skype and saw a lot incoming requests from different IP's to get access. I blocked all with Little Snitch and everything has been quiet since then.

This can very well be the method they used for celebreties also. If you don't have a software firewall as little snitch you would not know. After getting photos on icloud i guess they brute force hack password there.
Apple has a kind of arrogance that she can't be hacked or fooled. Now there is a tool to bypass iCloud. That seemed impossible for a long time. However, in May 2014, the perfect way to bypass iCloud was discovered by two Dutch hackers. Apple believed it wasn’t possible to bypass their security, because is was high-end. But the DoulCi team was able to circumvent the security measures by using a man in the middle scenario. More than 400 million users worldwide are using Apples storage device, known as iCloud. Tens of thousands of users were able to unlock their iPhone in the first couple of days.

Not only iPhones, but also iPods and iPads are vulnerable to this sophisticated ‘hack’. Look at this website:

http://www.doulci-icloud-bypass.com/

Diary Archives