On 31 August 2014, disturbing news broke that criminals had pilfered the private photos of certain celebrities, posted some online, and offered more up to the highest bidder. It is one of the deepest, most disturbing violations of privacy possible, and while this incident focused on the famous, the crime is neither new nor limited to those living public lives. As speculation swirled around the source(s) of the photos, reports emerged on Twitter of the existence of a public tool to brute force iCloud passwords, which may have been involved in the crime.
Apple denies that the iBrute tool was used in the celebrity attacks:
After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
As is nearly always the case in a big security story, it takes time for the facts to emerge. Apple likely didn’t know for sure if iCloud was involved at all, and only after intense investigation was able to better understand the attack.
Thus, despite even my own suspicions that iCloud must have been involved, it appears that some celebrities were deliberately targeted and had their iCloud accounts compromised — not due to the recently patched flaw, but rather by the attackers guessing passwords and/or answers to security questions.
Passwords at the Root -- Based on Apple’s statement and similar previous incidents, the criminals appear to have individually compromised a set of targeted accounts. A variety of techniques could have been used, including using one compromised account to attack other celebrities with a relationship to the victim.
At this point, speculation about the exact nature of the attack is just that, and Apple may still hold some responsibility. For example, although Apple supports two-factor authentication, it doesn’t directly restrict the ability to set up a new device with access to your iCloud account (I suspect this will be changed quickly). That doesn’t make Apple responsible (though the company doesn’t make two-factor authentication easy to set up, either), but two-factor authentication is one of the only viable options to protect accounts in a world where passwords are increasingly difficult to manage.
Even if Apple didn’t make any significant security mistakes, as seems to be the case, that doesn’t mean we shouldn’t hold them (and all cloud service providers) to a higher standard as we place more and more trust into our devices and the cloud.
iBrute Limited -- On 30 August 2014, someone using the name “hackapper” released a tool called iBrute on the GitHub code sharing service. The tool attacked an account by iterating through the 500 most common passwords (obtained from a large repository of stolen passwords) that met Apple’s password requirements. It did this via a direct connection to iCloud over an application programming interface (API) for Find My iPhone, enabling it to blast through all 500 passwords relatively quickly.
This is known in security circles as a brute force attack, since it doesn’t bypass the password, but merely tries as many passwords as it can until it hits the right one.
Normally, these attacks are thwarted by limiting the number of times passwords can be tried before the user is locked out of the account. In this case, Apple seemed to allow a higher number of password attempts (some claim there is no limit, but I’ve been given conflicting information, and can’t test now that the flaw is fixed).
Apple patched this vulnerability on 1 September 2014, limiting the damage, although we don’t know how long the vulnerability existed or how widespread abuse may have been before the tool was released.
But based on Apple’s statement, the iBrute tool or some other direct attack on iCloud or Find My iPhone in general was not the source of the celebrity photo theft. That statement, however, was carefully constructed in case conflicting information later emerges in the investigation.
This is a terrible situation, and possibly one that started with criminal attacks months or years ago. The only ones to blame are the criminals who stole the photos, and those that support them by looking at or even purchasing the photos.
But Apple, like all major cloud providers, needs to step up its game, especially since it wants to store (or is already storing) our email, chats, photos, medical data, and payment information in the cloud. These kinds of attacks are only going to increase, and cloud services need to make it easier for users to implement higher levels of security, without destroying the user experience. It’s the kind of challenge well suited to Apple’s strengths; now it’s time for the company to apply its vaunted design and user interface chops to the problem.
In the meantime, I recommend following Glenn Fleishman’s directions for setting up two-factor authentication with your Apple ID, as outlined in “Apple Implements Two-Factor Authentication for Apple IDs,” (21 March 2013).