
iCloud Flaw Not Source of Celebrity Photo Theft

On 31 August 2014, disturbing news broke that criminals had pilfered the private photos of certain celebrities, posted some online, and offered more up to the highest bidder. It is one of the deepest, most disturbing violations of privacy possible, and while this incident focused on the famous, the crime is neither new nor limited to those living public lives. As speculation swirled around the source(s) of the photos, reports emerged on Twitter of the existence of a public tool to brute force iCloud passwords, which may have been involved in the crime.

Apple denies that the iBrute tool was used in the celebrity attacks:

After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

As is nearly always the case in a big security story, it takes time for the facts to emerge. Apple likely didn’t know for sure if iCloud was involved at all, and only after intense investigation was able to better understand the attack.

Thus, despite even my own suspicions that iCloud must have been involved, it appears that some celebrities were deliberately targeted and had their iCloud accounts compromised — not due to the recently patched flaw, but rather by the attackers guessing passwords and/or answers to security questions.

Passwords at the Root -- Based on Apple’s statement and similar previous incidents, the criminals appear to have individually compromised a set of targeted accounts. A variety of techniques could have been used, including using one compromised account to attack other celebrities with a relationship to the victim.

At this point, speculation about the exact nature of the attack is just that, and Apple may still hold some responsibility. For example, although Apple supports two-factor authentication, it doesn’t directly restrict the ability to set up a new device with access to your iCloud account (I suspect this will be changed quickly). That doesn’t make Apple responsible (though the company doesn’t make two-factor authentication easy to set up, either), but two-factor authentication is one of the only viable options to protect accounts in a world where passwords are increasingly difficult to manage.

Even if Apple didn’t make any significant security mistakes, as seems to be the case, that doesn’t mean we shouldn’t hold them (and all cloud service providers) to a higher standard as we place more and more trust into our devices and the cloud.

iBrute Limited -- On 30 August 2014, someone using the name “hackapper” released a tool called iBrute on the GitHub code sharing service. The tool attacked an account by iterating through the 500 most common passwords (obtained from a large repository of stolen passwords) that met Apple’s password requirements. It did this via a direct connection to iCloud over an application programming interface (API) for Find My iPhone, enabling it to blast through all 500 passwords relatively quickly.

This is known in security circles as a brute force attack, since it doesn’t bypass the password, but merely tries as many passwords as it can until it hits the right one.

Normally, these attacks are thwarted by limiting the number of times passwords can be tried before the user is locked out of the account. In this case, Apple seemed to allow a higher number of password attempts (some claim there is no limit, but I’ve been given conflicting information, and can’t test now that the flaw is fixed).
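The attempt limiting described above, as an added example (not code from the article, from Apple, or from the tool): a failed-login counter keyed on the account and shared by every login path, so guesses sent through a secondary API count against the same limit. The endpoint names, time window, and lock duration are assumptions; the threshold of five matches the figure quoted in the comments, and the events are constructed sample data.

```python
from collections import defaultdict, deque

class AttemptLimiter:
    """Failed-login counter keyed on the account, shared by every endpoint."""

    def __init__(self, max_failures=5, window=900, lock=1800):
        self.max_failures = max_failures     # five, as quoted in the comments
        self.window = window                 # assumed: count failures over 15 min
        self.lock = lock                     # assumed: lock the account for 30 min
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked_until = {}              # account -> unlock time

    def check(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one attempt at time `now`."""
        if self._locked_until.get(account, 0) > now:
            return "locked"                  # refused before the password counts
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock
            recent.clear()
        return "failed"

# Constructed sample events: (seconds, endpoint, account, password_ok).
# Endpoint names are hypothetical; the limiter deliberately ignores them.
SAMPLE_EVENTS = [
    (0, "web_login", "alice@example.com", False),
    (2, "device_api", "alice@example.com", False),
    (3, "web_login", "bob@example.com", False),
    (4, "device_api", "alice@example.com", False),
    (6, "device_api", "alice@example.com", False),
    (8, "device_api", "alice@example.com", False),  # fifth failure: lock starts
    (10, "device_api", "alice@example.com", True),  # right password, too late
    (30, "web_login", "bob@example.com", True),     # ordinary typo, then success
]

def replay(events, limiter=None):
    """Feed events through one shared limiter and return each outcome."""
    limiter = limiter or AttemptLimiter()
    return [limiter.check(acct, ok, t) for t, _endpoint, acct, ok in events]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

Because the counter ignores which endpoint received the attempt, a limit enforced on one login page cannot be sidestepped through another interface to the same account.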

Apple patched this vulnerability on 1 September 2014, limiting the damage, although we don’t know how long the vulnerability existed or how widespread abuse may have been before the tool was released.

But based on Apple’s statement, the iBrute tool or some other direct attack on iCloud or Find My iPhone in general was not the source of the celebrity photo theft. That statement, however, was carefully constructed in case conflicting information later emerges in the investigation.

This is a terrible situation, and possibly one that started with criminal attacks months or years ago. The only ones to blame are the criminals who stole the photos, and those that support them by looking at or even purchasing the photos.

But Apple, like all major cloud providers, needs to step up its game, especially since it wants to store (or is already storing) our email, chats, photos, medical data, and payment information in the cloud. These kinds of attacks are only going to increase, and cloud services need to make it easier for users to implement higher levels of security, without destroying the user experience. It’s the kind of challenge well suited to Apple’s strengths; now it’s time for the company to apply its vaunted design and user interface chops to the problem.

In the meantime, I recommend following Glenn Fleishman’s directions for setting up two-factor authentication with your Apple ID, as outlined in “Apple Implements Two-Factor Authentication for Apple IDs,” (21 March 2013).



Comments about iCloud Flaw Not Source of Celebrity Photo Theft

Walt French  2014-09-02 16:30
You say that Apple “patched” the flaw, but the supporting link only said, “When we tested the tool, it locked out our accounts after five attempts.”

At this time, all we have is the word from a potentially financially-motivated person who would be happy to trade in stolen imagery, that he was able to brute-force the attack. I wouldn't think he'd be the most reliable of sources. If you actually knew who he was, you could be cited for contempt if there was evidence he was telling the truth, and you refused to cough him up.

So he is very dishonest, very shady or very stupid.

Let's have a cite that the vulnerability existed, ideally that it was actually ever used successfully.
Instances like this validate and confirm that I made the right choice from the day iCloud was launched to not use it as it would make my personal data vulnerable.
Sadly, in addition to the hacker threat, the draconian American laws (as revealed in the Snowden leaks) mean that no American company can be trusted with anyone's personal information.
Remember: Convenience is NOT compulsory.
No - the data was only compromised due to social engineering. Could that fool you? Do you have "people" that could be fooled? Likely not.
Apple needs to get one of the celebs to publicly admit they were stupid about their security and/or if there is an iwallet – it will only work with two step security setup …
Alan Sanders  2014-09-11 13:58
According to Apple's FAQ on two-factor authentication, this security measure does not protect access to iCloud accounts. Users of this security feature are protected only when (a) signing in to My Apple ID to manage their account, (b) making an iTunes, App Store, or iBooks Store purchase from a new device, or (c) getting Apple ID related support from Apple.

P.S. Someone in another forum pointed out that if two-factor authentication did apply to iCloud accounts, people who own only one Apple device would be screwed if that device should be lost or stolen. They would be unable to log in to their own iCloud accounts from another device without the secret code they would be unable to receive.