Apple iCloud Security Incident
There's lots of interest in the recent iCloud incident, where apparently several "celebrity" accounts were compromised.
Sorry to say, it's not a rumour. It's also something that could and should have been prevented. It turns out that the API behind the "Find My iPhone" app did not have protections against brute-force attacks: failed login attempts were neither throttled nor counted toward an account lockout.
This, combined with the first couple of hundred entries of a common password dictionary (often downloaded under the filename "500 worst passwords"), was enough to compromise some targeted accounts. And of course once an account password is guessed, all iCloud data for that account is available to the attacker. So no rocket science, no uber hacking skills: just one exposed attack surface, basic coding skills and some persistence.
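To make the weakness concrete, here is an added example (not the code from GitHub that the diary refers to, and not anything of Apple's): a toy password-check API with no brute-force protection next to a variant that locks the account after a handful of consecutive failures, with a dictionary attack run against both. The account name, the password and the wordlist slice are constructed for the demonstration; the lockout threshold and window are assumptions, not Apple's values.

```python
"""Added example: an unprotected login API beside a lockout-protected one,
attacked with a short wordlist. Nothing here is Apple's code or data."""
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Constructed slice in the style of a "worst passwords" list (not the real file).
WORDLIST = ["123456", "password", "12345678", "qwerty", "abc123",
            "monkey", "1234567", "letmein", "trustno1", "dragon"]

PBKDF2_ROUNDS = 20_000  # kept low so the demo runs quickly; use far more in production


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Salted, stretched password store; the comparison is constant-time."""
    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = _derive(password, self.salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _derive(password, self.salt))


class NoLockoutAuth:
    """The weak pattern: every call is answered on the credentials alone, so an
    attacker can walk a whole dictionary as fast as the server answers."""
    def __init__(self, accounts: Dict[str, Account]) -> None:
        self.accounts = accounts

    def login(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        # Same answer for an unknown user and a wrong password: no user enumeration.
        if acct is not None and acct.verify(password):
            return "ok"
        return "bad_credentials"


class LockoutAuth(NoLockoutAuth):
    """Hardened: count consecutive failures per account and refuse every attempt,
    the correct password included, until the lockout window expires."""
    def __init__(self, accounts, max_failures=5, lockout_seconds=900,
                 clock=time.monotonic) -> None:
        super().__init__(accounts)
        self.max_failures, self.lockout_seconds, self.clock = max_failures, lockout_seconds, clock
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def login(self, user: str, password: str) -> str:
        now = self.clock()
        if now < self.locked_until.get(user, 0.0):
            return "locked"  # no password check at all while locked
        status = super().login(user, password)
        if status == "ok":
            self.failures.pop(user, None)
            return status
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures.pop(user, None)
            return "locked"
        return status


def dictionary_attack(auth: NoLockoutAuth, user: str, wordlist) -> Tuple[Optional[str], int, str]:
    """Try each word in order; returns (password found or None, attempts made, last status)."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        status = auth.login(user, guess)
        if status in ("ok", "locked"):
            return (guess if status == "ok" else None), attempts, status
    return None, attempts, "exhausted"


class FakeClock:
    """Deterministic clock so lockout expiry can be shown without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def run_demo() -> dict:
    accounts = {"target": Account("letmein")}  # constructed weak password, 8th in WORDLIST
    clock = FakeClock()
    weak = NoLockoutAuth(accounts)
    hardened = LockoutAuth(accounts, max_failures=5, lockout_seconds=900, clock=clock)
    weak_result = dictionary_attack(weak, "target", WORDLIST)
    hard_result = dictionary_attack(hardened, "target", WORDLIST)
    owner_during_lock = hardened.login("target", "letmein")  # the real owner is refused too
    clock.now += 901                                          # ...until the window expires
    owner_after_lock = hardened.login("target", "letmein")
    return {"weak": weak_result, "hardened": hard_result,
            "owner_during_lock": owner_during_lock, "owner_after_lock": owner_after_lock}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Against the unprotected API the attack simply reaches "letmein" on the eighth guess; against the lockout variant it is refused after the fifth and learns nothing more. The trade-off the second half of the demo shows is that a per-account lockout also keeps the legitimate owner out for the window, which an attacker can abuse as a denial of service, so real deployments usually pair a short lockout with per-source rate limiting rather than relying on either alone.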
Having gone through that password file, you really wonder how much folks using any of those passwords valued their data in the first place.
Apple quickly fixed the vulnerability, so it is no longer in play (unless your account was compromised before the mitigation and you haven't changed your password since). The code is on GitHub if you are interested.
This just reinforces the common theme that, to put it mildly, trusting personal data to simple passwords is not recommended. If you can't use a complex password (for me, that's more than 15 characters) or the service doesn't offer a second factor, then don't use the service.
===============
Rob VandenBrink
Metafore
Comments
And this takes me to one of my pet peeves: almost anything IT (computers, tablets, smartphones, clouds, etc.) has almost all of the miscellaneous options and features (e.g. iCloud backups) turned on by default. If I were designing something, I would have everything turned off by default, except for the bare minimum required to run the (fill in the blank). And then let the users decide what they need or what they don't need. Then at least it's a conscious decision when they turn something ON.
I guess companies, developers, etc. do the opposite and turn everything on because they want to showcase all of their features. Or perhaps it's because users and consumers can't be trusted to know what they want or what they need (sarcastic), so it's easier to just turn everything on. But the bottom line is that many people are running around with technology that they don't fully understand, and that is nothing short of dangerous. And enabling every little feature/option/service by default is simply adding fuel to the fire.
Anonymous
Sep 2nd 2014
My question is this: What does Apple use to generate the key? If the key is easily guessed or brute-forced offline, then isn't it reasonable to assume that all iCloud users' data is at risk? Personally, I'm assuming that my iCloud account has been compromised.
Anonymous
Sep 3rd 2014
So, with the information that Apple has made available as of today, this was not a broader breach of iCloud data. So, unless you were specifically targeted by the hackers, your data was not hacked and should still be safe.
I believe Apple fixed the authentication weakness on the iCloud portal yesterday, so hackers can no longer brute-force iCloud accounts through icloud.com.
The problem was not Apple's encryption (or implementation of encryption) but instead a combination of weak passwords and the icloud.com portal not having an account lockout mechanism to protect against brute-force attacks.
Anonymous
Sep 3rd 2014
But you raise a valid point. Without Apple letting you know, there is no way for you to know for sure whether or not your account was compromised. If you're worried, the best countermeasure is to change your password.
Anonymous
Sep 4th 2014
I am running OS X Yosemite with FileVault encryption and the firewall (no incoming traffic). I also have Little Snitch installed.
I have noticed lately that I got many requests for contacts in Skype. Suddenly a pop-up screen appeared like an address card:
User: doughboy04690. It disappeared but was there long enough for me to note it down. I restarted the computer and came to a login as me or guest. I had never made a guest account, so this was a sure sign somebody had got access.
I almost panicked, changed passwords all around, and was ready to format and reinstall. In the end I relaxed and looked for changes. I saw that they had changed my iCloud settings to transfer iPhoto to iCloud, a setting I had not made. I then looked at Skype and saw a lot of incoming requests from different IPs to get access. I blocked them all with Little Snitch and everything has been quiet since then.
This can very well be the method they used for the celebrities also. If you don't have a software firewall like Little Snitch you would not know. After getting the photos onto iCloud, I guess they brute-force the password there.
Anonymous
Nov 24th 2014
Not only iPhones, but also iPods and iPads are vulnerable to this sophisticated "hack". Look at this website:
http://www.doulci-icloud-bypass.com/
Anonymous
Jan 4th 2016