
Implications of celebrity photo iCloud hack

Published September 2nd, 2014 at 9:28 AM EDT , modified September 2nd, 2014 at 4:14 PM EDT

If you haven’t seen it in the news yet, I’m sure you will soon: the hackers who obtained and published nude photos of a number of female celebrities allegedly got those photos by hacking the iCloud accounts of those celebs. It’s unclear at this time whether iCloud was actually involved or whether news media have noticed two separate stories and glued them together. In any case, though, an iCloud vulnerability was real, so how concerned do we need to be?

The iCloud vulnerability being blamed for the leak involved a method for attacking the account’s password by brute force. In other words, an automated script could repeatedly try different combinations of letters, numbers and symbols until the user’s password is discovered. Ordinarily, attacking an iCloud account via brute force isn’t practical, because the account gets locked after a certain number of unsuccessful attempts to log in. However, a vulnerability was found in the Find My iPhone feature that is part of iCloud. There was a way to repeatedly attempt logins without any kind of lockout.
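The lockout described above only works if every endpoint that accepts the password consults the same per-account counter; the Find My iPhone path was a login route that skipped it. The following is an added illustration of such a shared guard, written for this page rather than taken from the post or from Apple's systems; the policy numbers, the endpoint names and the sample account are assumptions.

```python
import time
from dataclasses import dataclass

# Assumed policy values for this example (not Apple's actual settings).
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountState:
    failed_attempts: int = 0   # consecutive failures since last success or lockout
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    """One per-account lockout counter consulted by EVERY password endpoint.

    The weakness described in the post was an endpoint that validated
    passwords without this shared check; here both 'web' and 'findmyiphone'
    go through the same attempt() path, so failures add up across endpoints.
    """

    def __init__(self, credentials, clock=time.time):
        self._credentials = credentials  # account -> password (constructed sample data)
        self._state = {}
        self._clock = clock              # injectable so tests can move time forward
        self.audit = []                  # (endpoint, account, outcome) for detection

    def attempt(self, endpoint, account, password):
        now = self._clock()
        state = self._state.setdefault(account, AccountState())
        if now < state.locked_until:
            outcome = "locked"           # refused even if the password is right
        elif self._credentials.get(account) == password:
            state.failed_attempts = 0
            outcome = "ok"
        else:
            state.failed_attempts += 1
            if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
                state.locked_until = now + LOCKOUT_SECONDS
                state.failed_attempts = 0
            outcome = "denied"
        self.audit.append((endpoint, account, outcome))
        return outcome
```

The audit list is kept so that repeated "denied" outcomes for one account can be spotted even when the attempts are spread over several endpoints.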

Apple has reportedly fixed the issue, but it’s important to understand how this could have been prevented, since attacks and vulnerabilities of this kind are nothing new. The key preventative measure in a case like this is good password security. Even when a vulnerability like this one exists, using this kind of brute force attack to crack the password of an online account can only succeed with very short passwords. Due to the need to communicate with an online server for each login attempt, it would take a prohibitively long time to crack a long password. So, having a decent password on your online accounts is of primary importance!

Let’s look at a concrete example. Let’s say that your password is 8 characters long, and consists of upper- and lower-case letters and numbers. Let’s also assume that the brute force algorithm is extremely simple, simply cycling through all possible passwords in that character set. This means that there are 62 different possibilities for each character in your password. In order to try all possible 8-character passwords, this brute force algorithm would need to try a maximum of more than 218 trillion possibilities!

This seems like a lot, but a modern computer can try that many possible passwords in a very short amount of time… except that testing these passwords with an online server involves some overhead, in the form of the time needed to communicate with the server. If we say that each login attempt takes about half a second, then it would take nearly 3.5 million years to check all possibilities. Even if you could communicate with the server 100 times per second, that still requires nearly 70,000 years. Clearly, that’s not going to happen.

Unfortunately, brute force algorithms aren’t necessarily so simple. There are many brute force techniques that involve analysis of real-world password data (obtained through previous large-scale password leaks) to prioritize the most common passwords and password patterns. This can substantially reduce the amount of time needed to crack the password for a large fraction of the online accounts in existence.

Thus, it’s certain that any accounts that were hacked had very simple or common passwords. This whole incident could have been avoided if people simply used proper passwords in the first place. Using a random sequence of 8 characters selected from the 95 printable ASCII characters would protect adequately against online brute force attacks.

However, 8 characters wouldn’t do you any good if the server’s database of hashed passwords were compromised. Although that didn’t happen in this case, it has happened for numerous other servers in the past, and thus is an important thing to consider. Such a database contains passwords in the form of a hashed value, or a computed value that can be calculated using the password, but cannot be reversed to reveal the password. In such a case, a hash of an 8-character password would be broken in very little time at all by any modern computer, by simply calculating the hashes for all possible 8-character passwords and comparing to the hashes in the database.
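The arithmetic behind the 8-character figures above, and the contrast between the online rates the post uses and an offline attack on a stolen hash database, as an added example that is not part of the original post. The 2/s and 100/s rates are the post's own; the 1e9/s offline rate is an assumed order of magnitude, not a measurement, and min_length generalizes the post's reasoning to "how long must a password be to outlast a given rate for a given number of years".

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, attempts_per_second: float) -> float:
    """Worst case: every candidate is tried, at the given rate."""
    return keyspace(alphabet_size, length) / attempts_per_second / SECONDS_PER_YEAR


def min_length(alphabet_size: int, attempts_per_second: float, target_years: float) -> int:
    """Shortest length whose full keyspace outlasts `target_years` at that rate."""
    needed = attempts_per_second * target_years * SECONDS_PER_YEAR
    length = 1
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length


# Rates: 2/s and 100/s are the post's online figures; 1e9/s is an ASSUMED
# offline rate against a stolen hash database (order of magnitude only).
SCENARIOS = [
    ("62-char alphabet, 8 chars, online 2/s",        62, 8,  2),
    ("62-char alphabet, 8 chars, online 100/s",      62, 8,  100),
    ("95 printable ASCII, 8 chars, online 100/s",    95, 8,  100),
    ("95 printable ASCII, 8 chars, offline 1e9/s",   95, 8,  1e9),
    ("95 printable ASCII, 16 chars, offline 1e9/s",  95, 16, 1e9),
]


def report():
    """Years to exhaust each scenario's keyspace, keyed by its label."""
    return {label: years_to_exhaust(a, n, rate) for label, a, n, rate in SCENARIOS}


if __name__ == "__main__":
    for label, years in report().items():
        print(f"{label:48s} {years:>12.3g} years")
    print("min length for 100 years offline at 1e9/s, 95-char alphabet:",
          min_length(95, 1e9, 100))
```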

For better security, it’s important to remember one rule: size matters! Recent research shows that the only consideration is the length of the password, not its complexity. So, a password like “My dog Rusty has ticks and fleas” is far more secure than one like “ph03n|><“. Using a short phrase is the best option for modern passwords, especially if that phrase is not a common one and cannot be predicted by someone who knows a little bit about you.

Back to the iCloud issue, it’s important to understand that a brute force attack like this must be targeted at a specific user. This was not a large-scale iCloud breach, per se, as it only affected specific accounts, not all iCloud users. iCloud “usernames” are e-mail addresses, and there are far too many possible e-mail addresses for a brute force attack to even attempt to try all of them. So, the fact that a number of celebrities were targeted and had their accounts hacked through this iCloud vulnerability does not necessarily mean that you are at risk. For this vulnerability to affect you, someone would have had to target you specifically, prior to the vulnerability being closed, and you would have had to be using a very simple or common password.

If you believe that someone may have had both the motive and the knowledge to attack your iCloud account using this vulnerability, and that your password was not a strong one, then you should change your password right away. In addition, see “What to do if your Apple ID has been hacked” for more information on how to respond to such a problem.

[Image: iCloud pizza crap. Caption: Kirsten Dunst criticizes iCloud]

Bottom line, there’s no reason for other iCloud users to panic. Some of the celebs who were targeted are upset with Apple (unsurprisingly). There’s been a bit of iCloud name-calling on social media. It’s hard to blame anyone for being angry, but it’s important to realize that the power to avoid this situation was entirely within the hands of the affected celebrities.

If only those celebs had used good passwords, this would have been avoided. In addition, users need to think twice before storing any kind of compromising or sensitive data in any kind of cloud-based system. If the leaked photos hadn’t been stored in unencrypted form in online storage, the hacker(s) responsible would not have been able to cause this kind of embarrassment. Folks who like taking nude photos with their iPhones would be wise to turn off all of their phones’ photo sharing/upload features!

Updates

Tuesday, September 2, 2014 @ 4:10 pm EST: Apple has now released a statement saying that the breach did not actually involve an iCloud security vulnerability at all. The celebrities whose accounts were breached were attacked through mundane, though highly targeted, password and security question attacks, and this could have been prevented easily by the owners of those accounts. The vulnerability that was patched was apparently unrelated.

Thanks to Derrick for bringing this to my attention!


17 Comments

  • Derrick says:

    This is just sad…
    I’ve been following your blog since yesterday. Thanks for your dedication towards a secure mac.

  • John Fallon says:

    This is not a situation where you can use 1password. This password is what you use on the app store. It has to be something you can remember and type easily. If you actually buy or upgrade apps, you will use it fairly often. That pretty much precludes the use of real strong passwords. If a script is used, and the attempts don’t get locked out, sooner or later any password will fail. Again, what about using iCloud drive to store health or financial information, or even word documents? People would be well advised to avoid iCloud for anything sensitive. Dropbox, OneDrive etc at least haven’t had as many public failures, but are likely no safer.

    • Thomas says:

      I would strongly disagree. You certainly can use a strong iCloud password, and make it memorable. I do so myself. As suggested in the article, make your password a phrase rather than an overly-complex password. The length is all that matters, and the human brain does a remarkable job of remembering lengthy information that makes sense.

      As for avoiding iCloud for sensitive information, that’s definitely a good idea, but not limited to iCloud. All servers connected to the internet that contain your sensitive information are potentially vulnerable. If you need to store sensitive data in any cloud-based storage, it should be encrypted by you (not by the service) prior to uploading, and your account on the cloud service should have a very strong password.

    • Zak says:

      He already pointed out that this idea of avoiding iCloud, or cloud in general, all together is not necessary. While you can’t use 1Password, you can still have a hard password to crack that is easy to remember. See his passphrase example, one like ThisIsMyPasswordDealWithItHackers! is easy enough to remember, easy to type on mobile, and so long it is hard to brute force attack.

    • john says:

      You can use 1password. I use it on my phones, tablets and Macs. I’ve used this product for over a year and every password I use, outside of 1password’s master one, is retrieved from 1password. I secure all my Apple IDs this way and access my Apple resources via the 1password database. All my passwords have a minimum length of 20, except for some sites that don’t allow that high. In this case, I use the maximum allowed by that site.

      Please explain how 1password could not be used?

      • Thomas says:

        I believe that John’s point is that you cannot use 1Password to enter a complex password in the App Store on an iOS device, which is true. You may be able to open 1Password, unlock it, find and copy your Apple ID password and paste it into the password dialog in the App Store… I don’t know, I haven’t ever tried that. But that’s cumbersome, if it does work… much easier to just make sure it’s a long password that you can easily remember, and that is easy to enter.

        • john says:

          That’s exactly how I do it. As for website logins, 1password has a browser feature that allows you to log directly into a site in iOS similar to how it works on a Mac. It sounds more cumbersome the way you describe it, but it’s fast enough as far as I am concerned. This way, I only need my master password into 1password and that’s it. No need to remember others.

          • Thomas says:

            Yes, but the browser feature isn’t relevant to the App Store. That’s a password prompt displayed in a different app, by iOS, and it can’t be conveniently entered using 1Password. I agree that 1Password is useful for logging on to sites on both iOS and Mac OS X, but this is a special case where it’s not so convenient.

  • Derrick says:

    There’s an update… Apple claims it wasn’t iCloud but a very targeted attack at the Celebs accounts using security questions, exact emails and such. They recommended the same thing Thomas suggested.

  • John Fallon says:

    If Apple cares about this, they can require longer passwords. It will discourage app store purchases somewhat. As far as security questions go, I wonder why sites just don’t tell you to make up answers. Most people will take the questions at face value.

    • Thomas says:

      I don’t think longer passwords will discourage App Store purchases. If anyone is really that unwilling to enter a longer password, they’ll just stick with a shorter password… and then complain on social media when they get hacked.

      Of course, I think Apple, as usual, is several steps ahead of everyone with the ability to make App Store purchases with a fingerprint on the iPhone 5s. I would guess that this technology will be on all iOS devices very soon, and will eliminate the need to enter any long passwords.

  • Clayton McCranor says:

    You are assuming that a space is seen as a valid entry in a password field. In some cases it is not, e.g. my work place.

    ‘My dog Rusty has ticks and fleas’ has 55,788,574,239,882,073,957,414,564,563,571,490,975,386,474,192,852,065,676,734,560 possible combinations and would take somewhere in the region of 17.74 trillion trillion trillion trillion centuries (assuming 1000 attempts per second) to crack.

    The Password ‘MydogRustyhasticksandfleas’ has 421,230,783,669,503,510,067,386,408,168,086,171,457,750,276 possible combinations and would take an estimated 1.34 hundred million trillion trillion centuries (assuming 1000 attempts per second) to crack.

    Myd0gRustyh4st1cks4ndfle4s has 40,667,341,382,973,472,945,117,556,132,496,178,582,698,289,38 possible combinations and would take an estimated 12.93 billion trillion trillion centuries (assuming 1000 attempts per second) to break. In both cases we are talking an extreme amount of time.

    A simple way to protect the user is to only allow a fixed number of attempts before locking the account for a defined period of time. This would stop a brute force attack in its tracks.

    There is a good password strength predictor at https://www.grc.com/haystack.htm give it a try. Also it explains clearly the misconception of ‘high entropy’ passwords. The info on the 3 passwords above comes from there.

    • Thomas says:

      All very good advice.

      Unfortunately, there are password systems out there that impose restrictions that actually make them less secure, such as restricting characters like spaces. Some will even restrict the password length, only allowing passwords that are shorter than is really wise. I even heard recently of an online system that limited password length to 8 characters!

    • Manfred says:

      The site where you found this info is a very interesting, albeit scary place!

    • Stéphane Moureau says:

      Safe passwords that are easy to remember can be like this:

      [(Five)=(+8-3)]

      Quite easy to remember, already 1.49 hundred thousand trillion centuries. Enough even for NSA 🙂
      You can also use a “constant string” and add extra-characters based on the site name.
      (1+1)=Two4im
      (1+1)=Two4wn

      im first and last of ibm.com
      wn first and last of washington.us

      Of course these 2 examples are too simple but if you choose a less obvious “computation” based on the site name,
      that makes you safe.

      In most cases, it is bots, not humans, who will figure out these extra characters.
      Combinations are unlimited: birthday, id, car plate,… without getting compromised because personal digits/numbers/dates are used.

  • Robert.Walter says:

    Last I checked, the dunderheads at Lufthansa and their Miles-and-More FF program still only required a 5 digit numerical pin like they have since the 1990s.
