Implications of celebrity photo iCloud hack
Published September 2nd, 2014 at 9:28 AM EDT , modified September 2nd, 2014 at 4:14 PM EDT
If you haven’t seen it in the news yet, I’m sure you will soon: the hackers who obtained and published nude photos of a number of female celebrities allegedly got those photos by hacking the iCloud accounts of those celebs. It’s unclear at this time whether iCloud was actually involved or whether news media have noticed two separate stories and glued them together. In any case, though, an iCloud vulnerability was real, so how concerned do we need to be?
The iCloud vulnerability being blamed for the leak involved a method for attacking the account’s password by brute force. In other words, an automated script could repeatedly try different combinations of letters, numbers and symbols until the user’s password is discovered. Ordinarily, attacking an iCloud account via brute force isn’t practical, because the account gets locked after a certain number of unsuccessful attempts to log in. However, a vulnerability was found in the Find My iPhone feature that is part of iCloud. There was a way to repeatedly attempt logins without any kind of lockout.
Apple has reportedly fixed the issue, but it’s important to understand how this could have been prevented, since attacks and vulnerabilities of this kind are nothing new. The key preventative measure in a case like this is good password security. Even when a vulnerability like this one exists, an online brute force attack can only succeed against passwords that are very short or very common. Because every guess requires a round trip to the server, exhausting the possibilities for a long, random password would take a prohibitively long time. So, having a decent password on your online accounts is of primary importance!
Let’s look at a concrete example. Say your password is 8 characters long and consists of upper- and lower-case letters and digits. Assume also that the brute force algorithm is as simple as possible: it just cycles through every possible password in that character set. That gives 62 possibilities for each character, so trying every 8-character password means trying up to 62^8, which is more than 218 trillion possibilities!
This seems like a lot, and a well-equipped attacker could hash that many candidates in hours if they could be tested locally, at millions or billions of guesses per second… except that testing passwords against an online server involves overhead: each attempt has to travel to the server and back. If each login attempt takes about half a second, checking every possibility would take nearly 3.5 million years. Even at 100 attempts per second, it still requires nearly 70,000 years. Clearly, that’s not going to happen.
Unfortunately, real attacks are rarely this naive. Attackers use wordlists and rules derived from real-world password data (obtained through previous large-scale password leaks) to try the most common passwords and password patterns first. This substantially reduces the time needed to crack a large fraction of the online accounts in existence, and it means a common password can fall within the first handful of guesses, well inside any lockout threshold.
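As an added example (not Apple’s code, and not part of the original post), here is a toy in-memory login endpoint in the two configurations discussed above, with a guessing loop run against it. The lockout threshold of 10, the three test accounts and the short common-password list are all constructed for this illustration. They make two points: a missing lockout exposes a small keyspace to exhaustive guessing, and a common password falls to a wordlist well before a lockout ever triggers.

```python
import hmac
import itertools
import string

# Added example (not Apple's code): a toy login endpoint in two configurations
# and a guessing loop run against it. Everything below is constructed.

MAX_FAILURES = 10  # assumed lockout threshold for the hardened configuration

# Constructed test accounts; plaintext passwords only because this is a toy.
ACCOUNTS = {
    "pin@example.com": "7419",                        # 4 digits: tiny keyspace
    "common@example.com": "letmein",                  # 7 letters, but on every wordlist
    "strong@example.com": "My dog Rusty has ticks and fleas",
}

# Constructed short list in the style of published most-common-password
# rankings, most common first. A real attacker would use millions of entries.
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "abc123", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
]


class LoginEndpoint:
    """Simulated password check.

    lockout=False behaves like the reported Find My iPhone flaw: unlimited
    attempts. lockout=True locks the account after MAX_FAILURES bad guesses,
    which is what the main iCloud login already did.
    """

    def __init__(self, accounts, lockout):
        self._accounts = dict(accounts)
        self._failures = {}
        self.lockout = lockout

    def login(self, user, password):
        """Return "ok", "bad" or "locked"."""
        if self.lockout and self._failures.get(user, 0) >= MAX_FAILURES:
            return "locked"
        stored = self._accounts.get(user, "")
        # Constant-time comparison so a wrong guess leaks nothing via timing.
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        return "bad"


def brute_force(endpoint, user, candidates):
    """Submit candidates in order until success, lockout or exhaustion.

    Returns (outcome, guesses_evaluated, password_or_None) where outcome is
    "cracked", "locked" or "exhausted".
    """
    evaluated = 0
    for guess in candidates:
        result = endpoint.login(user, guess)
        if result == "locked":
            return "locked", evaluated, None
        evaluated += 1
        if result == "ok":
            return "cracked", evaluated, guess
    return "exhausted", evaluated, None


def exhaustive(alphabet, length):
    """Every string of `length` symbols over `alphabet`, in lexicographic order."""
    for chars in itertools.product(alphabet, repeat=length):
        yield "".join(chars)


def run_scenarios():
    """The four situations discussed above, as (outcome, guesses, password)."""
    vulnerable = LoginEndpoint(ACCOUNTS, lockout=False)
    hardened = LoginEndpoint(ACCOUNTS, lockout=True)
    return {
        "no lockout, 4-digit PIN, exhaustive":
            brute_force(vulnerable, "pin@example.com", exhaustive(string.digits, 4)),
        "lockout, 4-digit PIN, exhaustive":
            brute_force(hardened, "pin@example.com", exhaustive(string.digits, 4)),
        "lockout, common password, wordlist":
            brute_force(hardened, "common@example.com", COMMON_PASSWORDS),
        "lockout, passphrase, wordlist":
            brute_force(hardened, "strong@example.com", COMMON_PASSWORDS),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running the script prints the four outcomes: the PIN account is cracked after 7,420 guesses against the endpoint with no lockout, but the same search stalls after 10 guesses once lockout is on; the account with a wordlist password is cracked on the 7th guess even with lockout enabled, because the lockout never triggers; and the passphrase account survives the wordlist until the lockout takes over.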
Thus, it is very likely that any accounts hacked this way had very simple or common passwords. This whole incident could have been avoided if people had simply used proper passwords in the first place. A random sequence of 8 characters drawn from the 95 printable ASCII characters would protect adequately against online brute force attacks.
However, 8 characters wouldn’t do you any good if the server’s database of hashed passwords were compromised. Although that didn’t happen in this case, it has happened to numerous other servers in the past, and so it is an important thing to consider. Such a database stores each password as a hash: a value computed from the password that cannot be reversed to reveal it. But an attacker holding the database no longer has to talk to a server; they can compute hashes on their own hardware at millions or billions of guesses per second. If the site used a fast, general-purpose hash such as MD5 or SHA-1, the hash of an 8-character password falls in hours by simply hashing every possible 8-character password and comparing against the database. A deliberately slow, salted password hash (bcrypt, scrypt or PBKDF2) raises that cost by orders of magnitude, but as a user you rarely know which one a service uses, so assume the worst.
For better security, remember one rule: size matters! Length does far more for a password than complexity: every added character multiplies the number of possibilities, while mixing in symbols only changes the multiplier. So a password like “My dog Rusty has ticks and fleas” is far more secure than one like “ph03n|><”. Using a short phrase is the best option for modern passwords, provided that the phrase is not a common one (a song lyric or quotation, say) and cannot be predicted by someone who knows a little bit about you.
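The numbers in the paragraphs above, and the gap between online and offline guessing, as an added example (not part of the original post): a small cost model plus a pure-Python crack of a constructed, unsalted SHA-256 hash. The two online rates are the ones the article uses; the offline rate of 10^10 hashes per second is an assumption standing in for a GPU rig against a fast unsalted hash, and the 20,000-word dictionary used to score the passphrase is likewise an assumption.

```python
import hashlib
import itertools
import math
import string
import time

# Added example (not Apple's code): a cost model for the attacks discussed in
# the article, plus an offline crack of a constructed "leaked" hash. The offline
# rate and the dictionary size are assumptions; the online rates are the article's.

SECONDS_PER_YEAR = 365.25 * 24 * 3600

RATES = {
    "online, 0.5 s per attempt": 2,
    "online, 100 attempts/s": 100,
    "offline, fast unsalted hash": 10**10,  # ASSUMED: GPU rig vs. MD5/SHA-1-class hash
}

# Constructed "leaked" record: an unsalted SHA-256 of a 4-letter password.
LEAKED_HASH = hashlib.sha256(b"fido").hexdigest()
LOWERCASE = string.ascii_lowercase


def keyspace(alphabet_size, length):
    """Candidates an exhaustive search must cover: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Strength of `length` uniformly random symbols, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(candidates, rate):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate


def years_to_exhaust(candidates, rate):
    return seconds_to_exhaust(candidates, rate) / SECONDS_PER_YEAR


def crack_unsalted(target_hex, alphabet, length):
    """Offline attack on an unsalted hash: hash every candidate locally, with no
    server round trip. Returns (password_or_None, attempts, measured_attempts_per_second)."""
    start = time.perf_counter()
    attempts = 0
    for chars in itertools.product(alphabet, repeat=length):
        attempts += 1
        guess = "".join(chars)
        if hashlib.sha256(guess.encode()).hexdigest() == target_hex:
            break
    else:
        guess = None
    elapsed = max(time.perf_counter() - start, 1e-9)
    return guess, attempts, attempts / elapsed


if __name__ == "__main__":
    scenarios = [
        ("8 chars, [A-Za-z0-9]", keyspace(62, 8), entropy_bits(62, 8)),
        ("8 chars, 95 printable ASCII", keyspace(95, 8), entropy_bits(95, 8)),
        # The article's 7-word passphrase, scored pessimistically: the attacker is
        # assumed to know it is 7 words from a 20,000-word dictionary.
        ("7-word passphrase (20k dictionary)", keyspace(20000, 7), entropy_bits(20000, 7)),
    ]
    for name, n, bits in scenarios:
        print(f"{name}: {n:.3g} candidates, {bits:.1f} bits")
        for label, rate in RATES.items():
            print(f"   {label:30} {years_to_exhaust(n, rate):.3g} years")
    pw, n, rate = crack_unsalted(LEAKED_HASH, LOWERCASE, 4)
    print(f"offline crack of leaked hash: {pw!r} after {n} hashes at {rate:.0f}/s in pure Python")
```

The table reproduces the article’s 3.5 million and 70,000 years for the 62-character, 8-length case online, then shows the same keyspace falling in hours at the assumed offline rate, while the passphrase stays out of reach even offline and even when scored as dictionary words. The last line shows the offline mechanics directly: the 4-letter password is recovered from its unsalted hash after 93,381 hashes, at whatever rate the interpreter manages, with no server involved.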
Back to the iCloud issue, it’s important to understand that a brute force attack like this must be targeted at a specific user. This was not a large-scale iCloud breach, per se, as it only affected specific accounts, not all iCloud users. iCloud “usernames” are e-mail addresses, and there are far too many possible e-mail addresses for a brute force attack to even attempt to try all of them. So, the fact that a number of celebrities were targeted and had their accounts hacked through this iCloud vulnerability does not necessarily mean that you are at risk. For this vulnerability to have affected you, someone would have had to target you specifically before it was closed, and you would have had to be using a very simple or common password.
If you believe that someone may have had both the motive and the knowledge to attack your iCloud account using this vulnerability, and that your password was not a strong one, then you should change your password right away. In addition, see What to do if your Apple ID has been hacked for more information on how to respond to such a problem.
Bottom line, there’s no reason for other iCloud users to panic. Some of the celebs who were targeted are upset with Apple (unsurprisingly). There’s been a bit of iCloud name-calling on social media. It’s hard to blame anyone for being angry, but it’s important to realize that the power to avoid this situation was entirely within the hands of the affected celebrities.
If only those celebs had used good passwords, this would have been avoided. In addition, users need to think twice before storing any kind of compromising or sensitive data in any kind of cloud-based system. If the leaked photos hadn’t been stored in unencrypted form in online storage, the hacker(s) responsible would not have been able to cause this kind of embarrassment. Folks who like taking nude photos with their iPhones would be wise to turn off all of their phones’ photo sharing/upload features!
Tuesday, September 2, 2014 @ 4:10 pm EST: Apple has now released a statement saying that the breach did not actually involve an iCloud security vulnerability at all. The celebrities whose accounts were breached were attacked through mundane, though highly targeted, password and security question attacks, and this could have been prevented easily by the owners of those accounts. The vulnerability that was patched was apparently unrelated.
Thanks to Derrick for bringing this to my attention!