September 2, 2014
Apple Probing iCloud Vulnerabilities Following Celebrity Nude Photo Leak
Chuck Bednar for redOrbit.com - Your Universe Online
In the wake of the well-publicized publication of nude photographs of some of Hollywood’s biggest stars earlier this week, Apple is reportedly working to correct the iCloud vulnerabilities that allowed hackers to gain access to those images.
According to Wall Street Journal reporter Daisuke Wakabayashi, a message posted on online-code sharing website GitHub claimed that a user had located a bug in the Find My iPhone app, which monitors the location of missing Apple smartphones and disables the device if it is stolen. The vulnerability allowed hackers to continue trying passwords until identifying the correct one, instead of locking out users after multiple incorrect attempts.
That post was later updated to note that Apple had patched the vulnerability, Wakabayashi added. However, Rich Mogull of security research firm Securosis told the Wall Street Journal that it was “possible” that this particular flaw was exploited by the hackers who stole the photos, but that the two issues might have been unrelated. He added that it was more likely it was the individual accounts of the celebrities, and not Apple itself, that were compromised.
The hack posted on GitHub, identified by Mashable’s Lance Ulanoff and Pete Pachal as iBrute, was shared roughly 36 hours before the first photographs were leaked. Andrey Belenko, senior security engineer for mobile security firm viaForensics, told them that might not have been enough time for a brute force attack on the Find My iPhone software to work.
Belenko, along with Alexey Troshichev of HackApp, discussed iOS 7 and iCloud security at the Russian Defcon Group DCG#7812 over the weekend, Ulanoff and Pachal said. In their presentation, they reported discovering two potential weak spots in iCloud security: the lack of a lock-out mechanism on the Find My iPhone app, and the fact that a user’s iCloud security code defaults to just four digits (although users can make it more complex if they want) and could therefore be vulnerable to brute force attacks.
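The two weak spots described above (no lockout after repeated wrong guesses, and a four-digit code that is cheap to enumerate) can be illustrated with an added example written for this article; it is not code from Apple or from the iBrute post. It is a small Python login guard that counts consecutive failures per account and applies a doubling cooldown, plus a helper that measures how many of the 10,000 four-digit codes a guesser can actually test before being blocked. The account names, credentials and thresholds are assumptions.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0        # consecutive wrong guesses
    locked_until: float = 0  # epoch time at which the lock expires


class LoginGuard:
    """Per-account lockout: after max_failures consecutive wrong guesses the
    account is refused for base_lockout seconds, doubling on each further
    failure. max_failures=None models the flaw in the article: no lockout."""

    def __init__(self, credentials, max_failures=5, base_lockout=60, clock=time.time):
        self._creds = credentials          # constructed in-memory table; real code checks salted hashes
        self._max = max_failures
        self._base = base_lockout
        self._clock = clock                # injectable for testing without sleeping
        self._state = {}

    def attempt(self, user, code):
        now = self._clock()
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"                # refuse before even comparing the code
        if self._creds.get(user) == code:
            st.failures = 0
            return "ok"
        st.failures += 1
        if self._max is not None and st.failures >= self._max:
            extra = st.failures - self._max
            st.locked_until = now + self._base * (2 ** extra)
            return "locked"
        return "denied"


def guesses_until_blocked(guard, user, candidates):
    """How many candidate codes a guesser can test against `guard` before the
    account locks or the code is found. Used here to compare the two policies."""
    tested = 0
    for code in candidates:
        result = guard.attempt(user, code)
        if result == "locked":
            break
        tested += 1
        if result == "ok":
            break
    return tested


FOUR_DIGIT_CODES = [f"{n:04d}" for n in range(10000)]  # the default keyspace
```

With no lockout every one of the 10,000 codes can be tried; with the default policy only four are checked before the account is refused, and even the correct code is rejected until the cooldown passes.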
Forbes contributor Dave Lewis said the researchers were upset that their research may have played a role in the theft and publication of the private images, but said that the incident was a reminder that “data from ‘smart’ devices could be accessible from [the] Internet,” which they said can be a “place of anarchy” and the “source of undesirable and unfriendly activity.”
Lewis called it “the law of unintended consequences at its finest,” adding, “while this incident has unfortunate ramifications for the victims it has been a great wake up call for others thanks to the huge amount of press coverage. This is an excellent opportunity for people to clean up their password practices and improve their personal security posture.” He suggests using strong passwords and implementing two-factor authentication for iCloud accounts.
The incident that led to Apple’s investigation into iCloud security saw currently unidentified hackers post photos allegedly depicting Jennifer Lawrence, Kate Upton, Victoria Justice, Mary Elizabeth Winstead, Ariana Grande and other singers and actresses in various states of undress, said McCoy. While some of the victims, including Lawrence, Upton and Winstead, acknowledged the theft of their private photos, others (including Grande and Justice) have claimed that the pictures were fakes, the USA Today reporter added.