Celebrity skin is a hot commodity, as the Apple iCloud hack that led to the leak of explicit private photos of a bevy of celebrities and Hollywood stars has demonstrated. Further analysis shows that the hackers got in using one of the oldest tricks in the book: brute-forcing passwords.
The attackers used a free tool called iBrute, posted to GitHub by its developer, HackApp. They then reportedly used an exploit for the Find My iPhone app to throw the top 500 passwords from the RockYou leak at the iCloud accounts of various celebrities. The implication is that Apple had set no limit on the number of times that account credentials could be tried before locking the user out. In any event, the gambit eventually worked in more than 100 cases.
“I looked at the iBrute code on GitHub also and concluded that this was a garden-variety brute-force attack,” said Andrew Jaquith, CTO and senior vice president of cloud strategy at SilverSky, in a mail to Infosecurity. He added, “This authentication vector was clearly well-known to the broader programming community. It just so happened that some opportunistic hackers realized that it could be used to brute-force account passwords because it didn’t have effective lockout controls.”
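To show why the missing lockout control matters, here is an added illustration (not code from the article, from iBrute, or from Apple): a toy password check run once without an attempt limit and once with one, against a constructed short wordlist; the policy values, account name and password are assumptions.

```python
import time
from dataclasses import dataclass

# Constructed wordlist standing in for the "top 500" list in the article.
SAMPLE_WORDLIST = ["123456", "password", "iloveyou", "princess",
                   "sunshine", "monkey", "P@$$w0rd", "abc123"]
MAX_FAILED_ATTEMPTS = 5      # assumed policy values, not Apple's actual ones
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0


class AuthService:
    """Toy password check; `credentials` is a constructed user -> password map."""
    def __init__(self, credentials, enforce_lockout=True, clock=time.monotonic):
        self.credentials = credentials
        self.enforce_lockout = enforce_lockout
        self.clock = clock
        self.state = {}

    def login(self, user, password):
        st = self.state.setdefault(user, AccountState())
        if self.enforce_lockout and self.clock() < st.locked_until:
            return "locked"          # refused before the password is even checked
        if self.credentials.get(user) == password:
            st.failed_attempts = 0   # a good login clears the counter
            return "ok"
        st.failed_attempts += 1
        if self.enforce_lockout and st.failed_attempts >= MAX_FAILED_ATTEMPTS:
            st.locked_until = self.clock() + LOCKOUT_SECONDS
        return "denied"


def lockout_policy_check(service, user, wordlist):
    """Defender's self-test: how many wordlist guesses does the service
    actually evaluate for one account, and does any of them get through?"""
    evaluated, compromised = 0, False
    for guess in wordlist:
        result = service.login(user, guess)
        if result != "locked":
            evaluated += 1
        if result == "ok":
            compromised = True
            break
    return evaluated, compromised
```

With lockout disabled every guess is evaluated and the weak password falls on the seventh try; with it enabled only five guesses are ever checked, the rest are refused unread, and the account reopens only after the lockout window.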
Apple quickly resolved the issue, but the situation clearly shows an ongoing lack of privacy awareness when it comes to internet-facing behavior, even among those who would seem to have the most to lose from such a transgression. And in fact, the horror of it all for the likes of Jennifer Lawrence could have been avoided completely had she and the others merely enabled two-factor authentication, which requires a second code (typically sent via text message) to unlock accounts.
But it’s likely that some of these celebrities didn't even realize that their photos were being synced to iCloud, or that photos may have persisted there even after being deleted from the user's phone. So given the lack of awareness of information risk when moving personal information to the cloud, whose responsibility is it to protect the data?
HackApp itself offered an official statement that summed up the conundrum: “For everyone, who was involved in this incident, I want to remind, that today we are living in Brave New Global World, when privacy protection wasn't ever so weak, and you have to consider, that all your data from ‘smart’ devices could be accessible from internet, which is the place of anarchy, and, as a result, could be [the] source of undesirable and unfriendly activity. So, a weak 'dictionary' password (like P@$$w0rd), is not the best way to protect yourself in modern world. But it's not your fault, it's the total problem of modern-being, that people use technology, without understanding all the risks and consequences. Not all users are nerds.”
Some lay the responsibility squarely at vendors’ feet. “This breach could have been prevented if iCloud required users to use a two-factor authentication to access their accounts,” Vijay Basani, CEO of EiQ Networks, told Infosecurity. “This will require users to enter a numerical code that is sent to their phone or another device, in addition to using their regular password. Since [the] numerical code always changes, it makes it difficult for the hackers to gain access (breach the account) even if they can guess the password.”
Others come down on the side of greater personal responsibility. “People, whether they are celebrities or everyday citizens, need to be fully aware of what they post online and must take responsibility for what they store with a third party since repercussions can be embarrassing to say the least,” said Steve Durbin, managing director at the Information Security Forum, in a comment to Infosecurity.
Others agree. “The recent intrusion of celebrity iCloud accounts represents both a lack of security awareness by these high-profile users and the reality of data proliferation and retention through cloud computing services,” said Mark Stanislav, security evangelist at Duo Security, in an emailed comment. “The underlying reason why these attacks were successful comes down to poor password choices and a lack of two-factor authentication. Sadly, Apple already offers two-factor authentication that could have likely prevented this invasion of privacy had these celebrities enabled that free feature.”
SilverSky recommends that users of all kinds check their cloud services' settings to better understand what types of data are being synced and how long that data may be retained. Further, any private data should be protected by a long, random, and unique password to limit the likelihood of an attacker breaking in by means similar to this attack on iCloud. Last, when services do offer two-factor authentication, that feature should be turned on immediately to give accounts the best protection available.