News  Apple
Has Apples iCloud been hacked?

Celebrity photo leaks sparks iCloud hack panic

Apple's CEO, Tim Cook, has announced that Apple will add additional security steps to block hackers from the iCloud following the celebrity photo leak scandal. These new measures include alerting users through email and push messages when a password change is attempted, a restore operation performed or when the network first encounters a new device. Cook also announced further enhancements to the two factor authentication system, which he encourages all users to activate in the new version of iOS.

The concerns focus around the backup feature the iCloud supports - in particular the fact that users were not notified when someone accessed a backup on another device. This is because it's thought that these offline backups were used as the attack vector in the celebrity nude photo hack, and not a direct breach of the iCloud itself.

iCloud passwords compromised

Apple reported that after a 40-hour investigation there had been no direct breach of the iCloud. What had actually happened was a systematic attack on selected celebrity accounts using social media tricks to discover the password. With the password, a silent offline backup could then be taken without the users knowledge. This backup is then open to the hackers to spread whatever files, images and videos it held. Apple has said they are working with law enforcement representatives who are currently investigating this case.

There's even a tool to help: EPPB

256x188-cloudburglarThe Elcomsoft Phone Password Breaker, known also as EPPB, is an app which keeps cropping up when iCloud hacks are discussed due to the ease of which it opens up the backups. The tool allows anyone with the username and password, or an authentication key, to "rip" the backup, which retrieves everything they user has automatically uploaded to the iCloud, including photographs they have since deleted.

In this case, the hackers systematically targeted the celebrities over a period of time and ended up producing a macabre "brochure" showing censored versions of the images. The idea was for either the celebrity themselves or a media representative to pay a ransom preventing the release of the uncensored versions. Here's how that looks:

Exploiting weaknesses

This episide has uncovered real weaknesses in iCloud security. For example, a hacker would need to know if an email address belongs to a valid account or not, and it is trivial for a hacker to write a script to test this since a POST to will return a value indicating if it is or is not. Hackers can fire test email addresses here automatically from software they write, logging the valid ones. Once harvested, these valid ones are then subjected to further hacks. The problem is compounded because Apple doesn't "rate limit" these requests -  a common technique to guard against repeated attacks from the same computer. 

Apple has made an official statement, with immediate advice for users:

After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification.