Celeb photo attack: hackers may have finally awoken a sleeping giant

2 Sep 2014

While iOS is believed to be 10 times more secure than Android, hackers still want in. If anything, the latest hack attacks via iCloud on stars such as Jennifer Lawrence may have finally awoken Apple to the threat.

As the world grapples with questions such as how did the hackers manage to get their hands on photos supposedly securely stored in smartphones and cloud accounts, security experts agree that the entire situation has been a wake-up call for the rest of the world.

Dozens of sexually explicit private photos of stars like Jennifer Lawrence and Kate Upton have been published to boards like Reddit, AnonIB and 4chan.

Apple and the FBI are currently investigating how the breaches happened and social networks like Facebook and Twitter say they will ban anyone found sharing the photos.

Security experts have told Siliconrepublic.com that they believe the attacks were made possible by poor password security.

“Is seems likely that those responsible for this attack utilised a script which had been posted to the popular code sharing site GitHub which implemented a brute force password guessing attach against an iCloud account via the ‘Find my iPhone’ feature,” said Dermot Williams, managing director of ThreatScape.

“This enabled one or more attackers to compromise a series of celebrity-owned accounts and sync with them to download their stored photos etc. My guess is that someone started with (or guessed) just one target users email address, compromised that account, and then obtained not only their stored photos and videos but also their contact list – providing a treasure trove of other celebrity email addresses which they could then target on iCloud to obtain further data (not all email addresses and individuals would lead to further Apple-device owners, or iCloud users but clearly a lot did).”

Two-factor authentication the only winner in this tawdry mess

The tawdry debacle that saw hundreds of nude photos of Hollywood stars such as Jennifer Lawrence leaked online after their iCloud accounts were hacked has only one winner: two or multi-factor authentication.

The attacks are a reminder not only for consumers to consider two-factor authentication but also for companies like Apple to do a better job informing people of how two-factor authentication can be useful to them.

“We examined the evidence that has emerged so far, and said it appears to have been a fairly straightforward attack,” said Tom Keating, general manager, FireEye in Ireland. “That said, it is also one that could have been thwarted had some additional steps to secure the targeted accounts been taken.

“That additional step is known as two-factor authentication. Apple calls it ‘two-step verification,’ although they don’t work very hard to tell people about it, this maybe down to their desire to keep things simple for the users.

“In general Apple has been a little late to the game in offering this kind of protection, and doesn’t advertise it, you have to dig through the support articles to find it.

“When enabled, two-factor authentication requires users to enter a numerical code that is sent to their phone or another device, in addition to using their regular password. Since the number constantly changes, it makes it much more difficult for attackers to gain access the account, even if they know the password,” Keating said.

Also use pass phrases, not passwords

Europol special advisor, Brian Honan of BH Consulting, said that the breach again highlights how passords can be as a sole security mechanism to protect sensitive information.

He said that despite previous well-known breaches people will continue to use weak passwords.

As more and more data moves to the cloud, the problem is going to get a lot worse, and business owners in particular need to be on their guard.

“Firstly make sure you use a strong passphrase to protect your iCloud services,” Honan recommended. “A passphrase is a phrase that can be easier to remember and harder to guess than a password.

“For example, the passphrase ‘IloveReadingTheSiliconRepublicOnline’ is much more secure than an eight character passwords such as ‘Pa55W0rd’. Do not re-use this passphrase on other services or networks, otherwise should those services be breached and your passphrase is exposed then criminals can access all the services that use that passphrase.

“Many cloud services, such as Outlook.com, Gmail, FaceBook, and Twitter. iCloud have such a service.”

Like Keating, Honan recommended two-factor authentication.

“Having two factor authentication means those attempting to access your accounts need to have access not just to your password but also to the other authentication factor, which is typically your phone.

 “Business users should also look at what data is being stored in the cloud, be that with iCloud or any other provider, and determine how sensitive and valuable it is to the business.

“If it is of a sensitive nature then they should look at ways of providing additional security to that data, such as encrypting it when it is stored in the cloud and providing effective security awareness training to their staff on how to use mobile devices and the cloud securely.”

ThreatScape’s Dermot Williams says that from an IT security perspective the breach of celebrities iCloud and iPhone devices the fault likes partly on the users and partly with Apple.

“There have been suggestions that a dictionary of as few as 500 common passwords may have been employed.

“But Apple are the the more culpalbe since users will make mistakes and security processes and features need to be designed to thwart attackers and protect users, even from themselves.

“Apple’s ‘Find my iPhone’ system permitted attackers to guess an unlimited number of passwords over time without imposing any sort of speed throttling or security lockout to prevent further guesses, and without triggering any security alert or advisory email to the account owner that would have raised a red flag. This flaw has now been fixed and a message on github in the comments to the attack script stated “The end of the fun, Apple has just patched”.  

“I am guessing also that iCloud did not send an email to the owner of a compromised account advising that a new device had been connected to their account and was syncing their data; had this been done then this attack would likely have been detected and blocked sooner,” Williams said.

Apple, we’re no longer in Kansas!

Tom O’Connor of Lan.ie believes that the main culprit enabling the attacks was ‘Find my iPhone’.

If anything, O’Connor believes Apple were aware there were issues with ‘Find my iPhone’ and dropped the ball when it comes to getting it patched.

“Apple are in a new arena now and no longer can they hide behind their comparison of Mac users versus PC users. Hackers today want access to iOS and these attacks will be far more common in the future due to the vast number of iPhone users in the world. The hackers want in. In saying this, however, iOS still is 10 times more secure than Android.”

O’Connor advises that Apple should take similar precautions as Microsoft and other IT security software players have taken and incentivise armies of ethical hackers to assault their systems, find zero day flaws and report them.

“There are a serious number of flaws and RATs (remote access tools) available for jail-broken iPhones.  People with jail-broken iPhones are at the greatest risk,” O’connor concluded.

“Mobile security will cripple users in 2015, mark my words.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years