Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/ iCloud Flaw Not Source of Celebrity Photo Leak Rich Mogull Over the weekend, [1]disturbing news broke that criminals pilfered the private photos of certain celebrities, posted some online, and offered more up to the highest bidder. It is one of the deepest, most disturbing violations of privacy possible, and while this incident focused on the famous, the crime is certainly neither new nor limited to those living public lives. As speculation swirled around the source(s) of the photos, [2]reports emerged on Twitter of the existence of a public tool to brute force iCloud passwords, which may have been involved in the crime. [3]Apple denies that the iBrute tool was used in the celebrity attacks: ... After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved. As is nearly always the case in a big security story, it takes time for the facts to emerge. Apple likely didn't know for sure if iCloud was involved at all, and only after intense investigation was able to better understand the attack. Thus, despite even my own suspicions, it appears that some celebrities were deliberately targeted and had their iCloud accounts compromised ' not due to the recently patched flaw, but rather by guessing passwords or answers to security questions. Passwords at the Root -- Based on Apple's statement and similar previous incidents, the criminals appear to have individually compromised a set of targeted accounts. A variety of techniques could have been used, including using one compromised account to attack other celebrities with a relationship to the victim. At this point, speculating as to the exact nature of the attack is little more than guessing, and Apple may still hold some responsibility. For example, although Apple supports two-factor authentication, it doesn't directly restrict the ability to set up a new device with access to your iCloud account (I suspect this will be changed quickly). That doesn't make Apple responsible (though the company doesn't make [4]two-factor authentication easy to set up, either), but two-factor authentication is one of the only viable options to protect accounts in a world where passwords are increasingly difficult to manage. Even if Apple didn't do anything intentionally wrong, as seems to be the case, that doesn't mean we shouldn't hold them (and all cloud providers) to a higher standard as we place more and more trust into our devices and the cloud. iBrute Limited -- On 30 August 2014, someone using the name 'hackapper' [5]released a tool called iBrute on the GitHub software code sharing service. The tool attacked an account by iterating through the 500 most common passwords (obtained from a big repository of stolen passwords) that met Apple's password requirements. It did this via a direct connection to iCloud over an Application Programming Interface (API) for Find My IPhone, allowing it to blast through all 500 passwords relatively quickly. This is known in security circles as a brute force attack, since it doesn't bypass the password, but merely tries as many passwords as it can until it hits the right one. Normally, these attacks are thwarted by limiting the number of times you can try a password before being locked out of the account. In this case, Apple seemed to allow a higher number of password attempts (some claim there is no limit, but I've been given conflicting information, and can't test now that the flaw is fixed). [6]Apple did patch the vulnerability on 1 September, limiting the damage, although we don't know how long the vulnerability existed and how widespread abuse may have been before the tool was released. But based on Apple's statement, the iBrute tool or some other direct attack on iCloud or Find My iPhone was not the source of the celebrity photo theft. That statement, however, was carefully constructed in case conflicting information later emerges in the investigation. This is a terrible situation, and possibly one that started with criminal attacks months or years ago. The only ones to blame are the criminals who stole the photos, and those that support them by looking at or even purchasing the photos. But Apple, like all major cloud providers, needs to step up its game, especially since it wants to store our photos, biometric information (medical, not fingerprints), and possibly even payment information in the cloud. These kinds of attacks are only going to increase, and online services need to make it easier for users to implement a higher level of security, without destroying the user experience. It's the kind of challenge well-suited to Apple's strengths, now it's time for them to move up to the next level. In the meantime, it may not be a terrible idea to follow Glenn Fleishman's directions for setting up two-factor authentication with your Apple ID, as outlined in '[7]Apple Implements Two-Factor Authentication for Apple IDs,' (21 March 2013). References 1. http://www.huffingtonpost.com/2014/08/31/jennifer-lawrence-nude-photos_n_5745260.html 2. https://twitter.com/PenLlawen/status/506418359039459328 3. http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html 4. http://www.dailydot.com/technology/apple-icloud-two-step-verification/ 5. https://github.com/hackappcom/ibrute 6. http://thenextweb.com/apple/2014/09/01/this-could-be-the-apple-icloud-flaw-that-led-to-celebrity-photos-being-leaked/ 7. http://tidbits.com/article/13654 .