Is Apple iCloud Safe?

Defenses Don't Block Backup-Retrieval Attacks, Experts Contend

Apple has blamed a "very targeted attack" for the suspected breach of numerous celebrities' iCloud accounts, which resulted in nude photographs and videos being leaked to the 4chan image board. But some security experts have taken issue with Apple's explanation for the attacks. And they contend the company's iCloud service remains vulnerable to similar exploits.


Security experts say at least a dozen celebrities' personal photographs and videos have recently been publicly released, and the attackers have hinted that there may be more than 100 celebrity victims in total. Attorneys for actress Jennifer Lawrence and model Kate Upton have confirmed their clients were victims of the attacks, which many security experts have suspected resulted from attackers exploiting iCloud vulnerabilities, potentially by launching brute-force password-guessing attacks via the Find my iPhone API, although Apple has now patched that flaw.

But in a media advisory issued Sept. 2, just two days after the trove of celebrity images came to light via the 4chan image board, Apple said some celebrities' accounts - and photos and videos stored therein - "were compromised by a very targeted attack on user names, passwords and security questions."

"None of the cases we have investigated has resulted from any breach in any of Apple's systems, including iCloud or Find my iPhone," Apple said in its advisory.

An FBI investigation is continuing, and Apple says it hopes to pinpoint the identities of those who stole the images. Going forward, Apple has also urged all iCloud users to use strong credentials. "To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification," it says.

Questioning Apple's Take

Some commentators have accepted Apple's explanation, saying that if usernames and passwords were compromised, and users failed to activate two-factor authentication, then Apple is blameless. But others have questioned Apple's account. "Apple basically said that iCloud wasn't hacked ... it was iCloud accounts that were hacked. Using iCloud. That's different. I guess," says digital forensics researcher Jonathan Zdziarski via Twitter.

Zdziarski adds that Apple could have done much more to secure accounts, "like not allow infinite brute-force attempts, and verify logins from unknown IPs with a SMS or email code."

Apple didn't immediately respond to a request for comment about whether it planned to add those security features.

If Apple was logging access attempts, then any attackers who attempted to log onto iCloud would have had their IP address recorded, provided attackers weren't actively masking it. "Apple should have logs containing IP addresses of all parties connecting to their services and using this information; they should be able to quickly identify attackers executing large numbers of logon attempts," says Philip Lieberman, CEO of Lieberman Software.

But he says the breach "does beg the question of Apple's incompetence in security operations," since the iPhone manufacturer doesn't appear to have detected the attacks.
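The two controls raised above, spotting a source IP that makes large numbers of failed logon attempts and requiring an extra check when a successful login comes from an IP not previously seen for that account, can be sketched over an authentication log. This is an added example, not code from Apple or from anyone quoted in the article; the log format, the threshold of five failures in five minutes, and the function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, documentation-range IPs).
SAMPLE_LOG = """\
2014-08-30T10:00:00 ip=198.51.100.10 user=alice result=OK
2014-08-30T10:05:00 ip=192.0.2.5 user=bob result=FAIL
2014-08-30T10:05:20 ip=192.0.2.5 user=bob result=OK
2014-08-30T11:00:00 ip=203.0.113.7 user=alice result=FAIL
2014-08-30T11:00:05 ip=203.0.113.7 user=alice result=FAIL
2014-08-30T11:00:10 ip=203.0.113.7 user=alice result=FAIL
2014-08-30T11:00:15 ip=203.0.113.7 user=alice result=FAIL
2014-08-30T11:00:20 ip=203.0.113.7 user=alice result=FAIL
2014-08-30T11:00:25 ip=203.0.113.7 user=alice result=OK
""".splitlines()

def parse_line(line):
    """Split one record into (timestamp, ip, user, succeeded)."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    return ts, fields["ip"], fields["user"], fields["result"] == "OK"

def analyze(lines, window=timedelta(minutes=5), max_failures=5):
    """Return (IPs over the failure threshold, logins needing a second check)."""
    recent_failures = defaultdict(deque)   # ip -> failure times inside window
    known_ips = defaultdict(set)           # user -> IPs with a prior success
    noisy_ips, step_up = set(), []
    for ts, ip, user, ok in map(parse_line, lines):
        if not ok:
            q = recent_failures[ip]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than window
                q.popleft()
            if len(q) >= max_failures:
                noisy_ips.add(ip)
            continue
        # Success: a user's first IP is the baseline; later new IPs are flagged.
        if known_ips[user] and ip not in known_ips[user]:
            step_up.append((user, ip))
        known_ips[user].add(ip)
    return noisy_ips, step_up

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed log, the address that fails five times in 25 seconds is flagged, and its eventual successful login is also marked for an SMS or email code because that account had only been seen from a different address.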

Apple Two-Factor: Not For Backups

In the wake of the celebrity image breach, Apple has recommended not only picking strong passwords, but using its two-factor authentication system to make it more difficult for would-be attackers to access a user's iCloud account.

But according to Australian software developer Nik Cubrilovik, Apple's two-factor system won't secure users against the types of cloud-ripping attacks that compromised the celebrity photos and videos, because it only protects "account details and updates," not backups. "Two-factor authentication for iCloud is useless in preventing passwords or authentication tokens being used to extract online backups," he contends.

Apple didn't immediately respond to a request for comment about that criticism of its iCloud system backup security. In the meantime, Lieberman says users must be aware "that they are using a consumer-grade service with Apple," and that "much more secure systems exist for file storage and should be used for sensitive data."

Hence it's caveat emptor for anyone using a consumer cloud service - especially celebrities and other high-profile targets.

"If you really care about your privacy, do not store any data in the cloud, even if the vendor says it's encrypted," Vladimir Katalov, CEO of Russian data forensics toolmaker ElcomSoft, tells Information Security Media Group. "As we have proven before, though the data in iCloud is encrypted, the encryption keys are stored along with the data, so Apple has full access to it - as do Amazon and Microsoft, who provide hosting services to Apple."

iCloud Backups Persist

One unanswered iCloud breach question has been why images that some victims thought they'd deleted many months ago turned up in the published cache of photographs. As image-hacking victim Mary Winstead says on Twitter: "Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked."

A potential answer is that the images may have been stolen some time ago, but only recently published to 4chan.

Another possible explanation, however, is that iCloud stores up to three full backups of a device, each of which persists until replaced by a new, complete backup. That happens only if someone syncs their device with a computer that's plugged into a power source and connected to the Internet. Thus older iCloud backups might linger for some time, especially for someone who travels frequently, such as an actor.

"There could be weeks or even months between each of their three iCloud backup revisions, so photos deleted from the device may still be accessible from one of the earlier backups," says Moti Sagey, head of competitive intelligence for security vendor Check Point.

Thus any attackers who manage to obtain valid iCloud credentials could have access to photographs, videos and other data that was no longer residing on the device itself, by tapping a recovery tool such as Dr.Fone, which is designed to allow an iOS device user to retrieve their iCloud backups, even if the device itself has gone missing. "After a hacker has obtained the appropriate iCloud username and password for a person, they can use tools like Dr.Fone to recover data from the three revisions of iCloud backups - which can include content that the user thought was deleted," Sagey says.

Subculture Targets Celebrities

But that's not the only tool celebrity photo and video thieves - or any other would-be iCloud hackers - might employ.

Cubrilovik says there's an "obsessive subculture of celebrity nudes" driven by "entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public," and supported by a complex ecosystem of people in a variety of roles. Those roles include individuals who collect information on targets - for example likely answers to "secret questions," such as the city in which they were born, or the name of their first pet; people whose job it is to retrieve passwords or authentication credentials; users who apply the information to "rip" data from the target's cloud-based accounts, using purpose-built, commercially available tools; and collectors, who typically aggregate stolen messages and images on Dropbox or Google Drive, as well as engage in related buying and selling.

Top cloud targets include iCloud, Cubrilovik says, especially because iOS devices are popular and photo backups are enabled by default, as well as online Android backups and Windows Phone backups.

"There is an insane amount of hacking going on," says Cubrilovik, who's studied months' worth of related forum and image board postings, private emails, and service requests. "On any day there are dozens of forum and image board users offering their services. While many of those offering to rip alone based on being provided a username and password are scammers, they will still steal the data and sell it or trade it."

For ripping information from cloud accounts, Cubrilovik says his research turned up no mention of brute-force techniques being used against the Find My iPhone API, or adoption of the iBrute proof-of-concept tool that was recently released. Instead, many attackers seem to favor using cloud services' password-reset tools, social engineering, phishing attacks that retrieve iCloud credentials, and the ElcomSoft Password Recovery Bundle. That bundle, designed to be used by law enforcement agencies and authorized digital forensic experts, can be used to retrieve complete iCloud backups, including some deleted images.

ElcomSoft says it restricts the sale of the software to law enforcement agencies, as well as digital forensics firms, who use it, for example, to recover users' data when they lose a device. The software retails for $2,300 or more and includes a license that requires the user to attest that they're only using it in a legal manner. But Cubrilovik says the software appears to be "heavily pirated."

ElcomSoft Defends Forensic Tool

ElcomSoft CEO Katalov says his company's Phone Password Breaker tool doesn't exploit any Apple iCloud vulnerabilities. Furthermore, aside from the now-fixed Find My iPhone flaw, he says the company isn't aware of any vulnerabilities in iCloud.

Instead, the tool just automates what anyone can do, provided they possess valid Apple credentials. "Once you have an Apple ID and password, you can set up a new device and ask to restore it from the iCloud backup, using these credentials," he says. "The only difference is that with EPPB you will get the backup much faster - we optimized it - and more conveniently, because there's no need to restore into a new device and use iTunes to extract data."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
