Apple Promises Security ImprovementsChanges Coming in Aftermath of iCloud Backup Attacks
Apple plans to add safeguards to help address security vulnerabilities exploited by celebrity-photo hackers. But some security experts have criticized Apple's forthcoming changes as not going far enough, contending that they won't block related attacks.
See Also: Rethinking Endpoint Security
Apple's move comes after attackers released online hundreds images stolen from more than 25 celebrities, which hackers obtained - at least in part - by accessing iCloud backups of the celebrities' iOS devices.
Attackers gained access to the iCloud backups by guessing users' security questions, thus allowing them to change targets' passwords to one of their own choosing; or by using phishing attacks to steal users' legitimate user IDs and passwords, Apple CEO Tim Cook tells The Wall Street Journal.
While Apple issued a Sept. 2 statement saying it was investigating "a very targeted attack on user names, passwords and security questions," Cook's interview represents the first time Apple has confirmed that stolen images were obtained from users' iCloud accounts.
Apple Previews Changes
In response to the celebrity photo hacking incident, Cook says Apple plans to make several security changes, including alerting users - using both e-mails and push notifications to devices - every time someone:
- Changes an account password;
- Uses a new device to log into an account;
- Restores an iCloud backup to a new device.
After receiving a related alert, the user can immediately change their account password, or file a report of a suspected security breach with Apple. The company has yet to detail how exactly it will respond to those reports.
Previously, Apple sent an alert if an unknown device was used to change a password or log into an account for the first time. But it had no alerts in place for iCloud backups. Cook says the new changes are due to take effect within the next two weeks.
Apple has faced ongoing criticism for not having defenses in place that would have blocked attackers from stealing celebrities' nude photos.
U.S. Sen. John D. Rockefeller, D-W.V., who chairs the Senate Committee on Commerce, Science, and Transportation, has requested that Apple detail "security protocols in place for its cloud databases" to his staff. "Apple is expected to introduce a new version of its iPhone that will enable, if not encourage, users to store more information with its cloud services, and I want to learn whether these focused, targeted attacks are symptomatic of wider, systemic vulnerabilities," he says.
Haroon Meer says that he was part of a group of security researchers who highlighted the password-reset vulnerability against iCloud - then dubbed iDisk - in a presentation at the Def Con conference in 2009. "We also used universal XSS in iTunes/iCloud sync for a web based rootkit (that was fixed)," Meer says.
But in his Wall Street Journal interview, Cook attempted to deflect security criticism of Apple, in part by noting that the iPhone 5s features a biometric fingerprint sensor - although that does nothing to secure iCloud - and promising that iOS 8 will allow individuals to use two-factor authentication to restrict access to iCloud from a mobile device.
Cook also says Apple will better publicize its two-factor authentication system, which he admits few people now use. If the feature is activated, anyone who wants to access an iCloud account must input two of the following checks: a password, a four-digit one-time code, or a longer recovery key that gets generated the first time a user activates the two-factor authentication feature.
Security experts, however, have questioned whether Apple's latest changes go far enough. Independent security and privacy expert Ashkan Soltani tells The Wall Street Journal that sending account notifications to iOS users "will do little to actually protect consumers' information since it only alerts you after the fact."
Answer to 'could Apple have done more?' is still yes: - require strong passwords - rate limit - stop using security reset Q's - promote 2FAï¿½ ashkan soltani (@ashk4n) September 2, 2014
"It seems that even if users have 2FA enabled, it doesn't actually protect their iCloud backups - which seem to be the source of these images," Soltani tells Information Security Media Group. "That means if attackers successfully brute-force the password or guess the password-reset questions, they can download a full image of the phone."
Apple declined to respond to multiple requests for comment on the new security features, as well as why it hasn't added additional safeguards to restrict access to iCloud backups.
As documented by Lookout Security researcher Marc Rogers, many of the celebrity image stalkers have been using pirated copies of Elcomsoft's Phone Password Breaker tool, which is designed to allow law enforcement agencies, digital forensic investigators, and device-recovery firms to retrieve iCloud backups.
EPPB allows anyone who possesses a valid Apple account ID and password to download any iOS device backup associated with that iCloud account. Apple doesn't restrict access to those backups using two-factor authentication, nor has it said it plans to do so.
ElcomSoft tells Information Security Media Group that the security changes previewed by Apple will have no effect on its tool. "Apple does not change anything except for adding more alerts. But alerts do not affect EPPB," ElcomSoft spokeswoman Olga Koksharova says. "Even though the program pretends to be a new device in order to download the data, it does not send any feedback when 'restore' is completed," she adds, meaning that an EPPB user wouldn't be distinguishable from anyone else who might possess valid credentials, including device owners or hackers.