Biz & IT —

Update: What Jennifer Lawrence can teach you about cloud security

Posting of celeb pics exposes the weakest links in cloud services, smartphones.

Update: What Jennifer Lawrence can teach you about cloud security

By now, you have probably heard about the digital exposure, so to speak, of nude photos of as many as 100 celebrities, allegedly taken from their Apple iCloud backups (and, it appears, based on the image analysis done by some, from other cloud services). Some of the images were posted to the “b” forum on 4Chan. Over the last day, an alleged perpetrator has been exposed by redditors, although the man has declared his innocence. The mainstream media have leapt on the story and have gotten reactions from affected celebrities including Oscar winner Jennifer Lawrence and model Kate Upton.

Someone claiming to be the individual responsible for the breach has used 4Chan to offer explicit videos from Lawrence’s phone, as well as more than 60 nude “selfies” of the actress. In fact, it seems multiple "b-tards" claimed they had access to the images, with one providing a Hotmail address associated with a PayPal account, and another seeking contributions to a Bitcoin wallet. Word of the images launched a cascade of Google searches and set Twitter trending. As a result, 4Chan/b—the birthplace of Anonymous—has opened its characteristically hostile arms to a wave of curious onlookers hoping to catch a glimpse of their favorite starlets’ naked bodies. Happy Labor Day!

This breach appears different from other recent celebrity "hacks" in that it used a near-zero-day vulnerability in an Apple cloud interface. Instead of using social engineering or some low-tech research to gain control of the victims' cloud accounts, the attacker basically bashed in the front door—and Apple didn't find out until the attack was over. While an unusual, long, convoluted password may have prevented the attack from being successful, the only real defense against this assault was never to put photos in Apple's cloud in the first place. Even Apple's two-factor authentication would not have helped, if the attack was the one now being investigated.

Update: Apple has acknowledged the attack, but an Apple spokesperson claims that it was a "very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone." Apple is encouraging users to use its two-factor authentication to prevent security-question based attacks on their accounts.

Because Apple and other devices automatically upload so much to the cloud, by default—including full phone backups, which, if an account is compromised, could be downloaded by an attacker onto another device—these personal cloud services are particularly dangerous. Their usability in terms of content management is poor at best—does anybody really know what's sitting in Apple's or Google's data stores from their phones? This, combined with ongoing threats like carefully-crafted phishing attacks and large-volume password cracking, makes it especially hard to protect mobile data in a world where everything on your phone is already on the Internet, protected only by your login credentials.

iBrute iForce iHack

Initial reports suggested that the breach of the celebrities’ iCloud accounts was made possible by a vulnerability in Apple’s Find My iPhone application programming interface. Proof-of-concept code for the exploit, called iBrute, allowed for brute-force password cracking of accounts. It was uploaded to GitHub on August 30, just a day before the breach occurred, as ZDNet’s Adrian Kingsley-Hughes noted. Apple patched the vulnerability early on September 1.

All the brute force attack did was test combinations of e-mail addresses and passwords from two separate “dictionary” files. It required knowledge (or good guesses) of the targets’ iCloud account e-mail addresses and a huge list of potential passwords. Because of this weakness, the Find My iPhone service did not lock out access to the account after a number of failed attempts—so the attacker was able to keep hammering away at targeted accounts until access was granted. Once successful, the attacker could then connect to iCloud and retrieve iPhone backups, images from the iOS Camera Roll, and other data.

But Apple claims that no flaw in its service was used for the attack. Instead, it was a much more low-tech attack—similar to previous celebrity cloud account hacks over the past few years, relying on either "phishing" account data through targeted, fake e-mails, or simply using public information to try to guess the password or security answer questions of a celebrity. This is an old 4Chan standby—the hack of Sarah Palin's Yahoo e-mail account, which was posted to 4Chan's "b" forum in 2008, also used public information on the target to obtain the password to the account.

Cloud abuse

Apple’s iCloud security (and that of other mobile cloud services) has been bruised and broken before, though most of the past attacks have been based on social engineering and use of publicly available information about the victims. Christina Aguilera, Scarlett Johansson, and other celebrities were hacked in 2011 by a Florida man who essentially guessed passwords or recovered them using personal details. He then set up forwarding addresses in their e-mail accounts to an account he controlled—allowing him to answer security confirmation e-mails and take control of their devices.

And then there’s the story of what happened to Wired’s Mat Honan in 2012: a “hacker” was able to get access to the last four digits of his credit card number from Amazon and, using that information, gained access to his Gmail account. The attacker then called Apple’s tech support and convinced Apple that he was Honan, getting the password on his account reset.

Caveat Selfor

Given how much of what is on smartphones is now automatically backed up to the cloud, anyone should take pause before disrobing before their smartphone camera—regardless of the phone operating system or how that image will be delivered to its intended audience.  The security of all of these services is only as secure as the obscurity of the mother’s maiden name of the person you sent that picture to—or of the next zero-day flaw. And while two-factor authentication—which uses a code sent to your device, or a secret recovery key if the device is lost—will prevent an attacker from attempting to bluff through your security questions, it won't prevent an attacker who uses other means to obtain your password from gaining access to your cloud data, as Dan Goodin reported last year.

Apple’s iOS backs up your photos to iCloud by default if you configure an account. Android’s backup does the same, and Google Plus, Yahoo Flickr, and many other services offer to automatically sync your images to the cloud. Even if you don’t set one of these up for syncing, you never know what the person you send the picture to will do with them. Even “ephemeral” messaging applications like SnapChat, Glimpse, Wickr and the like don’t block people taking screen captures of the image—and if image recipients are using an iPhone, those might automatically get synced to their cloud.

If it’s in the cloud—a public, free cloud service, especially—then chances are good that eventually it will find its way to the Internet. Cloud services are leaky by their nature; things that are supposed to be private get stored alongside things that are shared, and anything from user error to a previously undiscovered vulnerability can make even strong passwords pointless, while exposing all of those things to the world.

And what happens when a cloud store gets breached? If the one doing the breaching is never caught, the answer is “not much”—because the cloud providers are generally covered from the victims’ wrath by terms of service.

In a conversation I had on Twitter this morning with Tal Klein, the vice president of strategy for the cloud security firm Adallom, Klein said there were two things to take away from this latest breach: “1. Don't take pictures of your junk; it will end up on the Internet somehow at some point. 2. Not all security is equal. And all vendors are mostly indemnified. So use the cloud because it's great, but be cognizant of accountability.”

Ricky Gervais tweeted (and then deleted): “Celebrities, make it harder for hackers to get nude pics of you from your computer by not putting nude pics of yourself on your computer.”  But it's a much more fundamental problem than that. It's not that it's celebrities' fault for being hacked; it's just that they should arm themselves with the knowledge that the cloud is fundamentally insecure in the future. And mobile device manufacturers and cloud providers need to make security much more transparent to users and give them more control about what stays in the cloud.

This story has been updated based on additional information emerging on the attacks, from Apple's statement, and on feedback from peers and readers for clarity.

Channel Ars Technica