iCloud hole closed following brute force attack

A hole in iCloud's security allowed attackers to access any iCloud account via a brute force attack that side-stepped blocks - but it is now reported to have been patched.

2015 began, predictably, with a major hack of a global service provider: on New Year's Day a tool claiming to be able to break into any account on Apple's iCloud was announced, exploiting a vulnerability that is reported today to have been fixed.

The tool, iDict (see iDict's GitHub page), exploits a weakness in Apple's security in what its author describes as a "100 percent working iCloud Apple ID dictionary attack that bypasses account lockout restrictions and secondary authentication on any account," according to a 2 January report in Business Insider (BI).

The tool was able to avoid Apple's protections against brute force attacks by using a hole in iCloud's security that let it guess user passwords repeatedly, including running through lists of the most commonly used passwords, so that given enough time any account could be compromised.

The hacker, Pr0x13, said that there was a "painfully obvious" flaw in Apple's iCloud which could be used to bypass security systems such as passwords, security questions and even two-factor authentication.

Apple did respond quickly: it was reported on 2 January that attempts to use the tool were causing iCloud accounts to be locked for security, preventing attackers from gaining access.

The tool did require its users to know the email address associated with an iCloud account before it tried to hack into it.

Michele Borovac, VP at HyTrust (www.hytrust.com), the cloud control company, commented to the press: "Dictionary attacks have been around for a long time. The reality is that passwords can be broken given enough time and compute power. This makes the practice of using two-factor authentication even more critical for any account that holds sensitive data. Two-factor authentication combines something you know - like a password - with something you have - a token, or similar.

"As these types of attacks proliferate, we will see companies introduce two-factor authentication methods as a baseline part of their security offerings."

Patrick Thomas, security consultant at Neohapsis (www.neohapsis.com), a security and risk management consulting company specialising in mobile and cloud security services, adds: "If valid, this is an attack technique and vulnerability almost identical to the weakness in the 'Find my iPhone' used in the iCloud breach which compromised celebrity photos in August.

"Remote password brute force attacks are a slow and noisy attack, but can be effective against users who chose poor passwords. Best practice is for service providers to limit the number of password guesses allowed and enforce multi-factor authentication at every possible entry point, but in complex applications developers will often 'lock the front door' but forget about less obvious interfaces.

"This attack targets the loginDelegates functionality, which is the sort of side-door functionality that can easily receive less scrutiny.

"The lesson for service providers is to put in place strong, consistent standards across entire development organisations and to proactively think about alternate authentication processes that might slip under the security radar."
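The "lock the front door but forget the side door" failure Thomas describes, shown as an added illustration that is not from the article or from Apple's systems: a toy authentication service with two login interfaces, an assumed lockout threshold of five failed guesses, and a constructed account and wordlist. With a failure counter per endpoint the second interface gets a fresh guess budget; with one counter per account the lockout holds at every entry point.

```python
"""Added example: account lockout must be shared across every login interface."""
from collections import defaultdict

MAX_FAILURES = 5  # assumed lockout threshold, not Apple's actual policy

# Constructed credential store with a single test account.
USERS = {"alice@example.com": "correct horse battery staple"}


class AuthService:
    """Counts failed guesses either per account or per (account, endpoint)."""

    def __init__(self, shared_lockout: bool):
        self.shared_lockout = shared_lockout
        self.failures = defaultdict(int)

    def _key(self, account, endpoint):
        # Per-endpoint keys give every 'side door' its own untouched budget.
        return account if self.shared_lockout else (account, endpoint)

    def login(self, account, password, endpoint):
        key = self._key(account, endpoint)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"          # refuse before checking the password
        if USERS.get(account) == password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def guess_series(service, account, endpoint, guesses):
    """Submit each guess to one endpoint and record every outcome."""
    return [service.login(account, g, endpoint) for g in guesses]


# Constructed wordlist: five common passwords, then the real one last.
GUESSES = ["password", "123456", "qwerty", "letmein", "iloveyou",
           "welcome", "correct horse battery staple"]


def simulate(shared_lockout):
    """Exhaust the front door's budget, then move to the side door."""
    svc = AuthService(shared_lockout)
    front = guess_series(svc, "alice@example.com", "web_login", GUESSES[:5])
    side = guess_series(svc, "alice@example.com", "loginDelegates", GUESSES[5:])
    return front, side
```

With per-endpoint counters `simulate(False)` ends in `"ok"` on the side door after the front door was exhausted; with a shared counter `simulate(True)` returns `"locked"` there.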

Nathaniel Couper-Noles, senior security consultant at Neohapsis (www.neohapsis.com), suggests the problem is the inherent weakness of passwords and concludes there is no ideal solution: "In economics, this problem is addressed in classical principal-agent theory. Passwords are hard to work with, and by design there is an inherent information asymmetry. Users will be prone to exercise 'economy of effort' (e.g., selecting weak passwords or reusing passwords).

"Principal-agent theory suggests alternatives, none of which is a perfect fit:

1. Reducing the information asymmetry. For example:
   - Forcing users to disclose their passwords to external sites and auditing compliance. In addition to the obvious ethical problems, this is illegal in some jurisdictions.
   - Merely asking users whether they reuse their passwords and engaging collaboratively with them to understand and address the problem. This relies on users to self-report, but a collaborative approach may yield better results than empty threats.

2. Forcing users to select complex passwords and rotate them periodically. This turns the users' economy of effort against them, because now they will have to update external sites if they are hell-bent on reusing passwords. But in so doing, it increases the total effort of maintaining complex passwords. This happens to be a standard recommendation in information security circles.

3. Automating processes and creating separate machine or process accounts for internal systems wherever feasible (essentially cutting users out of the loop and minimising access). Process automation necessitates capital investment, which is potentially cost prohibitive, but may proceed at its own rate as technology advances.

4. Restricting user access to outside (e.g., social media) sites, such as by blocking access while at work. This doesn't prevent users from re-using passwords on prohibited sites while they are not at work or while they are using personal devices. Plus it's not entirely practical - many legitimate business processes across industries will involve external sites (e.g., vendor, supplier and regulatory systems).

5. Eschewing passwords for enterprise use. It is not practical for most enterprises to eliminate passwords entirely, but single sign-on, key management, alternative authentication and centralised password systems can at least reduce the difficulty of remembering many passwords.
   - Alternative authentication schemes, such as certificates, two-factor authentication systems, biometrics and identity card (smart card) systems, all have their own drawbacks, but many have seen limited adoption.

6. Deferred compensation - incentivising users somehow, perhaps by linking part of compensation or other awards, benefits or incentives to whether the users' password was breached in a third-party website. This might mean checking lists of breached sites and accounts, which itself may involve accessing shady parts of the internet.

As you can see, none of these is a perfect solution."