Even though the story started brewing on Saturday it took Apple almost four days to respond to media enquiries as to what happened. With a new generation of iPhones and other devices scheduled for launch next Tuesday, most experts agree that - rightly or wrongly - the saga has overshadowed that launch, as witnessed by volatility in Apple's share price.
Apple claims that iCloud is defended by a two-factor authentication (2FA) process, but as reported by SCMagazineUK back in May, the iCloud activation lock was cracked.
According to Marc Rogers, a principal analyst with Lookout Mobile Security, whilst some of the celebrity photos are from existing sources or have been faked, a "significant percentage of them appear to be exactly what the original leaker claimed - intimate photos stolen from celebrities."
In his analysis, Rogers says that the attackers used several tools - ranging from commercial password recovery tools such as Elcomsoft's 'Phone Password Breaker' to well known hacking tools such as 'Jack the Ripper' on hardware built specifically to accelerate the cracking process.

The Lookout analyst also points out that the 2FA protection is only required in three distinct situations: when logging into the 'My Apple ID' Web site; making a purchase from a new device; and when getting Apple ID related help from Apple.

"Signing into iCloud in order to access, say, your backups or photos, does not require 2FA. In this case, enabling two-factor authentication would not have helped anyone involved in this latest leak," he said.
"This is an oversight on Apple's part, consequently we have reached out to them suggesting that it would be a better, safer, experience for users if they extended two-factor authentication to any service that exposes sensitive user data," he added.
Rogers goes on to say that there is no indication that the hackers used anything other than brute force attacks against the celebrity iCloud accounts, but advises that - to secure their own iCloud account - users should have an eight-character or longer mixed alphanumeric password, enable 2FA and have good IT security software installed.
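The two points Rogers makes above - that the accounts fell to brute force guessing, and that the backup endpoint accepted a password alone with no second factor - can be turned into a detection check on authentication logs. The following is an added example and is not code from the article, Lookout or Apple; the log line format, the endpoint names and the MFA policy table are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy table (constructed, not Apple's real configuration) that
# models the coverage gap Rogers describes: which endpoints demand a 2nd factor.
MFA_REQUIRED = {
    "my-apple-id": True,       # account management web site
    "store-new-device": True,  # purchase from a previously unseen device
    "icloud-backup": False,    # backup / photo retrieval: password only
}

# Constructed sample authentication log (illustrative format, not real iCloud logs):
# six rapid failures against alice's backup endpoint, two events for bob.
SAMPLE_LOG = "\n".join(
    [f"2014-09-01T03:12:{s:02d}Z icloud-backup user=alice@example.com "
     f"result=fail src=203.0.113.5" for s in range(6)]
    + ["2014-09-01T03:15:00Z my-apple-id user=bob@example.com result=fail src=198.51.100.7",
       "2014-09-01T03:15:05Z my-apple-id user=bob@example.com result=ok src=198.51.100.7"])

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) result=(ok|fail) src=(\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, service, user, result, src = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "service": service, "user": user, "result": result, "src": src}

def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag (user, service) pairs whose failed logins inside a sliding time window
    reach `threshold`, and note whether that service lacks a second factor."""
    recent_fails = defaultdict(deque)   # (user, service) -> timestamps of failures
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "fail":
            continue
        key = (ev["user"], ev["service"])
        q = recent_fails[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            findings[key] = {"failures": len(q),
                             "mfa_gap": not MFA_REQUIRED.get(ev["service"], False)}
    return findings
```

Running `detect_brute_force(SAMPLE_LOG)` flags only alice's account, and marks the finding as an MFA gap because the targeted endpoint is password-only in the policy table.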
Mike Janke, the co-founder of Silent Circle, the company behind the Blackphone secure handset, meanwhile, says that we - as an IT industry - need to encourage young people to become more involved in computer science and open-source software development communities.
This will, he says, allow us to develop more innovative and secure products that allow users to communicate both privately and effectively without speculation.
Technology and telecommunication companies, meanwhile, he adds, need to be more transparent about what and how they are protecting user data, whilst individuals need to understand the limitations of their communication providers and have the ability to explore alternatives that provide more intrinsically secure options.
Janke's comments were echoed by Yiannis Chrysanthou, a security researcher in KPMG's cyber security team, who said that multi-factor authentication may also be needed to secure cloud-stored data.
Organisations, he explained, seem to believe that if they force users to pick long complex passwords and then store them only in their cryptographically hashed formats, then they are relatively safe.
"The reality is that we hear of password breaches time and time again, and this needs to change," he said, adding that multi-factor authentication is best as it combines multiple forms of identification data.
"By adding an additional factor such as a smartcard (something a user has) or a fingerprint (something the user is), credential theft and impersonation becomes harder. Multi-factor authentication will block traditional attacks relying on guessing or stealing a user's password because the password itself will no longer be sufficient," he said.
"Of course this extra security comes with increased investment but the improved customer protection makes it viable and valuable," he added.