iCloud Hack: What Happened and How to Protect Yourself


Over the weekend, a large cache of nude images, reportedly of A-list celebrities, was allegedly stolen from iCloud accounts and spread across the Internet. So how was someone able to get into accounts on Apple's cloud storage service, and what can you do to protect your own files from a similar breach?

The Wall Street Journal’s Daisuke Wakabayashi reports that Apple is “actively investigating” reports that iCloud vulnerabilities were exploited to hack several celebrities’ accounts. Nude photos and videos, some authentic and some possibly fake, were reportedly stolen from the iCloud accounts of celebrities including actress Jennifer Lawrence and model Kate Upton and posted to image sharing community 4chan. From there, they have spread to Twitter, Reddit, Imgur, and other sites, many of which have shut down the threads and accounts where the images were posted.

Apple's iCloud lets users store music, photos, documents, and other files in iCloud and reach them from a variety of devices. In a post on GitHub, a user detailed a bug in Apple's Find My iPhone service, an iCloud feature for locating a missing iPhone, whose login interface neither locked the account nor slowed down after repeated wrong passwords, so an attacker could keep guessing an iCloud password until the right one was accepted. The GitHub post also included a Python script called "iBrute" that automated so-called "brute force" attacks against iCloud accounts through that Find My iPhone weakness.

Brute-force attacks use a script to submit password guesses against an account over and over; once a guess is accepted, the attacker can reuse that password to reach the rest of the account's iCloud functionality. iBrute does not try every possible string. It works from a list of 500 common passwords, so it only succeeds against account holders who chose one of those easy-to-guess passwords.

The Next Web reports that Twitter users were able to use the tool, which had been public for two days before being shared to Hacker News, to get into their own accounts. The GitHub post was updated on Monday with the message: "The end of fun, Apple have just patched." When The Next Web tested the tool after that update, Apple locked the account after five failed attempts: the script still submits its guesses, but the lockout now stops it, so Apple has indeed closed the hole.

A login interface that allows unlimited guesses is a departure from the norm; most services lock an account after a set number of incorrect password attempts. Staff of The Next Web talked with the Python script's creator, known as "Hackapp," via Twitter. (Re/Code reports that iBrute was created by Russian security researchers as a proof of concept and demonstrated at a security conference this summer.) The Next Web asked whether the tool could have been used in the hacking of celebrities' accounts. Whoever is behind the Hackapp Twitter account responded, "I've not seen any evidence yet, but I admit that someone could use this tool."
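To make the difference between the two behaviours concrete, here is an added example (not iBrute and not Apple's code) that mocks a login endpoint in Python, once with no limit on failed attempts and once with a five-strike lockout like the one The Next Web observed after the patch, and runs a small dictionary attack against both. The account store, the user name, the victim's password and the short "common passwords" list are constructed stand-ins.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed example of a password-checking endpoint with and without a
# failed-attempt lockout, plus a dictionary attack against it.
# Not iBrute and not Apple's code; names and data are stand-ins.

PBKDF2_ROUNDS = 50_000  # kept low so the demo runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


class AuthService:
    """max_failures=None reproduces the unlimited-guess behaviour described
    above; a small integer gives the lockout Apple applied afterwards."""

    def __init__(self, max_failures=None):
        self.max_failures = max_failures
        self.accounts = {}
        self.attempts = 0  # guesses the endpoint actually evaluated

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user, password) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if acct.locked:
            return "locked"  # refused before the password is even checked
        self.attempts += 1
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.max_failures is not None and acct.failures >= self.max_failures:
            acct.locked = True
        return "denied"


# Stand-in for a "common passwords" wordlist (the real iBrute list had ~500).
COMMON_PASSWORDS = [
    "Password1", "Welcome1", "Qwerty12", "Iloveyou1",
    "Monkey12", "Letmein1", "Summer14", "Baseball1",
]


def dictionary_attack(service, user, wordlist=COMMON_PASSWORDS):
    """Try each candidate in order; stop on success or lockout.
    Returns (recovered password or None, guesses the server processed)."""
    for guess in wordlist:
        result = service.login(user, guess)
        if result == "ok":
            return guess, service.attempts
        if result == "locked":
            return None, service.attempts
    return None, service.attempts


def demo():
    weak = "Summer14"  # a weak choice that appears in the wordlist
    open_svc = AuthService(max_failures=None)
    open_svc.register("victim", weak)
    locked_svc = AuthService(max_failures=5)
    locked_svc.register("victim", weak)
    # Unlimited guesses: the 7th candidate is accepted.
    # Five-strike lockout: the attack dies after 5 guesses with nothing.
    return dictionary_attack(open_svc, "victim"), dictionary_attack(locked_svc, "victim")
```

Against the open endpoint the weak password falls on the seventh guess; against the lockout version the account is frozen after five wrong tries and the attacker never reaches it. The flip side, which the lockout does not solve, is that the same five wrong guesses also freeze the legitimate owner out until the lock is cleared, which is why real services pair lockouts with rate limiting and unlock flows rather than relying on a hard lock alone.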

While Apple hasn't said anything about how the celebrities' accounts were compromised, Securosis analyst and chief executive Rich Mogull told The Wall Street Journal that it's possible the hacking and the vulnerability exposed on GitHub were related. He also said it is much more likely that attackers broke into the celebrities' individual accounts than that they breached the iCloud system itself: "I would be shocked Apple itself was hacked."

Regardless of whether the iBrute script was used in the leak, researchers from security firm FireEye told Re/Code’s Arik Hesseldahl that the hacking appears to have been a straightforward attack that could have been prevented. Specifically, the hacking might have been prevented if the celebrities affected had enabled a security feature called two-factor authentication on their iCloud accounts.

Two-factor authentication, or "two-step verification," as Apple calls its version, demands a second proof of identity from anyone who presents the correct password, so knowing the password alone is not enough to get in. In the case of iCloud, turning on two-step verification requires the user to enter a numerical code sent to their phone or another registered device in addition to their regular password. Because each code is freshly generated, short-lived, and good for a single use, a stolen or guessed password on its own no longer opens the account, which makes an attacker's job significantly harder.

While Apple “doesn’t work very hard,” as Re/Code puts it, to inform users of the availability of security features like two-step verification, a page on its support website explains the process of enabling the feature for an Apple ID. To enable two-step verification, follow these steps:

  1. Go to My Apple ID.
  2. Select “Manage your Apple ID” and sign in.
  3. Select “Password and Security.”
  4. Under “Two-Step Verification,” select “Get Started” and follow the instructions.

When setting up two-step verification, users register one or more devices on which they can receive four-digit verification codes via SMS messages or the Find My iPhone service. (Apple requires users to provide at least one SMS-capable phone number.) After enabling the feature, users will be asked to verify their identity any time they sign in to manage their Apple ID, or make an iTunes, App Store, or iBooks Store purchase from a new device, by entering their password and a four-digit verification code. Without both the password and the code, those actions are refused. Note that the checks just listed cover account management and store purchases from new devices; as of this writing they did not extend to every way of retrieving iCloud data, so the feature narrows an attacker's options rather than closing all of them.
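As an added illustration, not Apple's implementation, the following Python mock walks through the two-step flow described above: a correct password alone only causes a code to be sent to a registered device, and the code is single-use, expires, and tolerates only a few wrong guesses. The time limit, try limit, device names, passwords and the fixed code used in the demo are assumed values. The guess limit matters because a four-digit code has only 10,000 possibilities; without it, an attacker who already has the password could sweep the second step exactly the way the first step was brute-forced.

```python
import hmac
import secrets
import time


class TwoStepAccount:
    """Mock of two-step verification: a correct password only earns a
    one-time numeric code delivered to a registered device. Constructed
    example; the limits below are assumptions, not Apple's values."""

    CODE_TTL = 600        # seconds a code stays valid (assumed)
    MAX_CODE_TRIES = 3    # wrong codes before the challenge is voided (assumed)

    def __init__(self, password, trusted_devices, code_fn=None):
        # A real service stores a salted hash; kept plain here to focus on step two.
        self._password = password
        self.trusted_devices = set(trusted_devices)
        # Four random digits by default; a fixed generator can be injected for tests.
        self._code_fn = code_fn or (lambda: f"{secrets.randbelow(10_000):04d}")
        self.outbox = []      # stands in for the SMS / Find My iPhone channel
        self._pending = None  # [code, expiry, tries_left] for the open challenge

    def begin_login(self, password, device):
        """Step one: verify the password, then send a code to a trusted device.
        The caller chooses the device, but the code still goes to its owner."""
        if not hmac.compare_digest(password, self._password):
            return "denied"
        if device not in self.trusted_devices:
            return "unknown device"
        code = self._code_fn()
        self._pending = [code, time.time() + self.CODE_TTL, self.MAX_CODE_TRIES]
        self.outbox.append((device, code))
        return "code sent"

    def finish_login(self, code, now=None):
        """Step two: the code must match, be unexpired, and is consumed on use.
        Wrong guesses are counted so the 10,000-value code space cannot be swept."""
        if self._pending is None:
            return "no challenge"
        stored, expiry, _ = self._pending
        now = time.time() if now is None else now
        if now > expiry:
            self._pending = None
            return "expired"
        if hmac.compare_digest(code, stored):
            self._pending = None  # single use: a replay finds no challenge
            return "ok"
        self._pending[2] -= 1
        if self._pending[2] == 0:
            self._pending = None
            return "too many tries"
        return "wrong code"


def demo():
    """An attacker holding the stolen password versus the legitimate owner."""
    acct = TwoStepAccount("correct horse", {"iphone-1"}, code_fn=lambda: "4821")
    # The attacker knows the password; a code is sent, but to the owner's phone.
    attacker_step1 = acct.begin_login("correct horse", "iphone-1")
    attacker_guesses = [acct.finish_login(g) for g in ("0000", "1234", "1111")]
    # The owner reads the code off the registered device and completes the login.
    acct.begin_login("correct horse", "iphone-1")
    _device, code = acct.outbox[-1]
    owner = acct.finish_login(code)
    replay = acct.finish_login(code)  # the consumed code no longer works
    return attacker_step1, attacker_guesses, owner, replay
```

The attacker gets as far as "code sent" and no further: three wrong guesses void the challenge, the owner who actually holds the device completes the login, and replaying the used code fails. The design point is that the second step needs the same guess-limiting discipline as the first, or it simply moves the brute-force problem one screen later.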

It's worth noting that while taking advantage of available security features to protect your files and accounts is always a good idea, the hack is also a cautionary tale about weak passwords. If the hack was carried out using the iBrute Python script, each of the celebrities whose accounts were exposed was using one of the 500 common, easy-to-guess passwords that the tool tries. (So if your password is "password" or "123456," here's yet another case for choosing something that will be harder for a computer to figure out.) Even if someone does guess your password, two-step verification keeps your account and files safer, because an attacker who has only the password still lacks the one-time code that is sent to your registered device.

The upshot is that it's important to protect your data with a strong password that a script can't guess from a wordlist, and that if you're using a cloud service to store valuable files, it's in your best interest to turn on two-step verification to keep your account as secure as possible. It's also smart to set passcodes and passwords on your phone and your computer, and of course to keep all of your software updated. Each of those measures makes your accounts harder to break into, and gives you a little more confidence that whatever you upload to iCloud will stay away from prying eyes.
