What Jennifer Lawrence Can Teach You About Cloud Security Breaches

Much ink has been spilled over the recent leak of about one hundred celebrities’ rather exposing photos, with discussion ranging from the horrible morality behind the hack to why you shouldn’t support the hackers by viewing the photos. Sean Gallagher at Ars Technica takes a different approach, focusing on the vulnerability of cloud storage to breach by digital barbarians. Specifically, Gallagher takes aim at the interface between iCloud, Apple’s cloud storage system, and iPhones and their apps.

First, Gallagher notes that this attack is different from most other data breaches, where attackers use “social engineering” or “low-tech research” to gain control of victims’ accounts. Instead, the hackers used a zero-day vulnerability to exploit the Apple iCloud/iPhone interface and in Gallagher’s words, “bash in the front door” of Apple’s cloud data storage system without Apple finding out until the pictures were already all over the interwebz. Because of this approach, Gallagher writes that Apple’s two-factor authentication process would be of no help, and that the only way to defend against this attack “was never to put photos in Apple’s cloud in the first place.”

Part of the problem, though, is that Apple devices automatically upload so much user data to the cloud by default. Because users don’t really know what has been uploaded, and because of the highly sophisticated attack methods that predators use to hunt down and catch your data, it is extremely difficult to protect your mobile data from being stolen and used against you, especially when it’s already in the cloud and protected only by a password.

Next, Gallagher lays out how, according to initial reports, the attackers carried out the hack. The key vulnerability lay in Apple’s Find My iPhone app. An exploit called iBrute was released on August 30, a day before the hack, and consisted of a brute-force password cracking program that tested combinations of email addresses and passwords from two separate “dictionary” files. While the program required some knowledge or good guesses of the email addresses, Find My iPhone did not lock out access after several failed attempts… allowing the program to hammer away until the account was cracked, at which point the hackers could access iCloud storage and download anything they desired. Apple patched the vulnerability on September 1, but by then it was too late.
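As an added illustration (not code from Gallagher’s article or from Apple), here is the control the reports say Find My iPhone lacked: a per-account failed-attempt counter with a sliding window and a temporary lockout, so a dictionary run stalls after a handful of guesses instead of hammering away until it succeeds. The class and function names, thresholds and the in-memory credential store are assumptions for the example.

```python
from collections import deque
import time

MAX_FAILURES = 5          # failed attempts tolerated per account inside the window
WINDOW_SECONDS = 900      # 15-minute sliding window for counting failures
LOCKOUT_SECONDS = 1800    # how long the account stays locked once the limit is hit


class LoginGate:
    """Per-account throttle in front of a password check (assumed design)."""

    def __init__(self, credentials, clock=time.monotonic):
        self._creds = credentials      # constructed sample store: email -> password
        self._clock = clock            # injectable so tests can advance time
        self._failures = {}            # email -> deque of failure timestamps
        self._locked_until = {}        # email -> time at which the lock expires

    def attempt(self, email, password):
        now = self._clock()
        if self._locked_until.get(email, 0) > now:
            return "locked"            # refuse before touching the password at all
        window = self._failures.setdefault(email, deque())
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()           # forget failures older than the window
        if self._creds.get(email) == password:
            window.clear()
            return "ok"
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self._locked_until[email] = now + LOCKOUT_SECONDS
            window.clear()
            return "locked"
        return "denied"


def run_attempts(gate, email, guesses):
    """Defender's view of a guessing run: the outcome of each attempt, in order."""
    return [gate.attempt(email, g) for g in guesses]


if __name__ == "__main__":
    gate = LoginGate({"celeb@example.com": "correct horse"})   # constructed sample
    print(run_attempts(gate, "celeb@example.com",
                       ["123456", "password", "qwerty", "letmein", "abc123", "correct horse"]))
```

Note that a lockout keyed only on the account is itself a denial-of-service lever against the victim, so in practice it is paired with per-source throttling and alerting rather than used alone.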

To be fair, Gallagher notes that Apple claims that the hack of so many accounts did come from traditional, lower-tech hacking methods, such as phishing and guessing of login credentials through public information. If this is true, Apple’s service couldn’t be blamed. In my opinion, that sounds very convenient for Apple. It also sounds like a horrendously large, time-consuming project for a couple of 4Chan B-tards to phish all those celeb personal accounts and/or guess all their login creds from public info. While possible, it sounds unlikely to me. The much simpler explanation is that the B-tards got hold of iBrute… and were able to use it in a day or two to breach Apple’s exploitable iCloud, which would be all the time they would need if Apple’s system was really as vulnerable as Gallagher claims. Occam’s Razor says that the simplest explanation that still fits all the facts is usually the correct one. Sorry Apple, you just got razor burn.

Anyways, Gallagher gives further evidence of iCloud’s unsecured nature by highlighting past successful attacks on other celebs, such as in 2011 with Christina Aguilera and Scarlett Johansson, as well as Wired’s Mat Honan, who saw his Apple account and device hacked as part of having his digital life stolen.

It might be tempting, after reading the above, to simply shout “don’t store your naked photos on the cloud/your computer!” Remember, however, that Apple, and certainly many other companies, automatically set devices to upload all device data without the user even knowing. Apple uploads your photos specifically whenever you configure your account. Even if you are able to shut that off, if you are sending your photos to other people, you have no way of stopping their phones from automatically “syncing” with iCloud.

To wrap up, here are some bottom lines from Gallagher about this whole situation.

Bottom line from Gallagher on the cloud:

If it’s in the cloud—a public, free cloud service, especially—then chances are good that eventually it will find its way to the Internet. Cloud services are leaky by their nature; things that are supposed to be private get stored alongside things that are shared, and anything from user error to a previously undiscovered vulnerability can make even strong passwords pointless, while exposing all of those things to the world.

Gallagher on what you can do after you get hacked (AKA not much):

And what happens when a cloud store gets breached? If the one doing the breaching is never caught, the answer is “not much”—because the cloud providers are generally covered from the victims’ wrath by terms of service.

Polite Gallagher on what Celebs and the rest of us can do to protect ourselves:

It’s not that it’s celebrities’ fault for being hacked; it’s just that they should arm themselves with the knowledge that the cloud is fundamentally insecure in the future. And mobile device manufacturers and cloud providers need to make security much more transparent to users and give them more control about what stays in the cloud.

Not as polite but more honest and specific Gallagher on what Celebs and the rest of us should do while quoting someone else to avoid internet rage:

Don’t take pictures of your junk; it will end up on the Internet somehow at some point.

Words of wisdom to my ears.

For Gallagher’s article at Ars Technica, click here.

Doug Atkinson