iCloud Security

The iCloud Hack Reveals Dark Problems in the Cloud


Not long ago, a very prominent hack was covered all over the news. Some highly compromising photos of celebrities were leaked across the internet after a group of hackers managed to crack their iCloud accounts. The iCloud service, owned and operated by Apple, Inc., is a cloud storage platform that people use to store photos taken on their personal devices. The fact that celebrities got hit left the internet in a panic.

While people were busy politicizing the entire fiasco, turning it into a boxing ring, we’ve been thinking that it’s about time to talk about something that often gets overlooked by the world at large. There are very dark issues lurking deep within cloud services, and a large proportion of the population (including, as we’ve clearly seen, celebrities) isn’t equipped to deal with them. Every time a large-scale compromise happens (like millions of people’s credit card details being revealed), very few, if any, of the affected people really pay attention to the big picture. Now, a number of celebrities have been affected in a very compromising manner and everyone’s all ears. Instead of taking advantage of the incident to spread a political view, we will use it to demonstrate how the cloud can become a toxic environment if you don’t use it correctly.

What Happened?

To get even the slightest idea of how you should protect yourself from incidents like the iCloud bonanza, you have to understand what happened on a technical level. Very little has been published at that level, but one Forbes article has explained quite eloquently what let the hackers in.

Put simply, the celebrities in question were the victims of a brute force attack. This is an attack that submits one candidate password after another to Apple’s login system until one of them matches the real password. In other words, an automated program keeps guessing until it guesses correctly. How the hackers got their hands on the account usernames is another story for another place and another time. Right now, it’s important that we focus on the authentication aspect, which is where the flaw in Apple’s iCloud service lies.

The Moment iCloud Failed

You see, iCloud did not have a limit on how many times someone could fail to log in before the account was locked. This allowed an attacker to guess passwords ad infinitum without any worries. Eventually, someone with a weak password would easily fall victim to such an attack. With a little bit of hardware magic (CUDA-capable GPUs, several of them linked together with SLI), someone could even compromise longer and presumably stronger passwords.

Having no limit on login attempts, the cloud storage service simply opened itself up to dictionary and brute force attacks without any reservation. The script used for the brute force was unbelievably simple (it appears in the Forbes article we linked to earlier). While it may look like gibberish to some, it is a piece of cake for most programmers. It just shows that you don’t always need much brainpower to hack a web service; you only need a reasonably easy security hole to exploit and you’re set for making a name for yourself. The script in question appears to be written in Python, a programming language any middle-schooler can learn proficiently within a few weeks. People who make simple scripts like these are sometimes even referred to as “script kiddies” in hacking circles.

Yes, this is how easy it was to hack iCloud, one of the most prominent cloud storage services in the market.

Why Locking Doesn’t Really Help

Most services (such as Facebook and Gmail) will lock your account after a number of login attempts. You will be notified of this and no longer be able to access your account until you take some steps to reconfirm your identity. It isn’t an ideal solution, but it’s a step in the right direction. As simple and elegant as this solution is, however, it’s still not enough to thwart more advanced hackers.

You’ve read above that a simple Python script was used to hack celebrity accounts on iCloud. That is not necessarily possible against a service with account locking, but there are hackers out there who are ambitious enough to go the extra mile with their coding prowess. Some services with account locking only count login attempts from each IP individually. To explain what we’re talking about, let’s construct a scenario:

John wants to hack an account of yours on a service. Let’s call that service “Gobbler” (we’re not feeling extremely inspired today). Gobbler has account locking, but it has certain rules so that the real user, wherever he/she may be, does not get locked out by mistake. These rules are:

  1. Only three failed login attempts are allowed.
  2. The allowance is on a per-IP basis, and resets after 10 minutes.

That sounds reasonable, right? Being the mischievous schemer that John is, he decides to go to three different libraries and try a different set of passwords from each. This way, he can use one computer from each library twice over a ten-minute period, distributing his rotation to roughly one library every 3 and a half minutes. Of course, no real hacker would spend that much fuel and effort to hack one account.

Since John is a very skilled coder, he writes a virus that commands the infected computer to connect to an IRC chat room via a hidden script, and spreads this virus to thousands of computers. Now, he has thousands of IPs at his disposal. John types something similar to “!get Gobbler.url --login-name=username” into the chat room. The virus obeys this command and coordinates a brute force attack distributed across thousands of IPs, rotating them so that no single IP exceeds the allowed number of login attempts in any 10-minute span. As the virus spreads further, more IPs join the pool.

What we’ve described here is known as a botnet. Such a creature is not afraid to brute force most services. In these cases, lockout procedures for failed login attempts do very little to help the user. You need something stronger.
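To make the difference between the iCloud situation, the per-IP lockout of the Gobbler scenario and a per-account lockout concrete, here is an added example that is not the article’s code and not any real service’s implementation. It models the Gobbler rules above (three failures allowed, counted per source IP, window of ten minutes), feeds it a stream of single guesses from many distinct addresses, as a botnet would produce, and counts how many of those guesses actually reach the password check. The LoginGuard class, the simulate function and the 10.0.x.x addresses are all constructed for the illustration.

```python
import time
from collections import defaultdict

# Lockout policy from the Gobbler scenario: 3 failures allowed, window of 10 minutes.
MAX_FAILURES = 3
WINDOW_SECONDS = 600


class LoginGuard:
    """Hypothetical defender-side lockout tracker.

    per_account=False reproduces Gobbler: only failures per IP are counted.
    per_account=True also counts failures against the target account, whatever IP they come from.
    """

    def __init__(self, per_account=True, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.per_account = per_account
        self.max_failures = max_failures
        self.window = window
        self._ip_failures = defaultdict(list)       # ip -> [failure timestamps]
        self._account_failures = defaultdict(list)  # username -> [failure timestamps]

    def _prune(self, events, now):
        # Keep only failures that are still inside the sliding window.
        return [t for t in events if now - t < self.window]

    def is_locked(self, ip, username, now=None):
        """True if this attempt must be refused before the password is even checked."""
        now = time.time() if now is None else now
        self._ip_failures[ip] = self._prune(self._ip_failures[ip], now)
        if len(self._ip_failures[ip]) >= self.max_failures:
            return True
        if self.per_account:
            self._account_failures[username] = self._prune(self._account_failures[username], now)
            if len(self._account_failures[username]) >= self.max_failures:
                return True
        return False

    def record_failure(self, ip, username, now=None):
        now = time.time() if now is None else now
        self._ip_failures[ip].append(now)
        self._account_failures[username].append(now)


def simulate_distributed_guessing(guard, username, n_ips, now=0.0):
    """Each of n_ips sends exactly one wrong guess for `username` at time `now`.

    Returns how many of those guesses got past the lockout and reached the password
    check, i.e. how much of the attacker's guess stream the policy let through.
    """
    reached_check = 0
    for i in range(n_ips):
        ip = f"10.0.{i // 256}.{i % 256}"  # constructed attacker addresses
        if guard.is_locked(ip, username, now):
            continue
        reached_check += 1
        guard.record_failure(ip, username, now)  # every guess in this simulation is wrong
    return reached_check


if __name__ == "__main__":
    # Gobbler's per-IP rule lets every one of 1000 single-shot guesses through;
    # counting per account stops the stream after the third.
    print("per-IP only :", simulate_distributed_guessing(LoginGuard(per_account=False), "victim", 1000))
    print("per-account :", simulate_distributed_guessing(LoginGuard(per_account=True), "victim", 1000))
```

Counting failures per account closes the hole the scenario exploits, but it also means anyone who knows a username can lock its legitimate owner out on purpose, which is exactly the backlash Gobbler’s per-IP rule was trying to avoid. That tension is why real services tend to combine per-account counting with progressive delays, CAPTCHAs, or a notification to the owner rather than a hard lock, and why the article’s next point, a second factor, matters.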

What’s Stronger Than A Strong Password?

iCloud had an ace in its deck that hardly anyone used: it gave you the ability to turn on two-factor authentication. Even with a strong password, you don’t completely eliminate the possibility of a hacker eventually slipping into your account. Since hardware gets stronger every day, brute force attacks and social engineering will continue to see use in scenarios like these. With multi-factor authentication, most of these attacks are no longer a concern.

Once two-factor authentication is enabled in iCloud, the service sends you an SMS code when you attempt to log in, and typing in that code verifies your identity. The only way someone could get into your account would be to somehow spoof your phone number (good luck with that) or steal your phone. Many top-tier services, like our own PerfectCloud and Google, offer this in different ways. Enabling such a feature gives you a strong edge against hackers.
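As an added illustration of what the second factor contributes (example code written for this page, not Apple’s or PerfectCloud’s implementation), the SecondFactor class below issues a six-digit one-time code of the kind an SMS would carry and verifies it with the three properties a practitioner would check for: the code expires, it can be used only once, and it tolerates only a handful of wrong guesses before it has to be reissued, so the guessing approach from the first half of the article cannot simply move from the password to the code. The class name, the five-minute lifetime and the five-attempt cap are assumptions made for the illustration.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # assumed lifetime of a code
MAX_CODE_ATTEMPTS = 5       # assumed cap on wrong guesses per issued code


class SecondFactor:
    """Hypothetical issue/verify logic for SMS-style one-time login codes."""

    def __init__(self, ttl=CODE_TTL_SECONDS, max_attempts=MAX_CODE_ATTEMPTS):
        self.ttl = ttl
        self.max_attempts = max_attempts
        self._pending = {}  # username -> [code, issued_at, wrong_attempts]

    def issue_code(self, username, now=None):
        """Generate a fresh code for the user; the caller delivers it out of band (e.g. SMS)."""
        now = time.time() if now is None else now
        # secrets, not random: the code must be unpredictable to anyone watching earlier codes.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = [code, now, 0]  # reissuing replaces any older code
        return code

    def verify(self, username, submitted, now=None):
        """True only for the current, unexpired, not-yet-used code with attempts to spare."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False  # nothing issued, or already consumed
        code, issued_at, attempts = entry
        if now - issued_at > self.ttl or attempts >= self.max_attempts:
            del self._pending[username]  # expired or guessed at too often: user must request a new code
            return False
        entry[2] += 1
        # Constant-time comparison so timing does not leak how many digits matched.
        ok = hmac.compare_digest(code.encode(), str(submitted).encode())
        if ok:
            del self._pending[username]  # single use: a replayed code is rejected
        return ok


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue_code("alice")
    print("first use :", sf.verify("alice", code))    # True
    print("replayed  :", sf.verify("alice", code))    # False, code already consumed
```

The attempt cap is the part most often forgotten: a six-digit code has only a million possibilities, so a verifier that accepts unlimited guesses would hand an attacker who already holds the password the same unlimited-guess situation the article describes for iCloud, only with a much smaller search space.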

Oh, and speaking of PerfectCloud, using our software is also perhaps the best way to thwart hackers. Not only do you get to use a different (and extremely strong) password for each service you use without having to memorize each one, but you also get to keep your encryption key. A little memorized phrase will save you a lifetime of trouble.

Hopefully, after hearing about the iCloud compromise, people will start to realize that this could affect them at some point. Just because you’re a regular Joe or Jane doesn’t mean that nobody is going to try to get into your account. You may end up part of a large-scale compromise that costs you dearly. Nothing matters more than protecting your identity and ensuring that people cannot get past it. If you’re willing to treat your presence on the internet the way you would treat a password (you don’t hand it around like candy to everyone who asks for it, right?), then you’ll fare much better and we’ll all be happy for it.

Want to try PerfectCloud today? Sign up for a free trial account!


PerfectCloud
Cloud Security: Identity and Access Management

PerfectCloud provides #encryption and #cloudIAM for Absolute Cloud #data #security and #Privacy.