September 4th 2014
Is Apple's iCloud secure?
Controversy is rife about the security of iCloud, Apple's cloud storage service used by many to store photos and personal data. This follows the publication online of naked photos of over 100 female celebrities by a gang of hackers, embarrassing and infuriating the victims and sparking an investigation by both the IT giant and the FBI. The gang's principal spokesman – known as 'OriginalGuy' – has boasted that the hacking of the celebrities' accounts is the result of "several months of long and hard work".
The ensuing argument in the cybersecurity industry and law enforcement centres around the question of where the fault lies. Is this a straightforward case of the victims' login details being determined and hacked, something which we strongly warn you about on Get Safe Online? Or is Apple's security flawed? The latter possibility would come at a very awkward time for the company in advance of next week's planned launch of new devices expected to incorporate mobile payment functionality.
Apple statement
In a statement, Apple has said: "We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232"
Two Australian journalists writing for The Guardian found that with the correct information, found with varying degrees of ease from scouring social networking sites, asking seemingly innocent questions and other sources, it is not overly difficult to determine other people's login details – celeb or not.
An alternative view: an insecure system
It has now been suggested, however, that the two-step verification recommended in Apple's statement, can be bypassed using readily-available software that allows access to iCloud back-ups. Apple's two-step verification requires the user to type in a short code sent by Apple to their phone or tablet in order to access their account, and is designed to offer an extra level of protection in much the same way as internet banking. The program still needs the hacker to know the user's email address and password, and it is also not certain whether it was used in the recent breaches.
The software possibly used by the hackers is marketed by Russian firm ElcomSoft to law enforcement agencies and claims to offer access to iCloud accounts without having possession of the device(s) associated with it. Programmer Vladimir Katalov told the BBC that the software can be used for both "good and bad", and was quite certain that it had been used in the recent hacks. He added that while his company "didn't like it much" when the software was used for illegal purposes, he admitted that the system had been sold to individuals, as well as law enforcement agencies.
The BBC also spoke to security expert Mikko Hypponen, who believes that the issue lies in the two-step verification system's design which he says is "implemented only to protect your credit card". He said that said that by focusing on protecting payments and IDs, Apple might have misjudged what customers care about.
Kaspersky's David Emm said: "There is a danger in suggesting that two-step verification is an umbrella that will protect, because obviously that is not the case. He also said "I think (the vulnerability) has probably been raised several times," adding that the fact that Apple had not beefed up its two-step verification system was "a surprise".
Another security expert, the University of Surrey's Prof Alan Woodward, believes that the vulnerabilities in Apple's two-step verification system constitute a fundamental security flaw, which he likened to "double locking your front door and leaving the window open". He told the BBC that Apple's advice gives a false sense of security.
NEW: Additional threat from scam emails
It also seems that the incident has prompted a wave of phishing emails claiming to be sent by Apple, but actually designed to steal your login details. Internet security firm Symantec has said: “Whether or not iCloud was the point of compromise in this incident, scammers have been interested in stealing these credentials for some time. These emails contain links to phishing websites that will capture your Apple ID credentials and send them back to the attackers.” The warning also says that some users may receive a text (SMSishing) message claiming to be from Apple, claiming that an unauthorised attempt to log into their iCloud account has been detected and they need to text back their Apple ID and password or be locked out of their account.
If you receive such an email or text, follow this advice:
– Do not click on any links or open email attachments
– Do not reply or contact the senders in any way
– If you have clicked on a link, do not supply any information on the website that may open
– Report it to Action Fraud on 0300 123 2040 or at www.actionfraud.police.uk