Cyber-security expert Gerome Billois explains how a “targeted attack” on some iCloud accounts — the Apple online service that stores all types of content — led to the release of nude celebrity photos.
How were these accounts hacked?
“Last weekend someone posted a message on the site GitHub revealing a security flaw in the iCloud ‘Find My iPhone’ function that allows people to locate a missing smartphone. On the part of the service intended for developers, but accessible to anyone online, Apple had not locked the interface where you have to enter the password for the iCloud account.
The number of attempts was not limited, whereas the portal used by the general public normally locks after five failed attempts.
At the same time, the hacker posted software which automatically tests possible passwords, a ‘brute force’ tool, which he or she had renamed iBrute.
And the post explained how to use it very simply. Anyone could then hack the iCloud accounts of celebrities and access their content, including photos from their phones.”
How can such attacks be prevented?
“One can now store all sorts of information in the cloud. iCloud is the service from Apple where one can have access to all one’s information from any appliance. For example, if you change telephones you can find and reload all your data — emails, photos et cetera.
From a functional point of view it’s great. But the key to all these services is the password, which is often weak and the same one used for various services. It’s because of this that we will ask you to use long passwords or passwords with numbers.
It is even better to use passwords with two elements. For example, you may also be asked for a code sent by text message to your phone, as certain banks do.
As for secret questions (which can replace a password), on the one hand you have to trust the people who might know the answers, and on the other, if you’re a celebrity, it will be easy for someone to find out your place and date of birth or the answers to other common ‘secret’ questions.”
How frequent are such security lapses?
“The ethics code followed by computer security experts means that they reveal flaws only after they have been corrected. However, whoever discovered this one did not inform Apple and what’s more he or she provided an attack tool. They even put out the list of the most common 500 passwords.
Apple corrected the problem but it needed time to react, which is normal because you need at least 24 hours to check if vulnerabilities exist.”