Apple plans to roll out new iCloud security alerts as well as extending its two-step authentication technology in the wake of this week's privacy flap over nude selfies of Jennifer Lawrence, Kate Upton and other celebs.
Private pictures of disrobed (female) celebrities including Oscar winner Lawrence and swimwear model Upton surfaced on 4Chan and anonymous image board AnonIB over the weekend. It seems that in many cases miscreants siphoned off nude snaps stored on victims' iCloud accounts, among other locations.
Metadata in the pictures suggested that many of the leaked photos were taken with iPhones and Apple's backup feature has therefore been implicated in the leak, which came from a collection of images put together by several people who may have traded them between themselves.
Apple acknowledged that a "targeted attack" on "user names, passwords and security questions" had taken place earlier this week, advising users to "always use a strong password and enable two-step verification" as a defence.
However, as previously reported, turning on Apple's two factor-authentication technology wouldn't have blocked the attack apparently behind this week's celebrity nude selfie leak. Apple's 2FA is necessary (when enabled) to make iTunes purchases or to get support from Apple.
But iCloud backups can be installed on new devices with only an Apple ID and password – two step verification codes are not required, as things stand. Police using ElcomSoft's mobile forensics tools are able recover data from iCloud using only iTunes authentication token obtained from seized devices.
One popular theory is that the celeb iPhone hackers might have illicitly used unlicensed copies of Elcomsoft's Phone Password Breaker tool to rip private data from iCloud accounts based on the email addresses and passwords of targets.
"Signing into iCloud in order to access say, your backed up photos, does not require two-factor authentication," mobile security firm Lookout explains in a blog post. "In this case, enabling two-factor authentication would not have helped anyone involved in this latest leak."
Apple bashing, a favoured sport amongst infosec geeks
Hackers may have obtained celebrity passwords through guessing security questions, phishing or malware-based attacks. Security experts faulted Apple for failing to rate limit password reset guessing attempts, a defence against brute force hacking tactics apparently in play, among other factors. This is a particular problem for celebs because their answers to password reset questions (eg pet's name, where did you graduate) are the stuff of trivia.
Crucially, there's good reason to think security shortcomings so graphically exposed by the celebrity nudie leak have previously been abused before. For example, last year Norway had a iPhone indecent pic theft incident, in which a suspect hacked into the iCloud accounts of teenage girls.
The issue goes beyond just pictures, as serious and as upsetting as that may be to victims. If pictures are exposed, so is contact information, SMS messages and other data backed up to iCloud.
Security watchers have occupied themselves all week pointing out Apple's security shortcomings. Noted security expert Dan Kaminsky even made a guest appearance on the Daily Show, in a segment entitled Star Hack: the Nude Generation. The whole issue has gone mainstream like nothing in information security since the early antics of Anonymous and LulzSec several years ago.
This level of ridicule is serious for Apple, which has ambitions to push into the enterprise. The timing just days before the expected iPhone 6 launch next week (9 September) hardly helps either.
The consumer electronics giant has wheeled out its biggest guns to defend its security record and deny that a lax attitude towards security had allowed miscreants to plaster the darker corners of the web with stolen celebrity nude shots. Apple chief exec Tim Cook told The Wall Street Journal that even though it wasn't to blame, it would take additional steps to keep hackers out of user accounts. This, as it turns out, largely centres around more password change notifications.
To make such leaks less likely, Mr. Cook said Apple will alert users via email and push notifications when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time.
Until now, users got an email when someone tried to change a password or log in for the first time from an unknown Apple device; there were no notifications for restoring iCloud data.
Cook added that Apple will extend its "two-factor authentication" as part of the next version of its iOS mobile-operating system without going into details. Gizmodo, however, reports that 2FA will be extended to cover access to iCloud accounts from a mobile device.
"As part of iOS 8, the next version of its mobile operating system due out later this month, two-factor authentication will also cover access to iCloud accounts from a mobile device," it reports. "Apple said a majority of users don't use two-factor authentication, so it plans to more aggressively encourage people to turn it on in the new version of iOS."
This two-factor authentication, once activated, means that codes could be sent to either a pre-registered email address or back-up mobile phone. Rik Ferguson, security research VP at Trend Micro, told El Reg that the technology also also allows for calls to registered landlines. Access to email addresses used to send the access codes could themselves be protected by third-party two-factor authentication technology unconnected to Apple, he added.
Extending the application of 2FA technology in this way would get around the stumbling blocks of sending codes to the lost or stolen iPhone or iPad device itself – as outlined by ElcomSoft chief exec Vladimir Katalov in our earlier story.
Ferguson explained: "Apple could easily extend 2FA to cover the restoration of iCloud backups by sending the 2nd fator to a registered email address. The process would go something like: Do you want to restore? Yes. Please select the email address to receive your authorisation code select Please enter code. Thanks your restore is in progress.
"As a process, it’s really no different to the current 2FA via SMS, it’s just an alternative channel and one that is ideal if you are restoring in the case of a lost device. It has the additional benefit of course that hopefully your email address is also protected by its own 2FA, so represents a theoretically more secure channel than plain SMS," he added. ®
A good summary of the infosec angle to this week's celebrity picture leaks can be found in a blog post by DNS megaflaw discoverer turned Daily Show guest star Kaminsky here. An analysis on the Hacked Celebrity iCloud Accounts metdata by Jonathan Zdziarski can be found here.
And a good take on the sub-culture that spawned the leak, and the circumstances around it, by Nik Cubrilovic, can be found here.