In the wake of an iCloud hack that exposed highly personal photos of celebrities, enabling two-factor authentication was touted by many within the security community, and by Apple itself, as a way to prevent similar incidents in the future. There's just one problem: Apple's incomplete two-factor authentication coverage for iCloud services may still have left users who enabled the security mechanism vulnerable, and experts warn that strong passwords may be the only protection for iCloud accounts at the moment.
Details surrounding the iCloud incident, first revealed Sunday when photos of Jennifer Lawrence, Kate Upton and other celebrities appeared online, remain unclear. The breach was originally linked to a brute-forcing tool called iBrute, which was posted on GitHub just days before the incident.
But an official statement from Apple indicated that attackers had obtained victims' iCloud credentials through targeted guessing rather than a break-in at Apple; the company nonetheless placed a five-attempt limit on iCloud logins within 24 hours of the incident being revealed.
"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet," said Apple in a statement. "None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone."
Investigations by both Apple and the FBI into the matter are expected to continue.
What is clear about the breach, according to Jonathan Klein, president of mobile identity vendor MicroStrategy, is that it would never have happened if two-factor authentication had been implemented and enabled correctly.
"Someone couldn't have hacked into Jennifer Lawrence's iCloud," said Klein, "if multifactor authentication was enabled on her phone."
Apple did in fact add two-factor authentication for its iCloud services last year; users who enable the feature receive a time-sensitive verification code on a trusted iOS device whenever a login attempt is registered. According to the company, however, the mechanism only applies in three specific scenarios: signing in to My Apple ID to manage an Apple account; making iTunes, App Store, or iBookstore purchases from a new device; and receiving Apple ID-related support from Apple.
Other situations, including restoring a new device from an iCloud backup or accessing a user's Photo Stream, do not trigger a verification code. Rich Mogull, CEO of Phoenix-based infosec consultancy Securosis LLC, explained that Apple's two-factor authentication rollout is still in its early stages, and that the company is typically conservative about features that may degrade the user experience, a category into which multifactor authentication definitely falls.
Vladimir Katalov, CEO of Moscow-based ElcomSoft Co. Ltd., agreed that usability is likely the primary reason for Apple's limited two-factor authentication coverage for iCloud. Katalov, who previously detailed the iCloud 2FA limitation, said that a user who loses or breaks a device would need a separately stored recovery code to regain access to the iCloud backup, something that may not always be at hand.
Apple is not alone in struggling to apply login-attempt limits to API-based services, said Mogull, though he noted that the company definitely made a mistake if it had no limits at all. Together, the two weaknesses, incomplete two-factor coverage and missing rate limiting, may have left iCloud accounts exposed to age-old brute-force attacks, and for enterprises that increasingly allow employees to work on their own mobile devices, an iCloud breach could have far larger implications than leaked photos.
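The two brute-force defences discussed above, a per-attempt limit and what it is keyed on, are easier to reason about in code. The following is an added example, not code from the article, Apple or the iBrute tool: a sliding-window failed-login limiter replayed against a constructed guessing burst in which every guess arrives from a different source IP. The wordlist, the victim account name, the addresses and the 24-hour window are all assumptions for illustration; only the five-attempt figure comes from the article. It shows why a limit keyed on the source IP alone is evaded by address rotation, while a limit keyed on the account stops the attack after five guesses.

```python
from collections import deque

# Constructed wordlist standing in for an iBrute-style dictionary (the real
# tool's list is not reproduced here). The "victim" password sits at index 8.
WORDLIST = ["123456", "password", "12345678", "qwerty", "abc123",
            "Password1", "iloveyou", "Welcome1", "Summer2014", "Sunshine1",
            "letmein", "Monkey12", "Baseball1", "Football1", "Princess1"]


class AttemptLimiter:
    """Sliding-window failed-login limiter.

    The caller chooses the key: the account name, the source IP, or both.
    max_failures=5 matches the limit the article says Apple imposed; the
    24-hour window is an assumption made for this example.
    """

    def __init__(self, max_failures=5, window_seconds=24 * 3600):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = {}  # key -> deque of failure timestamps, oldest first

    def _recent(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return q

    def is_locked(self, key, now):
        return len(self._recent(key, now)) >= self.max_failures

    def record_failure(self, key, now):
        self._recent(key, now).append(now)


def by_ip(account, ip):
    return ip


def by_account(account, ip):
    return account


def run_attack(limiter, key_of, secret="Summer2014", account="victim@example.com"):
    """Replay a guessing burst: one guess per second, each from a fresh source IP.

    key_of(account, ip) selects what the limiter counts against. Returns
    (number of password comparisons actually performed, whether the secret
    was accepted) so the two keying strategies can be compared directly.
    """
    evaluated = 0
    for i, guess in enumerate(WORDLIST):
        ip = f"203.0.113.{i + 1}"  # TEST-NET-3 documentation range, constructed
        now = 1_400_000_000 + i
        key = key_of(account, ip)
        if limiter.is_locked(key, now):
            continue  # refused before any password comparison runs
        evaluated += 1
        if guess == secret:
            return evaluated, True
        limiter.record_failure(key, now)
    return evaluated, False


if __name__ == "__main__":
    print("no limit:      ", run_attack(AttemptLimiter(max_failures=10**9), by_account))
    print("per-IP limit:  ", run_attack(AttemptLimiter(), by_ip))
    print("per-account:   ", run_attack(AttemptLimiter(), by_account))
```

With no limit the ninth guess succeeds; with a per-IP limit it still succeeds, because each address has only one failure on record; with a per-account limit only five comparisons are ever performed and the correct guess is never evaluated. A real deployment would key on both, since a pure per-account lock lets an attacker deny service to a victim by deliberately exhausting the budget.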
"When enterprise users have BYOD devices, the backup stores nearly everything if someone has iCloud backup turned on," said Mogull. Such information could include text messages and iMessages, contacts, calendar details and potentially even the login credentials synced across multiple Apple devices by the iCloud Keychain.
Strong passwords key to iCloud security
If two-factor authentication can't currently be relied upon to protect iCloud accounts, what can?
Both Katalov and Mogull indicated that enterprises may use mobile device management (MDM) products to limit iCloud activity on employee-owned devices. Katalov noted that MDM could be used to switch the default iCloud backup to local storage, though Mogull warned that employees may resent certain security controls on a device they own.
Beyond implementing MDM, experts generally agreed that the iCloud hack shows the importance of educating users on selecting strong passwords and using different passwords across different sites. Keith Palmgren, an instructor with the SANS Institute and president of San Antonio, Texas-based consultancy NetIP Inc., said that unfortunately, passwords like '123456' are still all too common, even for important logins such as online banking accounts.
"Frankly, the advice we've been giving users [on password security] for 40 plus years has been very poor," said Palmgren.
Apple's own policy, for example, requires Apple ID passwords to be at least 8 characters long, contain no more than 3 consecutive identical characters, and include a number, an uppercase letter and a lowercase letter (Apple reportedly caps length at 32 characters). Yet research presented at the Password^12 conference in Norway in 2012 showed that an 8-character password can be cracked in under six hours.
Katalov said that while choosing strong passwords and not sharing them is a good measure, both enterprises and everyday users must be aware of the security risks posed by utilizing cloud services -- whether from iCloud, Dropbox or another provider -- and decide whether that risk is worth the convenience provided by the cloud.
"Apple's security level is one of the best, though as always, there is still room for improvement," said Katalov. "It is all about the human factor; it is not possible to protect your privacy and security using technical measures only."
now that Apple is saying they're not liable for protecting you against well known attacks...here, have a new phone that wants to be a wallet
— davi (德海) (@daviottenheimer) September 3, 2014
In 2009 we launched a few attacks against iCloud too. a) We were more respectful; b) Our Celebs response rocked! pic.twitter.com/0LIIIOPF7d
— haroon meer (@haroonmeer) September 3, 2014
By the way. The attackers who stole the celebrities iCloud passwords might have also been following their movements via 'Find My iPhone'.
— Mikko Hypponen (@mikko) September 3, 2014