Simple passwords key to celebrity iCloud hacking

Cyber-security expert Gerome Billois explains how a "targeted attack" on some iCloud accounts—the Apple online service that stores all types of content—led to the release of nude celebrity photos.

How were these accounts hacked?

"Last weekend someone posted a message on the site GitHub revealing a flaw in the iCloud 'Find My iPhone' function, which allows people to locate a missing smartphone. On the part of the service intended for developers, but accessible to anyone online, Apple had not locked the interface where you have to enter the password for the iCloud account. The number of attempts was not limited, whereas the portal used by the general public normally locks after five failed attempts. At the same time, the hacker posted software which automatically tests possible passwords, a tool called 'Brute force', which they had renamed iBrute. And they explained how to use it very simply. Anyone could then hack the iCloud accounts of celebrities and access their content, including photos from their phones."

How can such attacks be prevented?

"One can now store all sorts of information in the cloud. iCloud is the service from Apple where one can have access to all one's information from any appliance. For example, if you change telephones you can find and reload all your data—emails, photos et cetera. From a functional point of view it's great. But the key to all these services is the password, which is often weak and the same one used for various services. It's because of this that we will ask you to use long passwords or passwords with numbers. It is even better to use passwords with two elements. For example, you may also be asked for a code sent by text message to your phone, as certain banks do. As for secret questions (which can replace a password), on the one hand you have to trust people who might know the answers, and on the other, if you're a celebrity, it will be easy for someone to find out your place and date of birth or the answers to other common 'secret' questions."
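The two answers above describe the same mechanism from both sides: a login path with no attempt limit lets anyone walk a short list of common passwords against an account, and a lockout after a handful of failures stops that walk, but only if every path to the password check is behind it. The following is an illustrative example added for this page, not Apple's service, the 'Find My iPhone' API or the iBrute tool. The account name, the ten-entry password list standing in for the 500 most common passwords, and the five-attempt threshold are constructed assumptions.

```python
"""Online password guessing against an unlimited login path, and the lockout
that stops it.  Illustrative code added for this page: it is not Apple's
service, the 'Find My iPhone' API or the iBrute tool.  The account name, the
candidate password list and the five-attempt threshold are constructed."""

import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 5  # assumption: mirrors the portal that "locks after five failed attempts"


class AuthService:
    """Salted, slow password hashes plus a per-account failure counter.

    _verify  : the raw credential check, with no limit of its own.
    _guarded : _verify wrapped in the lockout policy.
    Which of the two a front end calls decides whether it can be brute-forced.
    """

    def __init__(self):
        self._accounts = {}   # user -> (salt, pbkdf2 digest)
        self.failed = {}      # user -> consecutive failures seen by the guard
        self.locked = set()

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self._accounts[user] = (salt, self._digest(password, salt))
        self.failed[user] = 0

    def _verify(self, user, password):
        salt, digest = self._accounts[user]
        return hmac.compare_digest(self._digest(password, salt), digest)

    def _guarded(self, user, password):
        if user in self.locked:
            return False
        ok = self._verify(user, password)
        if ok:
            self.failed[user] = 0
        else:
            self.failed[user] += 1
            if self.failed[user] >= LOCKOUT_THRESHOLD:
                self.locked.add(user)
        return ok

    def public_portal(self, user, password):
        """Consumer login page: always goes through the lockout guard."""
        return self._guarded(user, password)


class WeakService(AuthService):
    """The flaw the article describes: a second front end reaches the
    credential check without the guard, so the portal's lockout is moot."""

    def developer_api(self, user, password):
        return self._verify(user, password)


class HardenedService(AuthService):
    """Fix: every path to the credential check goes through the guard."""

    def developer_api(self, user, password):
        return self._guarded(user, password)


# Constructed stand-in for a "most common passwords" list; ten entries are
# enough to show the mechanism.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123",
                    "monkey", "letmein", "dragon", "111111", "baseball"]


def dictionary_attack(login, user, candidates):
    """Try each candidate through `login`; return (password_found, attempts)."""
    for attempts, guess in enumerate(candidates, start=1):
        if login(user, guess):
            return guess, attempts
    return None, len(candidates)


def run_demo():
    """Run the same dictionary attack against three login paths."""
    results = {}

    weak = WeakService()
    weak.register("celebrity", "letmein")   # weak password, 7th candidate
    results["weak_portal"] = dictionary_attack(weak.public_portal, "celebrity", COMMON_PASSWORDS)
    # The portal has locked the account by now, yet the unguarded API still answers:
    results["weak_api"] = dictionary_attack(weak.developer_api, "celebrity", COMMON_PASSWORDS)

    hardened = HardenedService()
    hardened.register("celebrity", "letmein")
    results["hardened_api"] = dictionary_attack(hardened.developer_api, "celebrity", COMMON_PASSWORDS)
    return results


if __name__ == "__main__":
    for path, (found, tries) in run_demo().items():
        verdict = f"cracked: {found}" if found else "not cracked"
        print(f"{path:14s} -> {verdict} after {tries} attempts")
```

The portal locks the account on the fifth failure and the correct seventh guess is refused, but the unguarded API on the same service answers every guess and gives up the password on attempt seven; moving the guard into the one place all front ends share closes that path. Lockout is also only one control: the second answer's point about a second factor stands, because a guessed password alone would then still not open the account.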

How frequent are such security lapses?

"The ethics code followed by computer security experts means that they reveal flaws only after they have been corrected. However, whoever discovered this one did not inform Apple and what's more he or she provided an attack tool. They even put out the list of the most common 500 passwords. Apple corrected the problem but it needed time to react, which is normal because you need at least 24 hours to check if vulnerabilities exist."

— Gerome Billois is a cyber-security expert at management and IT consultants Solucom.



© 2014 AFP

Citation: Simple passwords key to celebrity iCloud hacking (2014, September 3) retrieved 13 October 2019 from https://phys.org/news/2014-09-simple-passwords-key-celebrity-icloud.html


User comments

Sep 03, 2014
An online login being open to a brute force attack is a huge security hole. If this is true it seems ridiculous that Apple is blaming users for insecure passwords.

Most sites will take some form of action after only a small number of failed login attempts, from locking the account for a short time to requiring that the user prove their identity in another way, such as a backup email address or an SMS code to a prearranged phone number. I sometimes get caught out by this because I don't use the same password for every site...
