Apple Cloud Compromise – When will developers learn to think like an intruder?

Introduction

The Cloud is probably one of the most disruptive technologies ever created, and we increasingly store many of the details of our lives there, often without even knowing that things are being stored. Many people now have auto-sync of the photographs they take into a Cloud environment, so that they do not have to sync using a cable. Thus our emails, pictures, locations, files, and so on, are increasingly stored in the Cloud, where they can be open to probing from intruders. While storing in public clouds such as Amazon EC2 or Microsoft Azure can leave organisations open to attack, most users think that storage in the Apple iCloud would be a safer haven, especially as a breach would massively damage the trust relationship that they have with the provider of their personal storage. So it was a shock when it was announced that various celebrities had had private pictures of themselves posted online, pictures that had been stored in the Apple iCloud. The images, including those of Jennifer Lawrence, were posted onto a range of sites including Reddit, Imgur and Twitter, and have since been deleted by administrators.

Apple iCloud Compromise

What is appearing in terms of the compromise is that Apple have managed to side-step a key issue around the hacking of celebrities’ iCloud accounts by saying that it was nothing to do with their Cloud infrastructure and associated backup system. It seems, though, that the compromise has identified a problem on their system, where there was no automatic lock-out on a user continually trying a range of user details, such as usernames, passwords and related security questions.

Most systems are automatically set up, out-of-the-box, to lock users out after they have entered their details incorrectly a number of times, which guards against a human trying out a few passwords that might fit. The greatest risk in a system that does not have a lock-out is that an intruder can use automated tools which will try the most common usernames and passwords, and eventually find the right one.

While the root of the hack has still to be defined, researchers have shown that the Find My iPhone app did not have a lock-out after a number of incorrect password guesses. Many automated tools exist which pick from a list of common usernames and passwords. These include Hydra, which reads from lists of common names, and which is a program that can talk to most types of systems, including the Web, file transfer, remote access, and so on. This package is able to create the normal communication that a user would create, but can do it at a rapid speed, such as millions of times a second. The tool can then blast the login system, and if the user has used a weak password, can quickly get a successful login. When successful, the intruder then receives back the details, and can go ahead and compromise the account.

The failings

The failing in the Apple authentication system was perhaps created in order to strike a balance with usability, where users typically forget their password, then continually try a range of them, and finally find the right one. If users continually report that they are locked out, it can be a significant drain on the system, and a human operator is normally required to check the lock-out and reset it. With always-on access to data required these days, the loss of access to files, even for a short time, can cause major problems for businesses.

Overall, the authentication system in this case failed to provide a lock mechanism against the scanning of usernames/passwords, and it should have had in place:

  • A lock-out on a certain number of tries.
  • A network detection system setup to detect multiple logins against a single account.
  • A “human” challenge to stop automated bots from trying the multiple usernames/passwords (such as with Captcha).

The problem often comes down to developers quickly producing a solution and getting it on-line, but forgetting to take on an adversarial role. In this case, it was a novice problem, and most system administrators would advise that a three-try system works best, and will quickly knock out an automated agent. This lock can then be identified by the user, and is often reported to the host company.
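One way to implement the first two controls from the list above (a lock-out after a fixed number of tries, and detection of many sources failing against a single account), as an added Python example that is not from the original post and does not describe Apple’s system; the credential store, usernames and addresses are constructed sample data:

```python
import hashlib, hmac, os, time
from collections import defaultdict

MAX_FAILURES = 3     # the three-try lock-out the post recommends
WINDOW = 300         # seconds over which failed attempts are counted
LOCK_SECONDS = 900   # how long a locked account stays locked

def make_user(password):
    """Constructed sample credential store entry: (salt, PBKDF2-SHA256 hash)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    """Password check wrapped in a per-account lock-out and a burst detector."""
    def __init__(self, users, clock=time.time):
        self.users = users                    # {username: (salt, hash)}
        self.clock = clock                    # injectable clock, for testing
        self.failures = defaultdict(list)     # username -> [(timestamp, src_ip)]
        self.locked_until = {}                # username -> unlock timestamp

    def _prune(self, user, now):
        # Forget failures older than WINDOW so occasional fumbles do not accumulate.
        self.failures[user] = [(t, ip) for t, ip in self.failures[user] if now - t <= WINDOW]

    def is_locked(self, user):
        return self.locked_until.get(user, 0) > self.clock()

    def attempt(self, user, password, src_ip):
        """Return 'ok', 'fail' or 'locked'; unknown and known usernames behave alike."""
        now = self.clock()
        if self.is_locked(user):
            return "locked"
        self._prune(user, now)
        ok = False
        if user in self.users:
            salt, stored = self.users[user]
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
            ok = hmac.compare_digest(digest, stored)   # constant-time comparison
        if ok:
            self.failures.pop(user, None)   # a good login clears the counter
            return "ok"
        self.failures[user].append((now, src_ip))
        if len(self.failures[user]) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCK_SECONDS
            return "locked"
        return "fail"

    def distributed_sources(self, user, min_ips=3):
        """Detection hook: distinct addresses failing against one account within WINDOW."""
        self._prune(user, self.clock())
        ips = {ip for _, ip in self.failures[user]}
        return ips if len(ips) >= min_ips else set()
```

The lock-out counts failures per account rather than per source address, so an automated agent that spreads its guesses across many addresses is still stopped, and `distributed_sources` gives the monitoring system a signal to alert on.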

The solution

The solution for many users is to move toward multi-factor authentication, typically using two or more methods to identify themselves (or their device). In Cloud storage applications, the move is towards two-factor authentication, where a secondary method is used to authenticate the user. In Dropbox, for example, to authorize a new machine with two-factor authentication, the user must enter their username/password, and will then receive a PIN code as an SMS message to their mobile phone. This makes it difficult for an intruder to gain access to both authentication methods.

The key to multifactor authentication is to pick from: something you know (such as your password); something you have (such as your mobile phone); and/or something you are (such as your fingerprint) – as illustrated in Figure 1. Increasingly we use somewhere you are as another check, where a trace on an IP address or mobile phone can give information about the location of the user or device. Basing the security on more than one factor considerably enhances security, especially as the something you know factor now has problems, since intruders can often determine things that a user might know (such as a user’s mother’s maiden name).

Figure 1: Three factors for authentication

Conclusions

There is often a balance between usability and security in Cloud-based systems, but, in this case, it would seem obvious that users would have preferred a lock-out after a given number of attempts for the Find My iPhone app, if they knew that it would lock an automated agent out of the system. In many cases a lock-out after three attempts is used, and perhaps the usual three attempts could be increased, but a limit should be a standard feature on most cloud-based systems. While not the target of this hack, Apple has had a vulnerability found through others investigating, and it was one that they should have identified through their own testing.
