Andrey Belenko had what you might call a ‘brush with infamy’ earlier this week after a presentation he took part in on the security of Apple’s iCloud became a set piece in the news media scramble to identify the source of a huge trove of leaked celebrity photos – many depicting Hollywood A-List stars in various states of undress.
“It’s not the kind of attention you want to receive,” said Belenko, a security researcher with the firm ViaForensics. “It’s all really creepy stuff.”
Belenko’s link to the celebrity hacking scandal was a matter of happenstance. He was scheduled to give a presentation at a small, St. Petersburg multi-media conference, Chaos Constructions, over the weekend. Belenko was presenting research he had conducted a year earlier on the security of Apple’s KeyChain technology and iCloud – a talk he had given twice before in the last year.
Prior to his talk, Belenko was approached by Alexey Troshichev, the founder of HackApp, who was scheduled to talk about a new tool he had created, iBrute, which took advantage of a vulnerability in Apple’s FindMyiPhone service that, Troshichev said, could be used to compromise iCloud accounts. Troshichev had posted a free version of iBrute on the site GitHub for the public to evaluate. The two agreed to combine their talks under the banner of iCloud security.
As they were talking, nude photos of actress Jennifer Lawrence, Kate Upton and scores of other celebrities started cropping up in forums on the image posting site 4chan. The coincidence of the leak of the photos and Troshichev’s publication of iBrute led many to (incorrectly) connect the two: suggesting that iBrute had been the key that provided access to the celebrities’ accounts. Apple seemed to corroborate their suspicion by quickly patching the brute force vulnerability that iBrute exploited. And, in the haste to cover the story, Belenko was lumped in with iBrute, HackApp and Troshichev.
Time – in this case, the passage of a few hours- soon revealed that Mr. Belenko was just a spectator to the whole circus. In fact, neither he, Troshichev nor iBrute had any connection to the celebrity account hacks, many of which now appear to be months old and are likely the work of a covert crew of determined celebrity stalkers. Apple has since disavowed any breach of its security, attributing the compromise of the celebrities accounts to extremely targeted hacks against those individuals account passwords and password recovery questions.
Speaking on Wednesday with The Security Ledger, Belenko said the moral of the celebrity hacking story is the same moral as many other cyber attack stories these days: passwords (and therefore users) really matter when it comes to security.
“Your account is only as secure as the password and security questions you use,” he said. That’s true even for attackers who have the help of automated tools like iBrute.
“Theoretically, the (FindMyiPhone) vulnerability could have been exploited to gain access to iCloud accounts,” Belenko said. “But only if person uses a bad or weak password.” Users who have strong passwords of eight characters random characters and digits (or more) would be unlikely to have their account compromised, even with the help of iBrute, he said.
So-called soft authentication features like challenge questions are often an (easy) back door into otherwise secure accounts, he said.
“There have been a lot of leaks lately. I think people understand importance of having a secure password, but they underestimate the importance of security questions. What is the point of having a 10 character random password when your security question is ‘What was the city where your parents met?’ – a question that can easily be Googled.”
Security issues tied to weak challenge-response questions aren’t news. Researchers from Microsoft and Carnegie Mellon University published a paper in 2009 (PDF) on the topic that found password recovery features to be considerably less secure than the passwords they’re protecting. Specifically: acquaintances that the test subjects said they would not be willing to share a password with were able to correctly guess the answer to the user’s challenge question 17% of the time. And, for users in the same geographic areas, answers could be correctly guessed by iterating through a short list of popular answers 13% of the time, the study found.
Belenko said that the public shouldn’t assume that iCloud is insecure based on the hack of some of Apple’s (high-profile) customers. “I believe iCloud is pretty well-engineered,” he said. “They’re pretty clear about what data gets in and how it is protected.”
That includes limits on password retries that make brute force attempts impossible, as well as hardware based encryption for iCloud data at rest that protects it from malicious insiders who may be able to access iCloud infrastructure.
He said one recommendation for Apple would be to extend its use of two-factor authentication. While that exists for iCloud accounts, it is not enabled by default and doesn’t extend to iCloud backups -a potentially lucrative source of user data.
Doing so could impact useability -a top concern of Apple. However, it would also close off a main avenue of attack against its cloud infrastructure, Belenko said.