When a breach occurs, especially when compromised user accounts are suspected or confirmed to be the source of the data being leaked, we information security pros, amateurs and enthusiasts are the first to scream:
TWO FACTOR AUTHENTICATION!!!11
While 2FA (Two-Factor Authentication, also called Multi-Factor Authentication or Two-Step Verification – see Mark Stanislav’s presentation for more details on the atrocious naming “convention”) has multiple advantages over a simple password, in the case of the “iCloud Celebrity Nudes Breach/#TheFappening”, it would only have helped a little bit.
Here is why.
iCloud is not Apple ID and Apple ID is not iCloud
Apple’s Two-Step Verification, as they call it, is an Apple ID feature.
Apple’s knowledge base calls it two-step verification for Apple ID.
Once you enable it, further management of your Apple ID will require you to enter a code that is sent to one of your trusted devices, or as an SMS to a verified phone number.
A recovery key is provided, to help you gain access to your account in the event of a forgotten password and/or lost device.
The main advantages of Two-Step verification are:
- No more recovery questions. These are usually easy to break when people use them with real data.
- It makes resetting your password or changing any of your Apple ID authentication settings much harder.
- Purchases made using your Apple ID will have to be authenticated using Two-Step Verification on each device at least once.
That being said, the feature is not called iCloud Two-Step Verification, and while the same username and password are used on both services, Apple’s 2FA is not used on iCloud.
To demonstrate this issue in the context of celebrities being “hacked” in order to steal compromising photos, I performed the following:
1. Configured a blank iPhone 4 to use my iCloud account
I logged in with my iCloud/Apple ID username and password.
Only a username and password has been entered at this point.
Instantly, most iCloud services were enabled by default. This means that at this point, if my Contacts, Calendar or worse, Mail was in iCloud, the attacker with a stolen/guessed password would have access to it.
2. I checked my shared photostreams
I had some shared photostreams in my iCloud account. Sure enough, they were there.
(Photo: a shared photo of a device some might recognize.)
3. I took a suggestive photo of bananas
Well, I actually Googled for suggestive bananas and saved one of the photos to my camera roll. Do not repeat this Google search.
Do not Google for this.
4. I backed up the phone
The phone has been backed up.
5. I wiped the phone
I was asked for my iCloud username and password again, as Find my iPhone/Activation Lock were enabled. I wiped the device.
At this moment, I received a notification saying that Find my iPhone was disabled. This is not a step an attacker would normally proceed with, as the attacker is not in physical possession of a device in this scenario.
6. I restored the backup on the device
The device has been restored. No Two-Step prompt.
Sure enough, the suggestive bananas were there in the restored camera roll, and shared photo streams were being synced.
The only notifications I received during this process were related to me enabling/disabling Find my iPhone on my test device.
I did not get a single push notification or email telling me that a new device was linked to my iCloud account. You receive one when iMessage is enabled on a new device, but as long as the attacker doesn’t enable it, this is quite a quiet process.
The phone I used to restore is the same phone I used to take the backup. I do not believe it makes a difference, but if someone knows for a fact that restoring from a different phone would trigger Two-Step Verification, let me know.
So what should we do?
- Never trust a single security measure to protect you.
Having 2FA, 2SV, MFA or whatever they’ll call it next week is never a replacement for a good password.
- Enable Two-Step Verification.
It might not be perfect, but it will protect you against password recovery based attacks and will make it easier for you to prevent changes made to your Apple ID without your consent. In fact, you should use Two-Factor Authentication almost everywhere, and if security questions are still necessary, make things up or use random strings saved in a password manager.
- Be very wary of having your email in the same iCloud account as the rest of your stuff, and do not use it as the recovery email for other services.
Once someone has gained access to your main email account, getting into your Dropbox account, Facebook account and more becomes trivial.
- Be careful when blaming users for using weak passwords.
I know for a fact that very old Apple IDs with very weak passwords were not forced to change them to a more secure one, as the minimum password complexity policy was updated but there is no password maximum age. Educate people, but realize that people do not have to know how injection works to safely drive a car.
- Be careful when you recommend things to the less technically savvy. In this case, Two-Step Verification would not have been a silver bullet. Is there ever one?
We know about this because there were nude pictures of attractive celebrities. Compromises through a similar attack, where the stolen data is more boring to the general public and the media, are probably extremely common.
What should celebrities do?
Be aware that you are way more at risk than regular users/normal people. Most regular users are at risk of automated attacks, but not targeted attacks.
Follow good password hygiene, store the bare minimum in cloud services, and obtain the services of an information security professional to give you basic training.
What should Apple do?
We’ve seen companies such as Amazon looking actively for leaked credentials on sites like GitHub.
Apple should be more proactive towards weak passwords and failed login attempts, and should especially try to detect passwords that were leaked in other breaches and force a password change on those. Some services like Box even offer to warn you any time you login. Services like Google Apps detect and notify you on suspicious logins, and provide you with more information to see how and from where your data was accessed.
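The kind of detection described above, applied to the gap this post demonstrates: a restore or sign-in on a device that has never completed a second-factor challenge for that account should raise an alert, even when the password was correct. This is an added example, not Apple's code; the log format and the event names (signin, backup_restore, 2sv) are constructed for illustration.

```python
"""Flag sensitive iCloud-style events on devices the account never verified with 2SV."""
import re
from collections import defaultdict

# Constructed sample log (not a real Apple log format).
# Fields: timestamp account device event factors-used
SAMPLE_LOG = """\
2014-09-01T10:00:00Z alice iphone-A signin password+2sv
2014-09-01T10:05:00Z alice iphone-A backup_restore password
2014-09-02T03:12:00Z alice iphone-B signin password
2014-09-02T03:20:00Z alice iphone-B backup_restore password
2014-09-02T09:00:00Z bob ipad-C signin password+2sv
2014-09-02T09:01:00Z bob ipad-C backup_restore password
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse(log):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, account, device, event, factors = m.groups()
        events.append({"ts": ts, "account": account, "device": device,
                       "event": event, "factors": set(factors.split("+"))})
    return events


def find_unverified_links(events, sensitive=("signin", "backup_restore")):
    """Return (ts, account, device, event) for sensitive events on a device
    that has never passed a 2SV challenge for that account.

    A password-only event on an already-verified device is not alerted,
    which mirrors the post: the problem is the *new* device that was never
    challenged, not the absence of a prompt on every single action."""
    verified = defaultdict(set)  # account -> devices that completed 2SV
    alerts = []
    for e in events:
        if "2sv" in e["factors"]:
            verified[e["account"]].add(e["device"])
        elif e["event"] in sensitive and e["device"] not in verified[e["account"]]:
            alerts.append((e["ts"], e["account"], e["device"], e["event"]))
    return alerts


if __name__ == "__main__":
    for alert in find_unverified_links(parse(SAMPLE_LOG)):
        print("ALERT new unverified device:", *alert)
```

Only alice's iphone-B is flagged: it was linked and restored with a password alone, while iphone-A and ipad-C had each answered a 2SV challenge before their restores.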
Apple should make it easier to change iCloud / Apple ID passwords without receiving an insane amount of password prompts on every device. It is currently mind-boggling. I expect that Touch ID being available on more and more Apple devices soon will help Apple redefine their iCloud / password management strategy.
Apple should also improve their 2SV to cover iCloud services. It is not an easy thing to fix, especially in cases where the user only has one trusted device, but if someone can pull it off, it would have to be a company that’s very good at user experience and has roughly unlimited money.
Oh, and they should call it something other than Two-Step Verification.
More Reading on the Subject
Mark Stanislav / Duo Security: End User Authentication Security on the Internet
Rich Mogull: iCloud Flaw Not Source of Celebrity Photo Theft
Jonathan Zdziarski: TL;DR: Hacked Celebrity iCloud Accounts