It must have been absolutely horrifying to wake up on Labor Day and find out that intimate photos of yourself had been shared to millions online. It’s one thing to share a personal photo with your significant other, but it’s a bad morning when your Mom calls to tell you your nether regions are the lead story on CNN.
This article doesn’t seek to condemn the idea of taking and sharing intimate photos — I don’t care what two consenting adults do. However, there are some lessons we can all learn about how our data is stored in the cloud, and what we can do to try to protect it.
How the theft happened
According to Apple, the theft was caused by “a targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.” The attackers used a combination of social engineering, phishing, and using publicly known information about the target to gain access to his or her iCloud account. Apple CEO Tim Cook told the Wall Street Journal, “When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece. I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”
Once hackers had the passwords, they used Elcomsoft Phone Password Breaker to download the iPhone backups from Apple’s servers. From there, getting access to the photos was easy. Actually, given the amount of information the hackers were able to obtain from the backups, the nude photos might be the least of the hackees’ worries.
Is Apple at fault?
Shortly after the hacks, a “Find my iPhone” exploit was patched. But Apple says it does not appear that this exploit was used for the theft of the images, and since it is a publicly traded company speaking about what is now an FBI investigation, I believe them.
Passwords and security questions are what we have right now for account security. It’s up to the user to manage them and decide for him or herself what is manageable. If you’re a public figure, you probably don’t want your secret question answer to also be on your Wikipedia page.
That said, tools like Elcomsoft Phone Password Breaker have been around for a while, and Apple should understand how they are used, and take steps to prevent their usage.
Would two-step authentication have prevented this?
Two-step authentication only adds an extra layer of security if you sign in to My Apple ID to manage your account, make purchases from a new device, or get Apple ID-related support from Apple. It would have stopped the attacker from changing the iCloud password (if needed), but not the actual restore.
It would be very easy to say the fix to this problem is for two-step authentication to work on iCloud restores. But that solution immediately falls to pieces if I buy a new iPhone, or mine has been lost and this is the only device I have with me when I replace it. When I buy a new iPhone in a few weeks it would be trivial to have me authenticate the restore on my iPhone before I wipe it, but not practical if I have nothing else to authenticate the restore with.
So, how do I protect my sensitive photos?
If you want to take a photo with your iPhone and you absolutely, positively, do not want to share that photo, follow these steps:
- Set your iPhone to Airplane Mode
- Turn off iCloud backups in the Settings app
- Turn off Photo Stream
- Take the photo(s)
- Connect the iPhone to your computer
- Launch a program like Image Capture (OS X) that can read the camera roll
- Transfer the images to your computer
- Use the program to delete the images
- For an extra level of security, place the images into an encrypted .zip or .dmg file.
Once you’ve backed up the photo to iCloud, sent it to another person, allowed it into your Photo Stream, or let any internet-enabled app see it, you run the risk of having the photo seen by people you may not want to.
What changes need to be made to prevent these types of attacks?
Over the last 20 years, we’ve been faced with growing challenges in information security. Sadly, the best we’ve come up with still is passwords, probably easily guessed so-called “secret questions,” and the ability to SMS a confirmation code to a phone.
The refrain “I just use the same password for everything” is a common one. Facebook and Google accounts are starting to become the single sign-on (SSO) olution a lot of people use. This frightens me because Facebook and Google aren’t companies I entirely trust to be the keys to my online life. If a company like RSA started allowing me to use an authenticator app and an account with it as a SSO solution for my online life, I would pay a subscription fee for that.
Apple needs to improve security of iCloud backups. As I said, I’m not sure two-step authentication is a complete solution. Right now, though, it seems a little too easy to gain access to iCloud backups. This article by Christina Warren shows how the EPPB tool can be used to gain access to iCloud backups without a password. Apple should also keep lists of common passwords on its servers and not allow people to use them.
Apple is making some changes, however — adding email alerts and push notifications. Raising awareness is a step in the right direction, but knowing my iCloud backup is being restored to an unauthorized device is a far cry from being able to stop it.
As users, we need to stop using weak passwords and easy-to-guess secret questions. One tip: There is no law saying the answers to your secret question needs to be an actual word. A good practice is to use 1Password to randomly create a password and use that as the answer to your secret question. If you make yourself an inconvenient target, hackers may move on to easier victims.