Apple has admitted that a very targeted attack on usernames, passwords and security questions was the cause of celebrity iCloud accounts being accessed.
In an advisory, Apple said that after more than 40 hours of investigation, the “practice that has become all too common on the internet” was the cause. It said: “When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us.
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”
Philip Lieberman, president and CEO of Lieberman Software, confirmed that the attack was in two stages: the first part of the attack was obtaining the email addresses (Apple IDs) of the targets; and the second part of the attack was understanding that the iCloud service had a flaw that allowed an unlimited number of bad password attempts without lockout or alerting.
He said: “Knowing that the iCloud service did not lock out bad password attempts allowed the attacker to try different lists of words, phrases and character combinations from existing dictionaries of words (dictionary attack) and ultimately use every possible combination of letters, numbers and punctuation via a brute force attack if desired.
“Apple should have logs containing IP addresses of all parties connecting to their services and using this information, they should be able to quickly identify attackers executing large numbers of logon attempts.”
Richard Parris, CEO of Intercede, said that the incident called for stronger authentication and more sophisticated forms of identity.
“Whether this is an issue for the app developers, handset makers, regulatory bodies or even the Government is a discussion for another day, but one thing is clear – consumers, celebrity or otherwise, need to be educated more about the potential security risks posed by the devices in their pockets,” Parris said.
Lieberman said that the incident begs the question of Apple’s incompetence in security operations, saying that the company should have detected large numbers of logon attempts from a specific address in a short period of time, and that its iCloud system should have provided lockout functionality after a fixed number of bad passwords.
He said: “The technology to protect their clients from these attacks is trivial to implement and costs little to operate. One would think that after the previous Find My iPhone hack, Apple would have realised that they needed to clean up their act in security.”
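The two controls Lieberman describes, spotting a single source making large numbers of failed logons from the authentication logs, and locking an account after a fixed number of bad passwords, are both short pieces of server-side logic. The following is an added example written for this article; it is not Apple's code and not Lieberman's, and the log format, the thresholds and the sample log lines are all constructed for illustration. It assumes the log is replayed in time order.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not Apple's): "<ISO timestamp> <OK|FAIL> user=<id> ip=<addr>"
LOG_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) ip=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, ip = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ok": result == "OK",
            "user": user, "ip": ip}


def make_sample_log():
    """Constructed sample: one source sends 30 bad passwords for a single
    account in 30 seconds; the real owner then logs in from elsewhere after
    one typo. Lines are emitted in time order."""
    t0 = datetime(2014, 8, 31, 2, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} FAIL "
             f"user=alice@example.com ip=203.0.113.7" for i in range(30)]
    lines.append(f"{(t0 + timedelta(minutes=10)).isoformat()} FAIL "
                 f"user=alice@example.com ip=198.51.100.4")
    lines.append(f"{(t0 + timedelta(minutes=10, seconds=5)).isoformat()} OK "
                 f"user=alice@example.com ip=198.51.100.4")
    return lines


def flag_noisy_sources(lines, threshold=20, window=timedelta(minutes=5)):
    """Detection over a time-ordered log: for every source IP, count failed
    logons inside a sliding window and report the sources that reached
    `threshold`. Returns {ip: peak failures seen in any one window}."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ok"]:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        peak[ev["ip"]] = max(peak[ev["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


class LockoutPolicy:
    """Account lockout: after `max_failures` bad passwords for one account
    within `window`, refuse every attempt for `lockout` without checking the
    password, so a correct guess made during the lockout is not confirmed."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}

    def attempt(self, user, ts, password_ok):
        """Record one logon attempt; returns 'locked', 'ok' or 'fail'.
        `password_ok` stands in for the real credential check."""
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            return "locked"
        if password_ok:
            self.failures[user].clear()
            return "ok"
        q = self.failures[user]
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout
            q.clear()
            return "locked"
        return "fail"


def run_demo():
    """Replay the constructed log through both controls."""
    lines = make_sample_log()
    flagged = flag_noisy_sources(lines)
    policy = LockoutPolicy()
    outcomes = Counter()
    for line in lines:
        ev = parse_line(line)
        outcomes[policy.attempt(ev["user"], ev["ts"], ev["ok"])] += 1
    return flagged, dict(outcomes)


if __name__ == "__main__":
    flagged, outcomes = run_demo()
    print("sources exceeding the failure threshold:", flagged)
    print("attempt outcomes under the lockout policy:", outcomes)
```

Running the demo flags the single source behind the burst and shows the lockout stopping the guessing after the fifth bad password. It also shows the trade-off with pure account lockout: the account's real owner, arriving during the lockout window, is refused as well, so an attacker who knows a target's Apple ID can deliberately lock the victim out. In practice the per-source rate detection and the per-account lockout are used together, with the per-source signal feeding alerting and throttling of the offending address rather than only the account.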