
iCloud hackers likely got away with more than just naked celeb photos

by Darren Allan, 03 Sep 2014

Apple has confirmed that a large number of celebrity iCloud accounts have been compromised, and indeed it's likely that it wasn't just nude and semi-nude photos (and videos) which were stolen from the hundred or so victims.

Apple issued a press advisory after 40 hours of investigation into the affair, which is said to have left the company "outraged". Cupertino said that iCloud itself had not been hacked or breached; rather, the accounts had been undone by a "very targeted attack on user names, passwords and security questions".


While the naked photos have been the scandal and gossip this week, one point that seems to have been overlooked by many is the fact that it's likely that images aren't the only things the attacker was able to pilfer.

The Sydney Morning Herald reported that Nik Cubrilovic, an Australian security expert, noted that it's very likely those who breached the accounts also made off with texts, contacts, calendars, notes, and potentially other info which hasn't been published (yet). These would be accessible via special forensic software which could extract the data from cloud-based backups.

Cubrilovic said the attacker(s) would also have been able to access real-time GPS coordinates via the Find My iPhone service – and remember, this is the location of major celebs we're talking about here (and their address books and so forth).

We could yet see more of a storm from this incident, and in general, Cubrilovic noted that: "What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public. The networks are broken down horizontally with specific people carrying out specific roles, loosely organised across a large number of sites (both clearnet and darknet) with most organisation and communication taking place in private (email, IM)."

Cubrilovic also said that iCloud is the most popular target for hackers due to the popularity of the iPhone, and because Picture Roll backups are enabled by default (Windows Phone backups, on the other hand, are off by default, and Android uses various third-party backup apps).


As we did yesterday, Apple has advised iCloud users that, to be fully secure, they need to use a strong password and enable two-factor authentication.

However, Cubrilovic also said: "Two-factor authentication for iCloud is useless in preventing passwords or authentication tokens being used to extract online backups."

He goes into great detail about what is wrong with Apple's current account recovery process and how that can be leveraged by hackers – read more in his lengthy blog post.
