The naked truth about iCloud safety

Photo: Jim Merithew/Cult of Mac

By now you’ve probably heard about the avalanche of celebrity nude photos that slammed the Web on Labor Day. But amid the chaos of FBI investigations, celeb denials and Apple PR releases that say basically nothing, understanding how the attackers executed the hack — and how to prevent it from happening to you — hasn’t been so clear.

Apple recommended that all users enable two-step verification “to protect against this type of attack,” but the truth about iCloud’s two-step security is a little more complicated than Apple’s letting on, and turning it on probably wouldn’t have prevented the celebrities’ pics from getting hacked in the first place.

To help sort through the confusing mess, we’ve broken down everything you need to know about iCloud’s security and how you can use two-factor authentication and other security steps to keep some perv named 4chan from blasting your nips all over the Internet.

Should I turn on iCloud two-factor authentication?

Yes. Adding two-factor authentication to your Apple ID account will give you an extra measure of protection against simple password theft. This will require you to enter a code sent to your iPhone or iPad that confirms that, yes, it’s totally you trying to log in.

How do I turn it on?

Our man Joshua Smith will take you through the entire process of setting up two-factor authentication in just 90 seconds in this how-to video:

Once I have two-factor activated, will the scandalous pics in my Photo Stream be safe?

Nope. There are only three things that two-factor really secures: 1) Signing into My Apple ID. 2) Making iTunes purchases from a new device. 3) Receiving Apple ID-related support from Apple. There have been rumors that iCloud’s two-factor security will expand to other services, but for now it does not protect iCloud backups, Find My iPhone data or documents stored on iCloud.

So an attacker could download my entire Photo Stream and iCloud won’t double-check that it’s really me?

Nope. This is one of the biggest flaws in Apple’s incomplete two-factor authentication. iCloud backups are not protected, so all an attacker has to do is get your Apple ID, hack your password and then siphon all your data completely undetected using the same forensic tools as the police.

Just because some celebrities got hacked, that doesn’t mean I’m at risk too, right?

Wrong. Jennifer Lawrence might be getting all the headlines, but few have mentioned that these attacks are happening every day to ordinary people. An entire 4chan offshoot exists for the sole purpose of stealing nudie pics using anyone’s Apple ID they can get their hands on. The pervs have refined the process down to a science so easy any horny 14-year-old could do it.

Is this all Apple’s fault then?

No, but kinda. Apple left the door open, but the greatest celebrity hack of all time was aided by factors aside from iCloud’s incomplete two-factor authentication. The AnonIB rippers were able to get passwords more easily thanks to iBrute, an app that took advantage of a Find My iPhone bug to allow unlimited password attempts. The attackers also used tools like Elcomsoft Phone Password Breaker to download entire backups, allowing them to swipe old photos celebs might have deleted from their Camera Roll months before.
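To show the server-side control that an "unlimited password attempts" bug removes, here is an added example (not Apple's code and not from the original article) of a login throttle that counts wrong passwords per account and per client and imposes a lockout that doubles on every repeat. `LoginThrottle`, `login`, the thresholds and the `USERS` store are all constructed for this illustration.

```python
import hmac
import time
from collections import defaultdict

# Constructed thresholds for the example; a real service tunes these.
MAX_FAILURES = 5         # wrong passwords tolerated before a lockout
BASE_LOCKOUT_SECS = 60   # first lockout length; doubles on each repeat
MAX_LOCKOUT_SECS = 3600  # cap so the backoff does not grow without bound

# Constructed credential store (plaintext only to keep the demo short;
# a production store keeps a slow password hash instead).
USERS = {"alice": "correct horse battery staple"}

class LoginThrottle:
    """Failure counters keyed on the account AND on the client, so neither a
    single client hammering one account nor a distributed guess across many
    clients gets unlimited attempts. Lockout counts do not decay in this toy."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(int)   # key -> consecutive failures
        self.lockouts = defaultdict(int)   # key -> lockouts imposed so far
        self.locked_until = {}             # key -> time the lockout ends

    @staticmethod
    def _keys(account, client):
        return ("acct:" + account, "client:" + client)

    def seconds_locked(self, account, client):
        """Seconds until either key is free again; 0 when not locked."""
        now = self.clock()
        return max([0] + [self.locked_until.get(k, 0) - now for k in self._keys(account, client)])

    def record_failure(self, account, client):
        """Count a wrong password; returns the lockout length applied (0 if none)."""
        applied = 0
        for k in self._keys(account, client):
            self.failures[k] += 1
            if self.failures[k] >= MAX_FAILURES:
                self.lockouts[k] += 1
                delay = min(BASE_LOCKOUT_SECS * 2 ** (self.lockouts[k] - 1), MAX_LOCKOUT_SECS)
                self.locked_until[k] = self.clock() + delay
                self.failures[k] = 0
                applied = max(applied, delay)
        return applied

    def record_success(self, account, client):
        for k in self._keys(account, client):
            self.failures.pop(k, None)
            self.lockouts.pop(k, None)
            self.locked_until.pop(k, None)

def login(throttle, account, client, password):
    """Returns 'locked', 'denied' or 'ok'. The throttle is consulted BEFORE the
    password is checked, so a locked account gives no oracle on the guess."""
    if throttle.seconds_locked(account, client) > 0:
        return "locked"
    if not hmac.compare_digest(USERS.get(account, ""), password):
        throttle.record_failure(account, client)
        return "denied"
    throttle.record_success(account, client)
    return "ok"
```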

What could Apple do to prevent this from happening again?

A simple notification email any time your iPhone backup has been downloaded by a computer would be a nice start. Requiring users to enter another ID code when restoring a device or logging into an iCloud account from a new device or location would also help. Releasing a statement that celebs just aren’t using their iPhones right isn’t enough. Apple needs to make solutions that allow users to play a more active role with their data and how it’s managed long-term.
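As an added illustration (not Apple's implementation and not from the original article), here is a policy check that contrasts the coverage the article describes today with the article's proposed tightening: a verification code for backup downloads and iCloud logins from untrusted devices, plus a notification whenever a backup is downloaded. The operation names, `Policy`, `Account` and `authorize` are invented for this example.

```python
from dataclasses import dataclass, field

# Operation labels are constructed for this example; the grouping follows the
# article: two-step today covers only the first three, backups sit outside it.
SIGN_IN_MY_APPLE_ID = "sign_in_my_apple_id"
ITUNES_PURCHASE = "itunes_purchase_new_device"
SUPPORT = "apple_id_support"
BACKUP_DOWNLOAD = "icloud_backup_download"
ICLOUD_WEB_LOGIN = "icloud_web_login"

@dataclass(frozen=True)
class Policy:
    step_up_ops: frozenset  # ops that demand a verification code from an untrusted device
    notify_ops: frozenset   # ops that e-mail the account holder after they happen

# Coverage as the article describes it today, and the article's proposed extension.
CURRENT_POLICY = Policy(frozenset({SIGN_IN_MY_APPLE_ID, ITUNES_PURCHASE, SUPPORT}), frozenset())
PROPOSED_POLICY = Policy(
    frozenset({SIGN_IN_MY_APPLE_ID, ITUNES_PURCHASE, SUPPORT, BACKUP_DOWNLOAD, ICLOUD_WEB_LOGIN}),
    frozenset({BACKUP_DOWNLOAD}),
)

@dataclass
class Account:
    trusted_devices: set = field(default_factory=set)
    notifications: list = field(default_factory=list)  # stand-in for outbound e-mail

def authorize(account, op, device_id, password_ok, code_ok, policy):
    """Return 'deny', 'need_code' or 'allow' for one request.
    password_ok and code_ok are the outcomes of the primary and second-factor
    checks, assumed to have been performed by the caller."""
    if not password_ok:
        return "deny"
    needs_code = op in policy.step_up_ops and device_id not in account.trusted_devices
    if needs_code:
        if not code_ok:
            return "need_code"
        account.trusted_devices.add(device_id)  # enrol the device once a code succeeded
    if op in policy.notify_ops:
        account.notifications.append(f"{op} performed from device {device_id}")
    return "allow"
```

Under `CURRENT_POLICY` a correct password from a never-seen device is enough to pull a backup and nobody is told; under `PROPOSED_POLICY` the same request stalls at `need_code` and, once completed from a trusted device, leaves a notification behind.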

What else can I do to protect my data?

Create a complex password for iCloud (and consider using a powerful tool like 1Password that will manage all your strong passwords). Use a private email address to sign up for cloud services. Encrypt your pictures. Make up random answers to your password-reset questions. Don’t share personal info on the Internet. And if you really want to make sure the world doesn’t get a peek at your nude selfies, take RZA’s advice and don’t put your naughty bits on a screen.

  • DigitalBeach

    Thanks for the info.

  • Adrayven

    >”Is this all Apple’s fault then? No, but kinda. Apple left the door open, but the greatest celebrity hack of all time was aided by factors aside from iCloud’s incomplete two-factor authentication. The AnonIB rippers were able to get passwords easier thanks to iBrute, an app that took advantage of a Find My iPhone bug to allow unlimited password attempts. The attackers also used tools like Elcomsoft Phone Password Breaker to download entire backups, allowing them to swipe old photos celebs might have deleted from their Camera Roll months before.”

    Umm… Apple clearly stated in its release that the Find My iPhone bug exploit was NOT used .. and that hole was PATCHED.. It was a straight attack.. Unless you’re contending they are lying and you show no information on that.

    > “Apple recommended that all users enable two-step verification “to protect against this type of attack,” but the truth about iCloud’s two-step security is a little more complicated than Apple’s letting on, and turning it on probably wouldn’t have prevented the celebrities’ pics from getting hacked in the first place.”

    If two factor auth was enabled, it WOULD have blocked this, period.. Really disappointed in your not fact-checking.. Those backups wouldn’t have been in anyone’s hands if two factor auth was enabled. Elcomsoft would have been useless. You cannot restore a backup period w/o going through 2 factor auth to restore to a new device.. which Elcomsoft appears as to Apple’s iCloud. IF it was enabled.. which it was not.

    • BusterH

      Totally false.
      If they had two-factor authentication it would not have stopped the attack at all. iCloud does not protect your backups with two-factor authentication. You are not prompted for an ID code when restoring a backup.
      Sure, they didn’t “breach” Apple’s systems in that they didn’t hack and code their way around Apple’s servers. They simply found a really easy way to grab the key and walk right into the vault. That’s a problem.

      Sorry to burst your bubble, but Apple isn’t perfect. The company makes mistakes. There are holes and bugs with its services, just like any other company. Time for Apple fanboys to stop treating them like they’re blameless in this situation.

      • Fabio Antonio Esquivel Chacón

        Please, let me understand your affirmation: If I set up a new iPhone with an existing AppleID, I just have to enter the password and begin restoring the backup from iCloud.

        But if the AppleID has two-factor authentication enabled, the SMS security code must come to the registered phone number (that of the owner/celebrity) before allowing the login… How then can a hacker restore the iCloud backup if s/he does not receive such SMS?

        Are you saying it is possible to login from another source without the SMS security code and download the iCloud backup?

      • http://about.me/davidgoscinny David Goscinny

        If you enabled 2-factor, you can have it send codes via SMS or via the Find My Phone application & you can have it on multiple devices.

        So imagine you’re restoring a backup on your phone, you then ask it to send a code via the Find My Phone installed on your iPad & you’ll receive it.

      • Fabio Antonio Esquivel Chacón

        I’m trying to understand the supposed hack from a hacker perspective…

        If the hacker has just an iPhone, the victim’s e-mail address for the AppleID and the password, what Apple service or app allows him to log in with those credentials WITHOUT the SMS security code sent to the victim’s registered iOS devices?

        Is it possible to restore an iCloud backup on a new iPhone (unrelated and unknown to the victim) without requiring the SMS security code? That’s where I’m lost, I can’t believe it!

      • http://about.me/davidgoscinny David Goscinny

        You can log into the iCloud website (contacts, calendar, etc. become readable) & yes, as you’ve said restoring a backup on a brand new phone doesn’t require that code either.

      • Fabio Antonio Esquivel Chacón

        Apple’s FAQ (https://support.apple.com/kb/HT5570) denies that explicitly:

        “Without both your password and the verification code, access to your account will be denied.”

        “After you turn it on, there’s no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key.”

        Do you say they are lying?

      • http://about.me/davidgoscinny David Goscinny

        Well notice that they’re talking about the My Apple ID website specifically. I’ve tried the iCloud website & it does indeed log you in without the verification code (unless that’s changed in the last hours).

      • Fabio Antonio Esquivel Chacón

        Apple’s FAQ about two-factor authentication says otherwise:

        “Without both your password and the verification code, access to your account will be denied.”

        “Your identity is verified exclusively using your password, verification codes sent to your trusted devices, and your Recovery Key.”

        “After you turn it on, there’s no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key.”

        Are you saying they are lying by allowing some iCloud services (on their website or some apps) to log in without requiring the verification code? If that’s the case, someone should point that up explicitly for it to be fixed!

    • Adrayven

      FYI: They broke in using the Security Questions.. you know.. for when you lose your password.. Security Questions are basically guessable passwords..

      IE:
      1) Mother’s maiden name? Kate Upton = Google it
      2) Favorite color? Kate Upton = Google it
      3) What high school did you graduate from? Kate Upton = Google it..

      Basically, for a celeb.. just google their security questions when you get prompted.. Read the on-line biography, etc.. it’s all online

      Suggestion.. if you ever HAVE to use security questions.. enter random passwords into the fields.. don’t actually answer the questions…

      • http://about.me/davidgoscinny David Goscinny

        But @BusterH was still correct in saying that 2-factor authentication wouldn’t have stopped the attack. You can log into iCloud with the 2-factor token and you can restore a backup without it as well.

        That fact, added to the infinite tries could’ve enabled a brute force attack even with 2-factor enabled.

  • http://about.me/davidgoscinny David Goscinny

    It’s very telling that about a year ago, the 2-factor authentication for AppleIDs wasn’t even available outside of the US.

    • Fabio Antonio Esquivel Chacón

      It’s available in Costa Rica and for my carrier (Movistar) according to Apple’s support webpages about it. But whenever I try to turn it on, I never receive the SMS from Apple validating my SMS-capable phone number. And I don’t know where to complain about it!

      • http://about.me/davidgoscinny David Goscinny

        Yes I do remember it taking a long time before receiving the first codes when I enabled it. I asked it to resend about 4, 5 times & still nothing. Then about half an hour later, I got all the codes requested back to back, like an SMS salvo.

      • Fabio Antonio Esquivel Chacón

        I’ll keep trying, but I’m still waiting for the first SMS messages I should have received a month ago…

      • http://about.me/davidgoscinny David Goscinny

        Ok something is really wrong then. Try contacting Apple support.

  • http://bizstarz.com/ Scott Smith

    Re: “consider using a powerful tool like 1Password that will manage all your strong passwords”

    Buster, very much enjoyed your informative and no-holds-barred article about iCloud’s significant security flaws. But are you not assuming that password managers such as 1Password are somehow immune to hack attacks? If so, how so? Also, security experts preach that you shouldn’t use just one password, but simultaneously recommend using a password manager. However, if you rely on a password manager, are you not basically using “one password” for all your log-ins, hence the name 1Password?

About the author

Buster Hein is Cult of Mac's Senior News Editor and lives in Phoenix, Arizona. Twitter: @bst3r.
