Transcript

APPLE ICLOUD EXPLOIT

$1.25

Sunday, August 31, 2014

Vol XCIII, No. 311

Hundreds of Celebrity Photos Leaked

The first attack by unknown hackers was on August 31, 2014.

Weakness in Apple Security?

Pictures first appeared on 4chan and Tumblr.

What we know...

How secure is iCloud?

An Overview of Current iCloud Security

iCloud's encryption

Password

iCloud data is encrypted both in the server and when it is in transit.

Apple requires users to have a password with at least 8 characters, a number, an uppercase letter, and a lowercase letter.

For photos, Apple says there is a minimum level of 128-bit AES encryption

  • Apple said it wasn't a problem with its security controls, but later enhanced security.

  • A security researcher informed Apple about the weakness a month before the breach.

  • A hacking presentation covered these weaknesses in 2013.

  • Brute-force attacks against "Find my iPhone" service.

  • Tools used to download and rip iCloud backups.

Change any password that is used in more than one place with the same login name.

Two-factor authentication

Before you can access an account, you must log in with both a password and a unique device code (sent via SMS or an authenticator key).

Apple offers two-factor authentication for iTunes and iCloud accounts.

Before a device gets access to iCloud data:

  • You must approve it with a four-digit authentication code (SMS).
  • Grant access from another enabled machine.

The vast majority of users do not enable this.

Apple set two-factor authentication for iCloud on Sept 16, 2014

WHAT DID APPLE SAY?

Apple Security Issues Reported, Ignored

Apple says it will add new security measures after celebrity hack

Researchers discovered security holes prior to iCloud Exploit

Apple Press Info

What Apple said it is going to do:

Vladimir Katalov Reports iCloud vulnerabilities at 2013 Hack In The Box conference

  • Alert users via alerts or push notifications when:
  • No breach in iCloud or Find my iPhone.
  • Celebrities' accounts targeted.
  • Phishing to get info (usernames, passwords and security questions).

RIPPING iCLOUD BACKUPS

1) Trying to change password.

2) Restore iCloud data to new device.

3) Device logs into account for the first time.

  • Most important measures to prevent future intrusions might be more human than technological.

Breaking into iCloud Servers with EPPB

Create stronger and safer passwords

  • Enhance security with two-factor authentication, have two of:
  • Found that malicious attacker only needs Apple ID and password to access iCloud backups.

  • iCloud data stored on Amazon and Microsoft-owned servers.

  • Users are unable to personally encrypt backups.

1) A password.

2) A separate four-digit one-time code.

3) Long key access code given to the user when they signed up for the service.

  • Users are not notified when iCloud backups are downloaded.

  • 2-Factor authentication was not available for iCloud or Find My iPhone services

EPPB (Elcomsoft Phone Password Breaker)

Program that makes it possible to download iCloud backups from Apple's iCloud servers onto a computer.

Basic professional version

Windows Only

Use EPPB

Get username and password

None of these are security holes that can be patched; they are core implementation problems.

Forensic version

The program asks for the iCloud username and password.

Password Reset

Figure out if an e-mail account is connected to an Apple ID

Apple reveals if an email is valid or not if you attempt to sign up a new Apple ID using that e-mail.

Small program that can be run from CMD in Windows or OS X.

Download latest iCloud backup.

Know account creator's date of birth

Information widely available on Facebook, and even on Wikipedia for celebrities.

It differs from the iTunes backup on your computer in that the data is not encrypted.

The iOS Keychain file is encrypted. The other files are not.

Answer two security questions

Select the data you want to get with EPPB

Hit "refresh" until you find two questions you know the answers for.

It searches to see if a user has the iCloud Control Panel for Windows or OS X

Find my iPhone

Lack of rate-limiting in the app.

iBrute

Tool:

to crack the password!

Download data to designated folder

Apple has solved this issue

and share!

March 2014: Ibrahim Balic reports that iCloud API appeared to be vulnerable to Brute Force attacks

If it is,

It copies an authentication token from the proper place

and copies it into a text file for easy copying.

"I believe the issue was not completely solved..."

"They kept asking me to show them more stuff."

-Balic

ICLOUD SECURITY TO BE IMPROVED

Steps Apple could take, as well as other Websites

Encrypt iCloud backups

Circumvention of Brute-Force Attacks

  • Restoration process more lengthy

Negative customer impact.

  • Login attempt lockout after a number of tries.
  • CAPTCHA.
  • Network throttling.
  • Redirection.
  • Adding pauses.
  • Access Policy (block IP addresses).
  • Improve security questions.
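
The lockout, pause and IP-block measures listed above, combined in one server-side throttle. This is an added example, not code from the presentation or from Apple; the thresholds, class and function names, and the sample events are assumptions chosen for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 5         # assumed: consecutive failures before a hard lockout
BASE_PAUSE = 1.0         # assumed: first pause in seconds, doubled per failure
LOCKOUT_SECONDS = 900    # assumed: lockout duration
MAX_ACCOUNTS_PER_IP = 3  # assumed: distinct accounts one IP may fail against


class LoginThrottle:
    """Tracks failed logins per account and per source IP (hypothetical helper)."""

    def __init__(self):
        self.failures = defaultdict(int)         # account -> consecutive failures
        self.blocked_until = defaultdict(float)  # account -> earliest next attempt
        self.ip_targets = defaultdict(set)       # ip -> accounts it failed against
        self.blocked_ips = set()

    def check(self, account, ip, now):
        """Decide 'allow', 'wait' or 'blocked' BEFORE the password is verified."""
        if ip in self.blocked_ips:
            return "blocked"
        if now < self.blocked_until[account]:
            return "wait"
        return "allow"

    def record(self, account, ip, success, now):
        """Update state after an allowed attempt was verified."""
        if success:
            self.failures[account] = 0
            self.blocked_until[account] = 0.0
            return
        self.failures[account] += 1
        n = self.failures[account]
        pause = LOCKOUT_SECONDS if n >= MAX_FAILURES else BASE_PAUSE * 2 ** (n - 1)
        self.blocked_until[account] = now + pause
        self.ip_targets[ip].add(account)
        if len(self.ip_targets[ip]) > MAX_ACCOUNTS_PER_IP:
            self.blocked_ips.add(ip)


def replay(events):
    """Run constructed (time, account, ip, password_ok) events through the throttle."""
    throttle, decisions = LoginThrottle(), []
    for now, account, ip, ok in events:
        decision = throttle.check(account, ip, now)
        if decision == "allow":
            throttle.record(account, ip, ok, now)
        decisions.append(decision)
    return decisions
```

Because the decision is made before the password is checked, a correct guess submitted during a pause is still refused. The pauses escalate before the hard lockout because a lockout also shuts out the legitimate owner of the account.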

Make it so that it can just be decrypted with the key in a specific device.

Two-factor Authentication for everything

Protect more than just payment methods.

The average user shouldn't be concerned about a stranger hacking their account, but about someone they know.

https://github.com/hackappcom/ibrute

So is it safe to use iCloud?

Yes, but...

Send a request; based on the server response, one can tell whether the user-password pair is valid.

  • Use unique password.

  • Set two-factor authentication.

  • Put password on devices.

  • Use latest version of OS

Now we have both username and password!

Citation

Group 1

Marta Méndez Simón

Thomas Zehr

Reefat Alam

  • https://onemonth.com/hacking-olivia-munns-icloud-account
  • http://en.wikipedia.org/wiki/2014_celebrity_photo_leaks
  • http://mashable.com/2014/09/04/i-hacked-my-own-icloud-account/
  • http://mashable.com/2014/08/31/how-safe-is-icloud/
  • http://www.elcomsoft.com/eppb.html
  • https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/
  • http://mashable.com/2014/09/01/celebrity-photo-leak-weak-technology-or-bad-passwords/
  • http://www.zdnet.com/apples-icloud-cracked-lack-of-two-factor-authentication-allows-remote-download-7000022196/
  • http://www.businessinsider.com/apple-icloud-problems-before-nude-celebrity-photo-hack-2014-9
  • http://bits.blogs.nytimes.com/2014/09/04/apple-says-it-will-add-new-security-measures-after-celebrity-hack/
  • https://github.com/hackappcom/ibrute

Questions?

the target URL is constructed by placing the "apple_id".

line 39:

A user agent is created, and a JSON object is created.

Presumably, this information was reverse-engineered by the researchers sniffing the Find My iPhone HTTP traffic.

iBrute

Read passwords and emails from different files:

For the type of targeted attacks performed against celebrities, they already knew the valid e-mail address.

Brute-force Attack

Systematically checking all possible keys or passwords, by entering every single combination of letters, numbers and symbols, until finding the one that works.

The e-mail and password are joined together, and base64 encoded into an authorization header (line 64).

For each apple_ID (email address), the script tries each password, and calls the TryPass method:
