Slashdot Mirror


Mining iPhones and iCloud For Data With Forensic Tools

SternisheFan points out an article that walks us through the process of grabbing data from iPhones and iCloud using forensic tools thought to have been employed in the recent celebrity photo leak. There are a number of ways to break into these devices and services, depending on what kind of weakness an attacker has found. For example, if the attacker has possession of a target's iPhone, a simple command-line toolkit from Elcomsoft uses a jailbreak to bypass the iPhone's security. A different tool can extract iCloud data with access to a computer that has a local backup of a phone's data, or access to a computer that simply has stored credentials.

The discussion also details a method for spoofing device identification to convince iCloud to restore data to a device mimicking the target's phone. The author concludes, "Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device."

85 comments

  1. Last link suspect by SuperKendall · · Score: 2

    The last link (about spoofing device identification) is really just a generic warning about man in the middle attacks.

    Are there published ways to use a man-in-the-middle against iCloud?

    Also normally the backups only activate when the device is plugged in...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Last link suspect by plover · · Score: 1

      It's not really a MITM attack, it's spoofing credentials. It's copying the credential token from machine X, installing it on machine Y, then telling machine Y to connect to iCloud pretending to be machine X, and then downloading all the ancient backups in hopes they contained undeleted and unprotected juicy information.

      In the past people have used "sort-of" MITM attacks* for jailbreaking, specifically to keep your iPhone from "upgrading" itself to the new version of iOS. The jailbreakers had figured out that they could restore from an old version of iOS and jailbreak it, so Apple wanted to stop that. They introduced SHSH blobs that contained your phone's signed version info, and when you wanted to install an old version of iOS from a backup, they would check to make sure you hadn't upgraded to a newer version. So the jailbreakers came up with a program called TinyUmbrella that you would load up with your iPhone's old SHSH blobs, and it would pretend to be the official Apple blob server. You'd modify your hosts file to redirect the Apple server at your local host, run TinyUmbrella, then launch iTunes. When iTunes wanted to restore the user-specified version of iOS, it would request the latest blobs, but TinyUmbrella would deliver them, tricking the phone into staying at its older version of iOS. In more recent versions of iOS Apple required the server to securely exchange the messages so iTunes could no longer be fooled, but this worked through about iOS version 6 or so.

      Of course, this is not a MITM attack against iCloud, but rather against their update process. Still, it was a pretty clever hack.

      * I say "sort-of" because TinyUmbrella did not intercept the blob exchange itself; it only stood in as a phony Apple server for a SHSH blob you had to extract on your own, using another tool.

      --
      John
    2. Re:Last link suspect by tlhIngan · · Score: 1

      It's not really a MITM attack, it's spoofing credentials. It's copying the credential token from machine X, installing it on machine Y, then telling machine Y to connect to iCloud pretending to be machine X, and then downloading all the ancient backups in hopes they contained undeleted and unprotected juicy information.

      You know, if you have access to their PC, doing all that to access their phone seems kinda silly. I mean, you have access to their PC. Just accessing THAT ought to get you juicy information!

      It's sort of like installing a rootkit on a PC ... when there's a nice root shell right there on the screen.

      It's also why some of the hacks are so completely silly. Like those that require you to scam the user's password somehow. Well geez, you don't need many fancy tools once you got their iCloud password! (Of course, it's Apple's fault for letting you get phished, I suppose?)

      Some of the other ones are interesting only in that they jailbreak the phone. Which means if you have a later model phone without a jailbreak, it's a bit problematic

    3. Re:Last link suspect by plover · · Score: 1

      You don't need access to their PC if you have a copy of its credentials (otherwise, yes, it's a lot of effort to dig stuff out of a phone that probably could have come from the PC itself.) But who knows what kind of access you have to their PC? Perhaps you can send a corrosive DLNA packet to iTunes and get the credentials that way. Or maybe a snatch-and-grab phishing attack has only the capacity to send a few hundred bytes before it gets shut down, instead of letting you download all the juicy gigabytes of backup files.

      Attacks don't always have to be directly on the repository of the info; sometimes it's very useful to be able to make them from a distance.

      --
      John
    4. Re:Last link suspect by Rosyna · · Score: 1

      Just a note: iTunes does not store the credentials. In fact, iTunes doesn't need to interact with iCloud at all.

  2. a second credential... by fustakrakich · · Score: 1

    You mean, I would have to spoof twice? Ah well, may as well give up then.

    --
    “He’s not deformed, he’s just drunk!”
  3. That almost smells like... by geekmux · · Score: 2

    "Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device."

    I'm sorry, but this smells a lot like common sense and good security practice.

    In other words, it doesn't stand a chance getting past the don't-bother-me-with-security collective we like to call "smart" phone users.

    1. Re:That almost smells like... by alvinrod · · Score: 1

      You would think that with all the noise they made about their fingerprint reader that they would have an optional two-factor authentication method that uses it in addition to a password. Sure, someone could still get around that too more likely than not, but it makes it a hell of a lot more difficult than just attacking a password or being able to guess it.

    2. Re:That almost smells like... by gnasher719 · · Score: 2

      You would think that with all the noise they made about their fingerprint reader that they would have an optional two-factor authentication method that uses it in addition to a password. Sure, someone could still get around that too more likely than not, but it makes it a hell of a lot more difficult than just attacking a password or being able to guess it.

      Think about it. I buy an iPhone with fingerprint reader. I store top secret information and back it up on iCloud. Then I drop the iPhone into the toilet and it dies, unrecoverable. I go to the store and hand over the cash for a new iPhone. At that point the backup functionality must work. It can't use the fingerprint of my old iPhone, because the new iPhone doesn't have it. All I have is the Apple ID and password.

      What could work is that you enter say your name and passport number (I mean physical passport number), you go to an Apple Store with your passport, iCloud sends a passcode to the store, and they hand it over to you only if they see the passport and it matches.

    3. Re:That almost smells like... by dex22 · · Score: 2

      Yes, but you do still have the same fingertip. Unless you're worried about the common case of losing your phone and your fingertip at the same time.

    4. Re:That almost smells like... by Anonymous Coward · · Score: 0

      But the fingerprint is stored in the "secure enclave" on the chip on the A7 and does not leave the phone. So, while you may have the same fingertip, no one has the electronic version of it.

      Now, if they stored the hash of the required match along with the backup...

    5. Re:That almost smells like... by dex22 · · Score: 2

      If they abstract the fingertip so there's a granular range of maybe 10,000 possibilities, it would have the same security as a 4 digit pin and an attacker would only have a 1:10,000 chance per attempt of hacking the fingerprint. That's within the realm of being anonymous enough to not exclusively identify, yet difficult enough to not easily reproduce. It's also a coarse enough granulation that a person can achieve the same result with their same fingerprint on a new phone.

      It looks like we're in violent agreement ;)

    6. Re:That almost smells like... by gnasher719 · · Score: 2

      Yes, but you do still have the same fingertip. Unless you're worried about the common case of losing your phone and your fingertip at the same time.

      Now you are being stupid. The iPhone doesn't know that it's _my_ fingerprint. It only knows that it's the fingerprint of the person who programmed their fingerprint into the iPhone. So if _I_ can buy a brand new iPhone, program it with my finger print, enter my AppleID and password and perform a restore, then any scammer who knows my AppleID and password can buy a brand new iPhone, program it with his or her finger print, enter my AppleID and password and perform a restore. In other words, this isn't giving any security.

    7. Re:That almost smells like... by Anonymous Coward · · Score: 0

      I think there are (at least) three different issues (and, yes agreement). First, currently Apple does not store the fingerprint abstraction outside the phone, so there is no way to recover the backup with it as it stands just by using the fingerprint.

      Second, if Apple were to store the fingerprint outside the phone, the question is the complexity of it. Apple has said there is approximately a 1 in 50,000 chance of two prints producing a match. So, if you were at an Apple store, with ID (which you would need to replace the phone), your code and the fingerprint, then it seems secure enough for an in person transaction. (I don't have the link for the 1 in 50000).

      Third, there is the case of if someone has a copy of the backup and can brute force it. Here, one would hope that the complexity of the fingerprint would be much greater than 1 in 50,000 plus a passcode. Of course, if it is only a passcode and fingerprint, brute forcing it with a local copy seems trivial. As is well known, once you have the local copy or hardware access, all bets are off unless you have an immense (e.g. 2^120 or more, or even better 2^160 possible combinations),

      So I think a lot depends on the attack vector one is trying to protect against. Ideally sometime in the future, you have a 2^120 ++ complexity everywhere on the encryption and so are protected against most brute force attacks. :-)

    8. Re:That almost smells like... by Anonymous Coward · · Score: 0

      Think about it. I buy an iPhone with fingerprint reader. I store top secret information and back it up on iCloud.

      Well, if you do, you're an idiot.

      The ios ecosystem is all about security theater that looks secure, but is easily crackable.

      Since more people are putting their entire life on their smartphone, you might think that people would be concerned about real security, but they aren't.

      Ooooh! Shiney! New iphone 6!

      Sad.

    9. Re:That almost smells like... by dex22 · · Score: 1

      Indeed.

      It seems contrary of us as an audience to find so much difficulty with solving these problems. Yet at the same time we roundly condemn Apple for their solution that has, so far, worked for over 99.999% of users. It's easy for us to throw stones, but when we look at what they have done and how they can improve it, it turns into a scrappy brawl of slashdottian proportions. :)

      As a peanut gallery, we are a tough crowd ;)

    10. Re:That almost smells like... by mlts · · Score: 1

      That is the only reason why last year I went to the 5S. I was thinking Apple would let apps use it as an authentication tool.

      That way, I could have an app that groks OpenPGP packets, and can allow the private key to be unlocked at the start of the session, while the fingerprint is used to validate that a request for signing/decrypting with the key is one that has some authorization with it. Since the passphrase is cached, the weakened security during that session isn't that great, and it would stop someone who grabbed the phone from being able to do subsequent signatures/decryptions with the stored keys.

      It would also be useful for apps like PayPal which could require a fingerprint scan to confirm a payment or other financial transaction. An attacker who grabs the phone would be hard-pressed to be able to dump PayPal's RAM structure out to grab keys, so it would be "good enough" to keep a phone that didn't lock its screen from being a juicy target.

      I was wrong on those counts, although the fingerprint scanner is a nice shortcut, so I can access the phone without someone shoulder-surfing my PIN.

    11. Re:That almost smells like... by Anonymous Coward · · Score: 0

      What is it with people like gnasher that makes them call normal people "stupid?" Does it help him feel adequate for a minute?

    12. Re:That almost smells like... by tlhIngan · · Score: 1

      by alvinrod (889928) on Thursday September 11, 2014 @10:26AM (#47882185)

      You would think that with all the noise they made about their fingerprint reader that they would have an optional two-factor authentication method that uses it in addition to a password. Sure, someone could still get around that too more likely than not, but it makes it a hell of a lot more difficult than just attacking a password or being able to guess it.

      Except Apple knows fingerprint readers are ineffective for security.

      I mean, the PIN code locks your phone tighter - the fingerprint reader merely unlocks it after the user enters their PIN. Reboot the phone, you need the PIN. Fail fingerprint reader 3 times, you need the PIN.

      And Apple was right - they cracked the TouchID reader within days using common fingerprint reader hacks. (And in the end, the fingerprint reader doesn't add too much - it's about the same strength as the PIN).

      Fingerprint readers are far from foolproof. In fact, they're pretty lousy devices. Apple just used it because it lets people lock their phones with a PIN or a complex password and still have the convenience of being able to quickly glance at information without having to type your PIN or password a thousand times a day. (A lot of people don't use locks because of the inconvenience, so Apple figures that by making it easier to unlock, they can get some security

    13. Re:That almost smells like... by Anonymous Coward · · Score: 0

      Easily crackable? Citation.

  4. Security vs Recoverability by Rich0 · · Score: 3, Insightful

    Apple could go a long way toward protecting customer privacy just by adding a second credential to encrypt stored iCloud data. An encryption password could be used to decrypt the backup when downloaded to iTunes or to the device, or it could be used to decrypt the data as it is read by iCloud to stream down to the device.

    I forgot my iPhone password, and those lousy Apple folks refused to reset it for me. They just said some kind of technobabble about encryption and security. Why did they make iPhones harder to use? Isn't Apple supposed to be easy to figure out?

    You can't have it both ways. I encrypt all my sensitive data that I back up to the cloud, but I also keep copies of the key in safe places so that when my house burns down I don't lose access to my offsite backups along with it. I wouldn't expect the average iCloud user to appreciate the need for this, and neither does Apple, so their backups aren't encrypted.

    1. Re:Security vs Recoverability by Anonymous Coward · · Score: 0

      Encryption is easy and software exists to do it automatically for free. Anyone not protecting their stuff should really reconsider in an age ruled by technology and if they don't well that's on them. Expect to be hacked at some point whether you know it or not and you might just save yourself some embarrassment especially if you're storing selfies online of all places.

      You think people would know this by now we see it over and over, but people won't listen when security experts explain how to maximize security. Nope, they'd rather spend time listening to the news about the people being hacked because that's more interesting. Well until they end up on the news.

    2. Re:Security vs Recoverability by Anonymous Coward · · Score: 0

      A few years ago, I stood behind a guy and a customer service rep in an Apple Store. The guy explained that he had forgotten his password for the encrypted disk feature on OSX (at that time, probably just encrypted home directories). He wanted the rep to reset the machine so he could access the files. The rep told him a flat no and explained that Apple couldn't recover any data for him, and, if they could, that would mean that the encryption was worthless. He took the time to explain this and gave a cogent explanation of why good encryption doesn't have a backdoor.

      This was before Apple did key escrow (which is still voluntary). It was pretty clear at the time that Apple actually wanted to provide security for those who chose to use it, and that their employees were not idiot drones, even if some of the customers were. That was also before PRISM. I wonder how much of Apple's current security policy is designed to comply with NSLs and Law Enforcement access to cloud-hosted data. It's worth noting that encrypted backups of iDevices via iTunes only happen when you choose to back them up locally instead of in the cloud: they do provide an explicit option for avoiding iCloud backups.

    3. Re:Security vs Recoverability by RyuuzakiTetsuya · · Score: 1

      When you connect an iOS device to iTunes, one of the options is "encrypt backup"

      Unfortunately, this option doesn't seem to be available to backups via ios. :(

      (Just checked on my iPhone running ios8 GM)

      --
      Non impediti ratione cogitationus.
    4. Re:Security vs Recoverability by Anonymous Coward · · Score: 0

      iOS encrypts the data on the phone and the contents in iCloud are encrypted as well. But if you have the key, encryption is not going to save you.

    5. Re:Security vs Recoverability by AmiMoJo · · Score: 1

      There are plenty of easy options for recovering from the loss of a device when using 2 factor authentication. Google will let you use other trusted devices for recovery or send an SMS text message to your new phone. Since you will probably want to get a duplicate SIM card with the same phone number anyway your new device could be used to authenticate immediately.

      This is a long solved problem. I have no idea why Apple doesn't do it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Security vs Recoverability by Anonymous Coward · · Score: 0

      Encryption is not easy. Encryption that keeps your kid sister out is easy. Encryption that will stop a government/organized criminal enterprise is a different story. That sort of thing is hard to do right. There's just too many ways to fuck it up. Software bugs, hardware bugs, backdoors, "trusted" code, bad RNGs, timing attacks, state leaks, electromagnetic emissions.... and that's just kicking the can a few feet.

      Encryption is a hard problem and the playing field changes constantly. The average end-user is fucked if they piss off the wrong person or are in the wrong place at the wrong time.

    7. Re:Security vs Recoverability by Rich0 · · Score: 1

      Well, encrypting stuff isn't necessarily hard. What gets hard is managing the keys when you do it competently.

      If you just take somebody's screen lock PIN, hash it, and use it as the key, well, that would be trivial to crack which is why android's built-in encryption is useless.

      Likewise, if you want to keep things secure but allow for users to forget their passphrase, that isn't easy either.

  5. Secondary password... by ByTor-2112 · · Score: 2

    ... would end up being the same as the account password. Or just add a one. Not the answer.

    1. Re:Secondary password... by nine-times · · Score: 1

      ... but what if we added a third password...?

    2. Re:Secondary password... by plover · · Score: 1

      Oh, the fools! If only they'd built it with 6001 hulls! When will they learn?

      --
      John
    3. Re:Secondary password... by nine-times · · Score: 1

      I think that was probably the inspiration for my comment.

  6. Not true. by gnasher719 · · Score: 2

    The discussion also details a method for spoofing device identification to convince iCloud to restore data to a device mimicking the target's phone.

    I checked the link, and it does no such thing. The article is about fake Wifi hotspots. Such a fake Wifi hotspot could of course cause all kinds of trouble (basically it can read WiFi traffic that you thought was encrypted), but it doesn't allow anyone to convince iCloud of anything.

    1. Re:Not true. by nine-times · · Score: 2

      The article is about fake Wifi hotspots.

      I don't think it was even that simple. I didn't read the article in detail because it seemed dumb, but the author seemed to be talking about spoofing a trusted destination for WiFi iPhone backups.

      So if you set up your iPhone to sync over WiFi, and if you connect to a compromised WiFi network, and *if* that network has a machine that manages to spoof the computer that you sync your iPhone to, the iPhone will sync to that computer instead, which might sync sensitive information.

      That's a very special set of conditions, and it's not clear how you would spoof the computer that's serving as a sync destination.

    2. Re:Not true. by AmiMoJo · · Score: 1

      Elcomsoft makes software that spoofs an iPhone. If you know the user's account name and password it can log in to their iCloud account and download stuff not normally accessible to the user, like app data and photos not visible in the web interface.

      Guessing the user name and password is not that hard. A fake WiFi spot can probably gather at least the user name in plain text, and Apple allowed infinite rapid guesses of the password. Once you have one person's account you can get their contact list, and the email addresses are the user names of their accounts.

      The two flaws that lead to this are that you could make infinite guesses at the password and that there is no two factor authentication. Apple has fixed the former but not the latter.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Not true. by nine-times · · Score: 1

      If you know the user's account name and password it can log in to their iCloud account

      And then you're pretty much screwed right there, regardless.

      A fake WiFi spot can probably gather at least the user name in plain text

      I wouldn't bet on that. Apple should be passing credentials over SSL. However, given that the username is the same as your email address, it's not impossible for people to find that out.

      Apple allowed infinite rapid guesses of the password

      Well.... no. They allowed an indefinite number of guesses, or an unlimited number of guesses, but not an infinite number of guesses. It may seem like I'm just being picky with word choice, but if they allowed an infinite number of guesses (somehow) then all of their accounts would be compromised. By allowing an unlimited number of guesses, they only open the door for a given account to be compromised after some kind of investment of time. The investment of time required depends on the quality of the password.

      So if your password is extremely weak, then it might possibly get compromised by a general attack-- trying known user accounts with a small dictionary of passwords. If your password is pretty weak, then it might be compromised by a targeted attack on your specific account. If your password is extremely strong, then a brute force attack is unfeasible.
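
The thread above turns on whether a login endpoint lets a client keep guessing without delay. As an added example (not code from the article, from Apple, or from any poster), here is a per-account throttle with capped exponential backoff and a simulation of how long a fixed list of wrong guesses takes with and without it; the class names, thresholds and the account name are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AccountState:
    failures: int = 0            # consecutive failed attempts
    blocked_until: float = 0.0   # earliest time the next attempt is evaluated


@dataclass
class LoginThrottle:
    """Counts failures per account rather than per client, so changing the
    source address or the endpoint used does not reset the counter.
    All thresholds are assumed values, not taken from any real service."""
    free_attempts: int = 5       # delays start at this many consecutive failures
    base_delay: float = 1.0      # seconds; doubles with each further failure
    max_delay: float = 3600.0    # cap, so the real owner is never locked out for good
    accounts: dict = field(default_factory=dict)

    def delay_after(self, failures):
        if failures < self.free_attempts:
            return 0.0
        exponent = min(failures - self.free_attempts, 32)  # keep the power bounded
        return min(self.base_delay * 2 ** exponent, self.max_delay)

    def attempt(self, account, password_ok, now):
        state = self.accounts.setdefault(account, AccountState())
        if now < state.blocked_until:
            # Rejected before the password is checked. A correct password is
            # refused too, which is why max_delay is capped.
            return "throttled"
        if password_ok:
            self.accounts[account] = AccountState()
            return "ok"
        state.failures += 1
        state.blocked_until = now + self.delay_after(state.failures)
        return "denied"


def time_to_evaluate(throttle, guesses, interval=0.1, account="user@example.com"):
    """Simulated seconds until the last of `guesses` wrong passwords has been
    evaluated for one account, for a client that submits every `interval`
    seconds and waits out each imposed delay."""
    now = last = 0.0
    evaluated = 0
    while evaluated < guesses:
        if throttle.attempt(account, False, now) == "throttled":
            now = throttle.accounts[account].blocked_until
            continue
        evaluated += 1
        last = now
        now += interval
    return last


if __name__ == "__main__":
    guesses = 500  # constructed size for a small password dictionary
    unthrottled = time_to_evaluate(LoginThrottle(free_attempts=10**9), guesses)
    throttled = time_to_evaluate(LoginThrottle(), guesses)
    print(f"no throttling:   {unthrottled:.1f} s")
    print(f"with throttling: {throttled / 86400:.1f} days")
```

With these assumed settings the same 500 guesses go from under a minute to roughly twenty days per account, which matches the point made in the thread: throttling protects weak passwords, while a strong password is out of reach of online guessing either way.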

  7. And the forensic tools... by gnasher719 · · Score: 1

    Take the Elcomsoft tool mentioned. It requires for example "The target's iCloud password—by them volunteering it, through a phishing attack, or by gaining access through other social engineering.".

    These tools don't do anything cryptographically clever. If you have a victim's iCloud password, they are cracked. All this tool does is to make it easy to download all the data and to examine the data, once the account is cracked. It doesn't do anything about the cracking.

    1. Re:And the forensic tools... by Anonymous Coward · · Score: 0

      It explains what they can do when they have iCloud access. It's also scary that the stuff you deleted is still in the backups.

    2. Re: And the forensic tools... by Anonymous Coward · · Score: 0

      No it isn't. Backups always have data that has been removed from the backup source; otherwise they wouldn't be very useful for recovery of lost files. That is why enterprises set maximum retention periods for backups; so that old data on backups go away.

      Now if Apple only let you delete a backup. Oh they do.

  8. Re:No no no... by 93+Escort+Wagon · · Score: 4, Interesting

    Given the exploit requires the installation of a jailbreak, it's not actually going to work unless you already have the user's security code - the device needs to be unlocked in order to install the jailbreak.

    I do think Apple was a bit disingenuous regarding the "bad passwords" used by celebrities, given the iBrute tool apparently was able to keep trying different passwords against Find My iPhone without any sort of delay - a shortcoming Apple apparently fixed a few days back.

    --
    #DeleteChrome
  9. Re:No no no... by nine-times · · Score: 3, Insightful

    I skimmed the article, so I may have missed something, but the attacks that they're talking about generally entail having physical access to the phone, offline access to the phone's backup, phishing for passwords, or WiFi man-in-the-middle attacks *if* you can manage to spoof a computer that the iPhone trusts.

    Which is to say, these aren't tremendous vulnerabilities on Apple's part. An attacker might be able to pull off a brute-force attack on your encrypted password-protected iPhone backup if they have an offline copy, if the password is weak. Well golly! Everyone better stop using their iPhone right away.

  10. All that encryption.... by Anonymous Coward · · Score: 0

    All that crazy encryption and locked down garbage yet it seems to be only protecting Apple's property.

    Jailbreak a phone and they quickly patch the exploit away. Security is to enforce their rights over your device.

    Obviously when the government or law enforcement comes along though all that security just vanishes. Yet the device was sold to you boasting of its security.

    It all appears to be a carefully thought out plan to get people to trust their phones enough to do things with them that they wouldn't do if they didn't think it was secure. It's all a big plan to draw out your secrets into the open by masquerading as a locked diary.

    Wish some of that security was there for the end user......

    1. Re:All that encryption.... by Anonymous Coward · · Score: 0

      I'm not sure what you're smoking buddy, but lay off the conspiracy theory pipe until you've got some proof. Encryption is already a tall order when governments get involved. If you use it blindly and have no idea what the ramifications are, you're going to get shafted sooner or later. Same for trusting other people with your data.

  11. Easier way. Miley's mother's maiden name is Finley by raymorris · · Score: 1

    I just double checked and the same old attack still works on iCloud. If you forget your password, you can reset it in either of two ways. Either they can email you a new password, or you can answer the challenge questions. So let's get into Miley Cyrus's account.

    https://www.google.com/?q=mile...
    Her mother's maiden name is Finley

    https://www.google.com/?q=mile...
    Her first pet was named Cocoa.

    There you go, now we can reset her iCloud password and Miley's naked pictures. [voice style="ben-stein"]Wow[/voice]

  12. this is the body or subject by Anonymous Coward · · Score: 0

    I don't understand the icloud backup option. The cost of the apple icloud data plan is really large and recurring, so backing up my phone would use 32GB for each backup. I don't want to pay apple for that. The lack of security makes it even worse -- mental note... don't copy the iphone backup to box or dropbox ;)

    1. Re:this is the body or subject by Anonymous Coward · · Score: 0

      Cost per month for iCloud backups:
      20GB $0.99
      200GB $3.99
      500GB $9.99
      1TB $19.99

      So, not all that bad. I'd prefer those to be yearly prices, but they'll come down.

      Security is the issue for me.

  13. Re:Easier way. Miley's mother's maiden name is Fin by Anonymous Coward · · Score: 0

    There you go, now we can reset her iCloud password and Miley's naked pictures

    maybe we can reset her password and prevent HER from posting naked miley pictures instead?

  14. Re:No no no... by nine-times · · Score: 4, Insightful

    I do think Apple was a bit disingenuous regarding the "bad passwords" used by celebrities, given the iBrute tool apparently was able to keep trying different passwords against Find My iPhone without any sort of delay - a shortcoming Apple apparently fixed a few days back.

    First, I don't think that it's known that the accounts were compromised with iBrute. People made the connection because the leak happened shortly after iBrute was announced, but there have been many suggestions that the photos had been acquired months or years before that. That makes it pretty unlikely that the accounts were accessed using iBrute. And Apple seems to deny that the accounts were accessed by exploiting "Find My iPhone".

    Second, their comment about "bad passwords" is valid regardless, and would be valid even if the passwords had been accessed through brute force attacks. Brute force attack mitigation is specifically helpful in protecting accounts with weak passwords. If your password is strong enough, a brute force attack should still take a prohibitively long time to succeed.

    From what I've been reading, it seems most likely that only some of these photos came from compromised iCloud accounts, and those accounts were probably not compromised due to an exploit of iCloud's service. There was just a news story about 5 million Gmail passwords being leaked, but it doesn't seem that it was from an exploit of Google's services either. Most likely, they were all acquired by phishing, or other non-technical attacks.

  15. Re:No no no... by Anonymous Coward · · Score: 0

    you are aware that he may be a huge apple fan and just mocking flaws in the thing he loves, right? Remember, if you can't take valid criticism about something you love, it's you that has the problem, not everybody else.

  16. Black Phone by Anonymous Coward · · Score: 0

    If you want security, get a Black Phone. It is brought to us by Phil Zimmermann, the author of PGP.
    https://www.blackphone.ch/ - And it costs less than an iPhone6!

  17. Pub quizzes! by blueshift_1 · · Score: 1

    I feel like the age of the security question is slowly becoming more obsolete due to the sheer amount of facts of our lives that are made public (also any question that revolves around your favorite x is subject to change, making it incredibly difficult to answer these questions if the configuration was done a few years in the past). Either that or they have to become more obscure/tricky. Like in the way that pub quizzes have had to become more clever to prevent people cheating with their smart phones. Which would, again, make it even more challenging for even the right person to answer the question.

  18. Apple should answer... by Ronin+Developer · · Score: 2

    to the fact that items thought deleted were showing up in the backups. That, to me, is the most disturbing part of this story. Yes, I READ BOTH articles. The second one, as others noted, was focused on WiFi spoofing. The first detailed the use of forensic tools to access the information in the backups.

    Of course, to gain access to any of this information, the author had to have physical access to the phone and jailbreak the device as well as knowing the iCloud password. And, the exploits he discussed were against older hardware and the obsolete iOS 5.1. He had no success against iOS 7 on the iPhone 5s.

    As I stated earlier, knowing that so much still existed AFTER supposedly deleting it (such as mailboxes, pictures, call history) is a real issue and one that needs to be publicly addressed by Apple.

    1. Re:Apple should answer... by gnasher719 · · Score: 1

      There is some evidence that the data was collected over a long time. It is quite possible that data was stolen long before it was deleted.

      And yes, it is entirely possible to think you deleted photos and they are in a backup. Or not actually a backup, but just stored in iCloud. If you take tons of photos with multiple devices, you can store them all in iCloud. But you will for example remove lots of photos from your 16GB phone but keep them on your 128GB tablet. So if you delete photos from your phone, they are intentionally kept so you can restore them again. And of course the intent of a backup system is among other things to keep data that was deleted by mistake - how can iCloud know if you deleted something by mistake or not?

    2. Re:Apple should answer... by macs4all · · Score: 1

      And of course the intent of a backup system is among other things to keep data that was deleted by mistake - how can iCloud know if you deleted something by mistake or not?

      This.

      That is precisely why I have set our work backup software to not erase "Deleted" files from our backups. Instead, the backup software just sends me a reminder every month to review the deleted files (which I will do when storage-space or backup-time becomes a problem). Until then, it is pretty cheap insurance against tears...

    3. Re:Apple should answer... by Anonymous Coward · · Score: 0

      This data dump was a collection of images over years from different sources. This has been documented many times, why are you having a hard time understanding? I suppose you think celebrities had fake nudes of themselves too. You have a brain, start using it.

  19. Clueless Apple by koan · · Score: 0

    goto fail;
            goto fail;

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Clueless Apple by macs4all · · Score: 1

      goto fail; goto fail;

      So you design a better, practical system.

    2. Re: Clueless Apple by Anonymous Coward · · Score: 0

      Cry, fanboi. Apple's days are numbered; their products are cheap commodities behind the Android curve.

    3. Re: Clueless Apple by macs4all · · Score: 1

      Mike Dell; is that you?

      You do realize, of course, just how ridiculous you sound at this point?

  20. Device spoofing by Hamsterdan · · Score: 1

    People were doing that in the late '80s/early '90s with analog cell phones, so nothing new here. Once you have physical access it's mostly game over...

    But why didn't FindMyiPhone time out after, let's say, 3 or 5 attempts? That's just sloppy...

    --
    I've got better things to do tonight than die.
    1. Re:Device spoofing by Anonymous Coward · · Score: 0

      Because the thief could lock out that feature preventing the actual owner from using it.

    2. Re:Device spoofing by Hamsterdan · · Score: 1

      Timeout, not lock out.

      --
      I've got better things to do tonight than die.
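
The "timeout, not lock out" distinction drawn in the comments above, as an added example that is not part of the original thread: a per-account throttle that delays further guesses after repeated failures instead of disabling the account, run on a simulated clock. The class name `LoginThrottle`, the account name and all parameter values are assumptions made for illustration.

```python
class LoginThrottle:
    """Per-account timeout (not lockout): each failure past a small free
    allowance doubles the wait before the next guess is even evaluated.
    Hypothetical illustration; all parameter values are assumptions."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=3600.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay      # cap, so the owner is never shut out for good
        self._state = {}                # account -> (failures, next_allowed_time)

    def delay_for(self, failures):
        if failures < self.free_attempts:
            return 0.0
        return min(self.base_delay * 2 ** (failures - self.free_attempts),
                   self.max_delay)

    def next_allowed(self, account):
        return self._state.get(account, (0, 0.0))[1]

    def attempt(self, account, password_ok, now):
        failures, next_allowed = self._state.get(account, (0, 0.0))
        if now < next_allowed:
            return "throttled"          # rejected unevaluated; not counted as a failure
        if password_ok:
            self._state.pop(account, None)   # success clears the history
            return "ok"
        failures += 1
        self._state[account] = (failures, now + self.delay_for(failures))
        return "denied"


def guesses_in_window(throttle, account, window_seconds):
    """Count wrong guesses that get evaluated when the client retries at the
    earliest permitted instant (simulated clock, no real sleeping)."""
    now, count = 0.0, 0
    while now <= window_seconds:
        throttle.attempt(account, False, now)
        count += 1
        # Guard: while no delay applies yet, still advance the clock slightly.
        now = max(throttle.next_allowed(account), now + 0.001)
    return count


if __name__ == "__main__":
    print(guesses_in_window(LoginThrottle(), "constructed-account", 86400))
```

With these assumed settings only a few dozen guesses per account are evaluated in a day, while the owner's correct password is delayed by at most `max_delay` and then accepted, which resets the counter.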
  21. Re:No no no... by _xeno_ · · Score: 1

    From what I've been reading, it seems most likely that only some of these photos came from compromised iCloud accounts, and those accounts were probably not compromised due to an exploit of iCloud's service.

    As I understand it (and I may be wrong), the accounts were accessed by abusing the "forgot my password" service. Resetting someone's Apple account password on them is notoriously easy, and it would make sense that's the way the hackers did it. I thought they didn't blame "weak passwords" so much as they blamed "weak security question answers" that the "hacker" guessed the answers to.

    Then again, I may be misremembering or misreading the stories, I'm not sure if the actual details have been made public.

    --
    You are in a maze of twisty little relative jumps, all alike.
  22. Re:No no no... by nine-times · · Score: 1

    As I understand it (and I may be wrong), the accounts were accessed by abusing the "forgot my password" service.

    I hadn't heard this exactly, but Apple's public statement did include a mention of security questions. Their statement was pretty vague. They say that there was "a very targeted attack on user names, passwords and security questions".

    Still, that's not really an exploit of iCloud's service. If they chose security questions that someone could find the answer to, I wouldn't consider that an iCloud exploit. I do think that the use of security questions should be reevaluated, but they're a pretty standard practice these days. Even if someone forces a reset of your password, under normal circumstances you should notice that the password has changed the next time you log in.

  23. Mining Data With Forensic Tools by grep+-v+'.*'+* · · Score: 1

    Once your data leaves your direct physical possession, it's no longer yours.

    You either better hope that you're not interesting or any encryption lasts for the lifetime of the data, neither of which is forever.

    What was the saying a decade or so ago? "Don't publish it if you don't want to see it on the front page of tomorrow's newspaper."

    (For you youngsters: "Newspaper", noun: a massively printed and delivered blog written by multiple people that other people paid for.)

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    1. Re:Mining Data With Forensic Tools by Anonymous Coward · · Score: 0

      This concept is difficult for Millennials. They see a phone and say, "but it IS in my possession! See, it's right here!". Insert facepalm.

      We moved past the golden age of needing to know what the fuck you were doing. (There's a sure sign I'm getting old and crotchety myself. Goddamnit.)

  24. allow myself to introduce...... myself by thatshortkid · · Score: 1

    using forensic tools.

    --
    The IRS is the one organization that you don't want to fuck with. Remember, these are the guys who took down Al Capone.
  25. Re: Easier way. Miley's mother's maiden name is Fi by Anonymous Coward · · Score: 0

    Talk about your low hanging fruit.

    I know it's a theoretical exercise but getting naked pictures of Miley Cyrus is more easily achieved by just hanging around Miley Cyrus with a camera. Or letting people that already hang around Miley do that.

    Please choose a better example.

  26. Apps can use reader in iOS8 by SuperKendall · · Score: 1

    That is the only reason why last year I went to the 5S. I was thinking Apple would let apps use it as an authentication tool.

    iOS8 provides for exactly that.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  27. Arstechnica is slipping.... by Anonymous Coward · · Score: 0

    The arstechnica article is rubbish.

    They used a 4 year old iPhone 4 running 3 year old iOS 5 and installed a jailbreak on the phone while it was already unlocked after putting in the 4 digit passcode.

    Then they used some software to brute force a hash for a 7 character dictionary password.

    Absolute trash article. Surprised to see it here on slashdot.

    The only valid point they make in the massive 4,000 word article is that if you trust a PC when connecting your phone - that PC gets keys that can be used to talk to your phone. So you need to make sure that the PC is encrypted and/or not stolen by attackers.

  28. Not any more by SuperKendall · · Score: 1

    Except now when you try that MLC gets an email saying someone is requesting her password to be recovered, and can just change it.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  29. Re: Did they use forensic tools at all? by garryknight · · Score: 0

    "using forensic tools to grab data from iPhones and iCloud using forensic tools" The words "Yo, dawg!" spring to mind...

    --
    Garry Knight
  30. after the party,when it's too late by raymorris · · Score: 1

    One night, I change her password. I log into her account, and download everything. She's twerking while I do this. I can either parlay this to email access or run the same attack against Gmail. I use the access to her email to reset every other password she has - Facebook, etc. If I want to, I can use her iCloud credentials to lock her out of her phone for a while. The next morning, she reads her email and finds out that I reset her password - but only if I haven't deleted that email, while I was setting her account to forward a copy of all future emails to me.

  31. Re:No no no... by Fnord666 · · Score: 1

    Still, that's not really an exploit of iCloud's service. If they chose security questions that someone could find the answer to, I wouldn't consider that an iCloud exploit. I do think that the use of security questions should be reevaluated, but they're a pretty standard practice these days. Even if someone forces a reset of your password, under normal circumstances you should notice that the password has changed the next time you log in.

    What people don't seem to understand is that you don't have to answer those security questions honestly. It just has to be something that you will remember or something that you can store in your password manager application.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  32. Re:No no no... by nine-times · · Score: 1

    Also, if you're famous and you're going to answer those questions honestly, it probably isn't so smart to use questions like "What city were you born in?" or "What was the name of your high school?" That information is probably available on your Wikipedia page.

  33. Re: No no no... by jerkychew · · Score: 1

    That's not entirely true. There's a way to jailbreak a locked iPhone by booting into DFU mode and replacing the key chain with a clean one. Then you can jailbreak it as if it were an unlocked iPhone. The downside to this method is that you can't harvest any of the encrypted logins and passwords stored on the device, but you do gain access to the user section of the filesystem.

  34. Re:No no no... by jerkychew · · Score: 1

    This is incorrect. If you boot the iPhone into DFU mode, you can replace the device's keychain and then jailbreak it from there. This method means you won't be able to decrypt any of the stored passwords on the phone but you do gain access to the user portion of the filesystem.

  35. Re:No no no... by david_thornley · · Score: 1

    The worst thing about answering security questions honestly is that other people can get the information. The second worst thing is that I can never remember what I actually wrote. First pet? I remember that cat distinctly, and can tell lots of stories about him. His name changed over time, as different people called him different things. First address? There's several ways to write it (not to mention that it acquired a zip code while I lived there). I can't remember which way I used.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  36. Cool by Claire617 · · Score: 1

    Cool