Wired has an interesting article that discusses how sensitive celebrity photos may have been leaked from iCloud backups. The article describes using a password guessing tool called iBrute that leverages a flaw in "Find My iPhone" infrastructure to brute force a user's iCloud username and password. Once the iCloud credentials are obtained, attackers can use the forensics tool Elcomsoft Phone Password Breaker (EPPB) to impersonate an iPhone and download the entire iCloud backup, which includes not only photos, but texts, email, and much more sensitive information.
Apple has apparently fixed the "Find My iPhone" flaw that allows iBrute to guess iCloud passwords (it now times out after 5 attempts). And there is currently an investigation into the data leaks. In the meantime, if you're an iCloud user, it might be a good idea to setup two-factor authentication, and make sure that you're using a unique, hard-to-guess password. Also, don't do stupid things with your smartphone.
UPDATE: Tim Cook addresses iCloud security issues and promises increased security and account activity notifications.
Also, Ars Technica has a great article that details some real-world testing they did trying to crack their own devices using some of the techniques mentioned above.
Just because you have a smartphone, doesn't mean you're smart.
ReplyDelete