A few days ago, we received the following communication from an obsessed password researcher and our long-standing friend (quoted with his permission):
There are reports in some of the largest newspapers here in Norway of teenagers (or young male adults) hacking Apple accounts of teenage girls through the “lost password” function by correctly answering the reset questions such as the victims’ names and birthdates. I’ve found at least one who is using Elcomsoft Phone Password Breaker to illegally download and extract images & videos of teenage girls like this, and then offering them for sale online.
Due to laws and regulations, it is hard for the police to investigate these cases (logs that connect people to IP addresses are only stored for 21 days at ISPs here).
Relevant news stories (in Norwegian, use Google Translate):
Example forum where this is being discussed:
Perhaps I could get a statement from you/Elcomsoft on this, and that you/I will offer our assistance to the Norwegian police if needed?
This news is disturbing. We are always concerned when our products end up in the wrong hands. Elcomsoft has worked in IT security for more than 15 years, and it has always been our aim to explain hidden pitfalls to users; we also assist law enforcement in their workflow, both with our tools and with our advice.
However, the bad guys can also take advantage of available tools, including tools made by our company. We have to admit that once you let the genie out of the bottle there is no way back.
We are concerned and very disappointed with what has happened in this particular case. If only we could, we would be happy to help users safeguard their iCloud accounts against this type of attack. Unfortunately, Apple has an inherent problem at the level of account-holder authentication, so there is actually very little that can be done except not using iCloud at all or supplying fake registration details to Apple.
iCloud stores huge amounts of information. Access to this information is granted either to iOS devices linked to the account or to anyone who uses a Web browser and supplies the correct Apple ID and password. There is, of course, transport layer security (HTTPS), and only three attempts to enter a password are allowed before the account is locked, but this is no more than any other service does. Here at ElcomSoft, we strongly believe that outsourcing the storage of personal information to a cloud carries significant risks, and it is essential for the consumer to understand exactly what those risks are. Many corporations with strict security policies already ban cloud storage services such as Apple iCloud from their networks (IBM, for example).
As for Elcomsoft Phone Password Breaker, the tool is most definitely not intended for committing crime. Using it requires the correct user credentials (Apple ID and password) and/or the device itself in order to access the data. Unfortunately, it is difficult to stop intruders from exploiting the same tools that are available to forensic and law enforcement customers for extracting as much data as they can.
In this particular case, what seems to be happening is that teenage hackers use their classmates’ names, dates of birth and answers to “secret” questions to “recover” (or, actually, reset) their iCloud passwords. This type of attack is called “social engineering”, and it does not take much for teenagers to guess (or simply know) the answers to teenage girls’ “security” questions.
Given how this is done, the usual advice of “choosing a long, complex password” and “not sharing it with strangers” will not help, as the vulnerability targeted here lies in the way Apple authenticates account holders.
Our recommendations are as follows. iPhone and iPad users should do the following from the very beginning:
- Avoid using iCloud services to back up information from the phone. As ElcomSoft has demonstrated multiple times, information stored in iCloud is NOT secure and is prone to eavesdropping and spying without the user even knowing.
- Choose secure verification questions *and* provide unexpected or illogical answers. This makes it difficult for anyone to “recover” your password by guessing the right answer.
- Choose a secure device password, a long and complex one, NOT a 4-digit passcode, which can be cracked within half an hour; the longer the password, the better. Train your memory if you want to keep your privacy! Brute-forcing a long device password is very slow, which is a real problem for the intruder.
- Choose a secure Apple ID password, long and complex. Never key in your Apple ID on laptops and computers you don’t trust, and even if you do, make sure the computer is totally under your control, which in practice means never leaving it unprotected or unattended.
- Choose login names that aren’t obvious, i.e. not your name and surname in any of their variations. This makes them harder to guess.
- Never use the same password as the one protecting your email account!
- Link your Apple ID account only to an e-mail account that is also protected with a secure password and control questions with unexpected answers.
- Never re-use passwords; this is extremely dangerous today, when new databases of passwords are made public after every new hack.
- Do not jailbreak your iPhone unless you clearly understand all the consequences. Why would you willingly make it less secure?
- Finally, do not use iCloud.
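As an added illustration of the second recommendation above (example code written for this post, not Elcomsoft’s or Apple’s logic), here is a small heuristic that rates a reset-question answer against the facts a classmate would already know about the account holder; the sample profile, the date formats and the thresholds are constructed assumptions.

```python
import re
from datetime import date

# Constructed sample profile: the kind of facts a classmate knows or can look up.
SAMPLE_PROFILE = {
    "first_name": "Anna",
    "last_name": "Hansen",
    "birthdate": date(1996, 5, 14),
    "city": "Bergen",
}


def _known_facts(profile):
    """Strings an acquaintance could produce from the profile without any guessing."""
    facts = {profile[k].lower() for k in ("first_name", "last_name", "city")}
    b = profile["birthdate"]
    # Assumed common ways a birthdate gets typed as a "secret" answer.
    for fmt in ("%d%m%Y", "%d.%m.%Y", "%Y", "%d%m%y", "%d%m"):
        facts.add(b.strftime(fmt))
    return facts


def _normalize(s):
    """Lower-case and strip punctuation/spaces so '14.05.1996' == '14051996'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def assess_answer(answer, profile):
    """Return (verdict, estimated_guesses) for a reset-question answer.

    Heuristic used here (an assumption, not a standard): an answer that is or
    contains a known fact is reachable in a handful of guesses; a short numeric
    answer such as a year has a tiny guess space; only a long answer unrelated to
    the profile is rated 'strong'.
    """
    norm = _normalize(answer)
    facts = {_normalize(f) for f in _known_facts(profile)}
    if not norm:
        return ("weak", 1)
    if norm in facts or any(f in norm for f in facts if len(f) >= 4):
        return ("weak", len(facts))            # anyone who knows the victim gets it
    if norm.isdigit() and len(norm) <= 4:
        return ("weak", 10 ** len(norm))        # e.g. a year: at most 10,000 tries
    guesses = 36 ** len(norm)                   # rough space for letters + digits
    return ("strong" if guesses >= 2 ** 40 else "fair", guesses)
```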
We regularly hear that most people care about security only when it touches the financial side of their lives. However, in today’s age of information technology, losing one’s identity may lead to a chain of further harms, as a lot of information is interconnected and its threads run to numerous endpoints that are not always securely protected. Unfortunately, security and convenience do not go together, so you have to strike a balance between the two.