Latest iCloud crack can't beat a good password

You've likely read about iDict, a very publicly released cracking tool designed to compromise iCloud accounts using brute-force techniques--techniques that try a series of passwords in quick succession in the hope of finding the correct one. According to reports, the vulnerability was patched by Apple within a few days. (Apple has declined to comment, however.)

The developer released the code without providing details in advance to Apple, which is unusual. The standard practice is to disclose this information privately in order to give a company time to patch the vulnerability.

iDict relied on what the author claimed was a "painfully obvious" problem with how Apple dealt with repeated password failures through a particular URL. This kind of issue is similar to reports that came out after last summer's iCloud "hack," which involved a combination of unthrottled password attempts against iCloud and attempts to answer security questions based on celebrities' biographies and other sources.

The iDict developer claimed it bypassed "secondary authentication," which doesn't appear to be a two-step verification hack, but rather a method that allowed the attacker to avoid answering security questions. The tool should now be ineffective as the developer's code-repository page says that Apple has enabled "rate limiting"--a process that tracks the number of queries from a given source or for a given account, and clamps down when a limit is hit.

The anatomy of an attack

But how exactly did it work? Let's examine this attack, your risk of exposure, and what Apple should be doing (but may not be).

iDict and similar remote attacks without special knowledge rely on three elements: a way to perform excessive tests of passwords for an individual account; a way to bypass triggering an account lockout, throttling to reduce queries, or alerts to let the account's owner (or Apple) know that an account is being attacked; and a weak password (and sometimes also weak security questions).

By having a strong password associated with an account--and preferably one that's unique to that account--you bypass nearly all of the risk of having an account hacked through brute force methods, whether through a URL exploit like the one iDict found, or when password files or databases are stolen and cracked over time.

Despite the incompetence at Sony, which allowed IT and other personnnel to store unencrypted passwords in files named "Password," most sites encrypt passwords through a one-way hashing algorithm that transforms the plain text into something that's impractical to decipher. There are weaknesses in an older algorithm--which is still in use out of laziness and lack of updates--that could allow a government agency or criminal enterprise trying to crack individual account passwords to succeed. More sensible sites employ stronger methods.

If you pick a weak password, brute force techniques allow captured, encrypted passwords to be tested with home-computer equipment against billions of passwords per second--yes, per second. In those weakest cases, finding one password match also allows the attacker to find all accounts that use the same password. (What's a strong password? Either make it very long--15 to 20 characters--or it should be a gibberish mix of letters, numbers, and punctuation.)

In the iDict exploit, however, there's no way to get the encrypted form of the password. Instead, the software tests passwords one at a time and, despite no apparent throttle on queries previous to Apple patching the flaw, the code has to wait for Apple's authentication server to reply to each attempt before testing the next.

iDict came with a list of a few hundred default passwords that meet Apple's minimum requirements for an Apple ID (see the image above). These could be added to (or modified by) anyone using the code. Making these short lists even more dangerous, it's possible for hackers to chain attacks. Plus, using passwords extracted from people's accounts on other services, they can attempt to break an Apple ID with an iDict-like exploit using passwords that might have been used by the same person. (Because Apple IDs are email addresses--except for those legacy accounts set up years ago--they allow for easy matching.)

If you're using any password on that list, or anything similar, change it immediately. Better still, if you haven't already, also enable two-step verification (and make sure you know how to find your Recovery Key in the future).

The other two elements required for an iDict attack to work are under the control of Apple, and it concerns me that, after years of running online authentication servers, the company still has these vulnerabilities. Every publicly reachable URL that deals with authentication, password recovery, and the like should have been tested by Apple long ago--and should be routinely tested as updates are rolled out to ensure throttling, monitoring, and notification are still functioning. If all the detals around iDict are accurate, Apple needs to step up its game.

Real world, real problems

I tweeted about iDict after it was released, and shortly thereafter my Apple ID account was locked down for security concerns. This is likely because someone used the iDict software and my Apple ID to see if they could crack my account. Fortunately, I have both a strong password and two-step verification enabled. And, having just written about issues of finding a Recovery Key, I knew just where it was, restored my account access, and reset the key.

Separately, late in 2014, I received a couple of reports about Apple ID or iCloud details being changed in password-protected accounts without any notification or other alerts. In one case, the user's address and phone number were swapped, but apparently to an account used by someone who had nothing to do with the change. If you've had a similar mystery occur, get in touch so I can gather more details.

Glenn Fleishman is the author of Take Control of Your Apple Wi-Fi Network, about configuring and securing your wireless network. He is a regular contributor to Boing Boing and The Economist, and a senior contributor to Macworld.

Join the CSO newsletter!

Error: Please check your email address.

Tags Applehackpasswordssecurity

More about AppleSony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Glenn Fleishman

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place