Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
- Thread starter MacRumors
- Start date
- Sort by reaction score
Immediately logged into my Apple ID to fortify my security settings after this. There were 2 devices still authorised to receive 2-step ID's that I no longer own.
You never know.
Again, having 2 factor authentication on does not matter. You can access iCloud backups without a need to authenticate other than with a username/password. This is the whole problem. Apple 2-factor authentication has serious loopholes because they don't always require it.
----------
Again, not true. As has been reported in many places, some of Apple's servers allowed brute force password attacks and did not lock you out. So all a hacker really needed as a username and they could run a script to figure out the password.
Screen grabs are what the scripts do
The scripts are very powerful. They basically give the criminal an over the sholder view of what the user is doing.
There should be a way of preventing this type of attack but let's let Apple get some help on this one.
After all they don't write the underlying UNIX stuff.
The scripts are very powerful. They basically give the criminal an over the sholder view of what the user is doing.
There should be a way of preventing this type of attack but let's let Apple get some help on this one.
After all they don't write the underlying UNIX stuff.
If you already got the password, even 2 factor authentication does not help.
It just another password called security code: It's constant
And it's worst because people keep a copy of it.
Or do you want to check you phone for the code for every iTunes purchase you do, every find my iPhone function, open every iCloud-supported software (Including but not limited to iWork, Photos, iLife), and every Photo you take?
I mean, we can do that as opt in, but no one will use it until its too late.
So the real problem is this brute force attack. Making the verification pop up on every task is not the solution.
Apple has to patch this brute force hack. I honestly didn't even know they have this problem. Usually it locks your account after a number of fails.
I was simply responding to the article and the steps that were posted on here to get your password can be avoided by 2-step verification.
According to the article, Apple said that they patched the "Find My iPhone" brute force attack vulnerability and iBrute was not a factor. My question to that response would be, when did they patch the vulnerability and did the attackers use some other brute force technique other than iBrute?
No, they just guessed their security questions as mentioned by another poster who showed us the steps they used. So if Brute force is patched, and you enable 2-step verification, your password should be safe.
Just tried the step suggested by these guys.
Well, the security questions are really dumb! I entered an e-mail address of a friend and entered the birthday. Then I was asked: what is your hometown? WTF everybody knows this guy's hometown!I didn't go any further but it made me very worried about my security questions. I'd better enter some password like stuff in the answer fields.
I forget what Apple has for security question options but an often offered question is make or model of your first car. This is what I choose for the question because I use a completely fictitious make and model so the odds are very slim that any hacker will guess what I made up. Another option that is easy to remember is for the hometown question, spell it backwards. You always know your hometown and so may someone else but will they think of spelling it backwards?
Have a good password, tell nobody, and invent security answers--and you are, as of today, safe. One-factor security.
But Apple can provide MORE than that, and more easily, and they must do so. For ALL entry vectors. Every company needs to improve on this, and Apple doesn't get a free pass any more than any other vendor.
Just be glad we don't also have Android malware to face.
End game: put TouchID in Macs and we won't have to TOUCH the Internet in any way not gated by fingerprint. (Yes, someone can rebuild your fingerprint if they stalk you in real life, and have a enough time, money, and specialized equipment. But can they do so BEFORE you notice the device is gone and remote wipe it? Very unlikely. Easier to just threaten you and make you give them anything they want. No security protects against that. Meanwhile, no hack will get people inside one of Apple's chips' secure enclaves, where things more sensitive even than your backup may soon reside....)
But Apple can provide MORE than that, and more easily, and they must do so. For ALL entry vectors. Every company needs to improve on this, and Apple doesn't get a free pass any more than any other vendor.
Just be glad we don't also have Android malware to face.
End game: put TouchID in Macs and we won't have to TOUCH the Internet in any way not gated by fingerprint. (Yes, someone can rebuild your fingerprint if they stalk you in real life, and have a enough time, money, and specialized equipment. But can they do so BEFORE you notice the device is gone and remote wipe it? Very unlikely. Easier to just threaten you and make you give them anything they want. No security protects against that. Meanwhile, no hack will get people inside one of Apple's chips' secure enclaves, where things more sensitive even than your backup may soon reside....)
I just posted a blog entry about this very thing. It appears I am not the only that feels this way.
Lots of victim blaming up in here. That's what you get with anonymity I guess.
I guess I'm ahead of the game since I have 2 step enabled, I don't keep iCloud backups in the cloud, and I keep my computer password protected so people don't see my private material.
I guess I'm ahead of the game since I have 2 step enabled, I don't keep iCloud backups in the cloud, and I keep my computer password protected so people don't see my private material.
Nice little read here. I guess we can say "You're locking it wrong." is the new "You're holding it wrong." catch phrase for the year. Classic Apple stuff folks.
http://www.ibtimes.com/apples-blame...oto-breach-wont-fix-its-trust-problem-1676436
"This is a distinction that customers dont care about. They will hear, in effect, Its not our fault hackers guessed your password. This blame-the-user mentality is reminiscent of the 2010 release of iPhone 4. The phones antenna was exposed externally, and gripping the phone a certain way might cause your call to disconnect. Apple dismissed loads of complaints with what became a party line amounting to a joke: Youre holding it wrong.
This is 2014s Youre holding it wrong. Blogger Michael Arrington thinks this is a big problem going forward. Even if Apple fixes the problem, or has fixed the problem with the patch they just released, theyre still screwed, The damage, the massive damage, has already been done. Because everyone now understands that their phones arent secure. Even things they thought they deleted are vulnerable. Thats something that will haunt Apple for a decade.
http://www.ibtimes.com/apples-blame...oto-breach-wont-fix-its-trust-problem-1676436
"This is a distinction that customers dont care about. They will hear, in effect, Its not our fault hackers guessed your password. This blame-the-user mentality is reminiscent of the 2010 release of iPhone 4. The phones antenna was exposed externally, and gripping the phone a certain way might cause your call to disconnect. Apple dismissed loads of complaints with what became a party line amounting to a joke: Youre holding it wrong.
This is 2014s Youre holding it wrong. Blogger Michael Arrington thinks this is a big problem going forward. Even if Apple fixes the problem, or has fixed the problem with the patch they just released, theyre still screwed, The damage, the massive damage, has already been done. Because everyone now understands that their phones arent secure. Even things they thought they deleted are vulnerable. Thats something that will haunt Apple for a decade.
What truly matters is that you feel good about yourself because of your superiority.
Its called using the same username & password for all your internet logins. All it takes is for one internet account to be compromised, so that lets all your accounts being compromised. That is up to the user to ensure this method is not used against him. If not, its his own fault.
Does it. The article suggests this is merely a suggestion of how the hack might have happened, not confirmed knowledge.
----------
Guessing you don't use iCloud backups. Two step requires a working iphone that can receive SMS messages. But you log into and load an iCloud backup before SMS is possible.
Sites such as techcrunch are mimicking what's been written here: that 2FA would not have stopped this attack. But, I feel pretty sure trevorbsmith has laid it out correctly. 2FA would stop such an attack insofar as the hackers are just using social engineering to find answers to your security questions... which is what it sounds like they were probably doing.
If that's not right, can anyone explain why?
----------
it makes the title quite misleading, that's what. "Terrorists attack New York" and "Terrorists may attack New York" is the same one word, but it makes for a pretty different headline, doesn't it?
For every iUser that understands this there are 100 more that don't get it. Face it; this is Apples target audience, the walking clueless. It's why people prefer iProducts because their easy to use and just works. Apple does not want to make it hard or confuse people. Otherwise 2 Step verification would have been mandatory a very long time ago.
It's also the same reason why kids were able to buy $100's of in app purchases for the longest time. Make it easy to spend money. Apple is not dumb, they know exactly what their doing.
At the end of the day Apple will be forced to do 2 step verification and automatic lock out after the dust settles.
I don't think we are getting the same conclusion. The hackers are getting the persons ID AND password somehow, someway. Then they are getting someone's backup using their ID AND password (or resetting them). This isn't a security hole. This is a feature overlook. But yes, needs to be fixed.
Just tried the step suggested by these guys.
Well, the security questions are really dumb! I entered an e-mail address of a friend and entered the birthday. Then I was asked: what is your hometown? WTF everybody knows this guy's hometown!
Indeed.
I use fake answers and not always in English. Like "what is your hometown" might be Atlantis. "What was the model of your first car?" Hot air balloon. Written in Klingon. And so on.
I loved when system let me create my own questions. For my question I might put something like "stroking a cat" and the answer is biscuits. The logical progression between the two is something I will remember but not even my friends are likely to figure out and a random stranger wouldn't.