Sunday, September 7, 2014

Selling your Security: Crashing the Cloud Party

In the wake of the celebrity photo hacks that were brought to light last week, many consumers have been left wondering just how secure their data is. If celebrities as big as Jennifer Lawrence could have the records of their most personal moments leaked online for everyone to see, whats to stop the same from happening to you or me? The majority of the photos leaked originated from the Apple iCloud accounts of the victims, which prompted a quick response from the company, who stated that "none of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone."

While the company insists that there was no breach of the service, the real issue is that it was not necessary to breach the service through some back door or other manipulation; the methods used were not simple, but they're freely available. The breach of the personal data on iCloud arises from a combination of two easily accessed pieces of software, iBrute,  released by security researcher Alexey Troschichev, and Elcomsoft Phone Password Breaker, sold by the Russian security company of the same name.  The first, publicly available on github, brute-forces passwords based on a since patched flaw in the Find my iPhone software allowing it to input thousands of guesses at once, as long as you have an iCloud account name. After a user obtains a password, Elcomsoft's software impersonates an iPhone and downloads a complete backup of a users iCloud account, as long as the proper credentials are used.

The issue here isn't the fact that celebrity nudes were leaked. While it certainly is tragic that their privacy was violated in such a public matter, whether by a jilted lover, unscrupulous assistant, or a hacker who ascertained the correct password for an online account, this sort of fiasco has happened many times over, although certainly not to quite the same extent. Apple plans to use its cloud service with its new batch of devices to tie everything you do, on your phone, tablet, or mac, together as a cohesive experience. The real problem is that cloud storage, attempting to place itself into such as a central role in people lives, could be so completely violated. If every piece of your digital persona can be stolen, why should you trust anything to companies offering this service?

Companies selling "security" tools like Elcomsoft complicate the situation even more. Advertised as a tool for forensic specialists, the wording shows it to be a rather spurious claim, "Online backups can be acquired by forensic specialists without having the original iOS or Windows 8 Phone device in hand." No credentials are needed when purchasing the the $399 software, and copies circulate all over torrent websites. And every day, security firms are looking for new ways to exploit these services so they can sell tools to governments and law enforcement agencies looking to access your information.

This leaves any concerned person wondering whether they should trust any of their information to cloud services. As the leaks and exposure of these pieces of software show us, our entire digital lives can be violated with almost no effort or knowledge of the processes involved. The unfettered access to your information anywhere you want makes using the cloud an attractive prospect. In the end, it comes down to your level of trust in those you use to host your information to; whether they work to keep your information private, constantly looking to combat any possible exploit, or if they only address problems once they appear. Use of the cloud has taken over, we as consumers of these services just have to decide if the risk of having everything exposed is worth having it available anywhere and everywhere.

The Police Tool That Pervs Use to Steal Nude Pics From Apple’s iCloud
iBrute
Elcomsoft Phone Password Breaker

1 comment:

  1. It seem that with every new software that is developed, other people work just as hard to find vulnerabilities in said software. It seems like in this day and age we should not expect anything we store online to be "private". There will always be someone somewhere who has access to it, and all it takes is a couple of people to break into a piece of software for a massive leak like this to happen.

    As unfortunate as the situation was for those whose privacy was invaded, my hope is that this serves as a lesson for people to get a bit more educated about the risks that are out there with cloud storage.

    ReplyDelete