There are new concerns that the iCloud hack that caused numerous celebrities’ sensitive photos to be leaked on the Web could allow hackers to target the service in an attempt to gain access to privileged government information.
Once the hack was made public in early September, cybersecurity experts began pointing to a weakness in Apple’s “Find My iPhone” feature and to a technique for exploiting it known as iBrute. The method allows hackers to make thousands of password attempts without being locked out of the device. The tool was designed by security researcher Alexey Troshichev and uses brute-force tactics to cycle through numerous guesses to crack a victim’s code.
Along with iBrute, another hacking tool has been making the rounds of shady online forums like Anon-IB, where users admit to using a type of hacking software known as Elcomsoft Phone Password Breaker to surreptitiously obtain data from victims’ iCloud backups. The tool was created by Elcomsoft for use by law enforcement officials to find information on suspects’ phones, but is available for sale online and does not require law enforcement credentials to be purchased.
When cybercriminals combine the use of iBrute to obtain credentials with EPPB, they are able to impersonate a victim’s phone and have access to its full iCloud backup instead of the more restricted information available on iCloud.com. In an interview with Wired, security researcher and forensic consultant Jonathan Zdziarski noted that the desktop application for iCloud allows hackers using the EPPB tool to download the device’s entire backup as a single folder. This gives cybercriminals the ability to access application data, contacts, videos and even text messages, posing a major problem for government workers using the iCloud service on their personal phones.
Lack of knowledge causing security concerns
According to NextGov, many government agencies fear their employees lack awareness of the services they’re using. In the case of iCloud, the program’s default is to automatically save users’ information over Wi-Fi on a daily basis. And Apple isn’t the only provider with these kinds of programs – some Android devices also automatically sync device information to cloud storage sites like Dropbox. If these default settings aren’t turned off, government employees could be unknowingly storing sensitive agency information in their vulnerable cloud accounts when they work from their personal devices, possibly allowing cybercriminals to access GPS coordinates to secure facilities, work documents or wireless device configurations.
NextGov contributor Aliya Sternstein noted that the federal agencies she spoke to all had policies in place that blocked the use of iCloud on government-owned devices, but that still leaves information vulnerable on employees’ personal devices. The best course of action for organizations worried about sensitive information being compromised is to implement two-factor authentication on all mobile devices, whether government or personally owned. This security technique provides a second layer of defense against cybercriminals by requiring multiple forms of identification before allowing access to privileged files. Data encryption is another reliable method for keeping information secure. Encrypted files can only be read by those with a specific decryption code, ensuring that even if sensitive data is stolen, it can’t be deciphered by the thieves.