Recent reports about hacked celebrity iCloud accounts seem to be attributable to a vulnerability in iOS’ Find My iPhone service which enabled someone trying to gain access to an iCloud account to use a brute force attack to guess the account password. A brute force attack involves guessing a large number of possible passwords until the correct one pops up and grants access. Apple usually rate limits password attempts (in other words, Apple’s software imposes a limit on the number of password attempts before locking the account or device – something an iPhone or iPad user with small children will be familiar with). That security feature doesn’t seem to have been implemented properly, but Apple has reportedly since patched the vulnerability.
As The Next Web reported earlier today, the attack may be linked to software on GitHub called iBrute that is capable of carrying out automated brute-force attacks against iCloud accounts. In this scenario, an attacker simply guesses a password again and again until they succeed. While tedious and time-consuming for a person, it’s a simple and vastly faster process for a computer.
The as-yet unknown attacker had one other thing going for him: Apple allows an unlimited number of password guesses. Normally, systems limit the number of times someone can try to log in to a system with an incorrect password before the account is locked down entirely. Apple has since fixed that aspect of the vulnerability.
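To make the missing control concrete, here is an added example (my own illustration, not Apple’s code or iBrute) of the kind of per-account attempt limiter that a login endpoint is expected to enforce. It runs a constructed list of guesses against a constructed account (the address, password and guess list are all made up for the demo) twice: once with the limiter effectively switched off, which is the failure mode described above, and once with a five-attempt lockout.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout.

    max_failures: failed attempts allowed inside `window` seconds before lockout.
    lockout: seconds the account stays locked once the limit is hit.
    clock: injectable time source (monotonic seconds) so behaviour is testable.
    """

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(list)  # account -> timestamps of recent failures
        self._locked_until = {}             # account -> time at which the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        return until is not None and self.clock() < until

    def record_failure(self, account):
        """Log a failed attempt; returns True if this failure triggered a lockout."""
        now = self.clock()
        recent = [t for t in self._failures[account] if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True  # a lockout is worth an alert in its own right
        return False

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle, verify_password, account, password):
    """Consult the throttle *before* the credential check, so a locked account
    never reaches the password verifier at all."""
    if throttle.is_locked(account):
        return "locked"
    if verify_password(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"


def simulate_guessing(max_failures=None):
    """Replay a constructed dictionary of guesses against a constructed account.

    max_failures=None disables the limit (every guess is checked and the last,
    correct one succeeds).  With a limit, the account locks after that many bad
    guesses and the remaining guesses are never verified.
    Returns (result of the final attempt, number of guesses actually verified).
    """
    fake_clock = [1000.0]
    store = {"alice@example.com": "correct-horse"}  # constructed account
    verified = [0]

    def verify(account, pw):
        verified[0] += 1
        return store.get(account) == pw

    guesses = ["123456", "password", "qwerty", "letmein", "iloveyou", "correct-horse"]
    limit = max_failures if max_failures is not None else len(guesses) + 1
    throttle = LoginThrottle(max_failures=limit, window=300, lockout=900,
                             clock=lambda: fake_clock[0])
    result = None
    for guess in guesses:
        result = attempt_login(throttle, verify, "alice@example.com", guess)
        fake_clock[0] += 0.01  # scripted guesses arrive milliseconds apart
        if result == "ok":
            break
    return result, verified[0]


if __name__ == "__main__":
    print("no limit:", simulate_guessing())          # ('ok', 6)
    print("5-attempt lockout:", simulate_guessing(5))  # ('locked', 5)
```

One caveat a practitioner will want: a hard per-account lockout is itself abusable, since anyone who knows a username can lock its owner out by sending bad passwords. Real deployments usually combine a modest per-account counter with per-source rate limiting, progressively longer delays instead of a flat lock, and alerting on lockouts, which is also the signal that would have shown an attack like this one in the logs.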
Assuming this was the nature of the hack which exposed the celebrities’ account data, iCloud users can probably protect their accounts from similar attacks by enabling what Apple calls “two-step verification” (also known as “two-factor authentication”). I came across two terrific tutorials for enabling two-step verification:
- Macworld’s post titled “How to set up two-factor authentication for iCloud”;
- TechnoFYI has a great step-by-step post and video titled “How to set up Apple two-step verification”.
Here is the TechnoFYI video tutorial:
Two-step verification protects your accounts by requiring you to supply a unique code, usually delivered to a device you own by SMS or produced by a code generator of some kind. It is a good idea to enable two-step verification (often referred to as “two-factor authentication”) wherever your service or app supports it, because a guessed password alone is then not enough to get in, so a brute force attack on the password cannot succeed on its own.
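The “code generator” most authenticator apps use is time-based one-time passwords (TOTP, RFC 6238, built on HOTP from RFC 4226). The following is an added example of my own, not Apple’s or Google’s implementation, showing how such a code is derived from a shared secret and the current 30-second window, how the server verifies it with a small clock-drift tolerance, and why the server must also refuse to accept the same window twice. The secret is the published RFC test key, and the `SecondFactor` class, `drift` parameter and account handling are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_from_base32(text):
    """Authenticator apps exchange the shared secret as base32 (the QR code payload)."""
    return base64.b32decode(text.upper().replace(" ", ""))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter taken from the current time window."""
    return hotp(secret, int(unix_time) // step, digits)


def match_totp(secret, submitted, unix_time, step=30, digits=6, drift=1):
    """Return the window counter the submitted code matches, or None.

    Windows from -drift..+drift around the current one are accepted so a phone
    whose clock is slightly off still works.  Every window is compared with
    hmac.compare_digest and the loop never short-circuits, so timing does not
    reveal which digits were wrong or which window matched.
    """
    if not (isinstance(submitted, str) and submitted.isdigit() and len(submitted) == digits):
        return None
    counter = int(unix_time) // step
    matched = None
    for delta in range(-drift, drift + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            matched = candidate
    return matched


def verify_totp(secret, submitted, unix_time, step=30, digits=6, drift=1):
    return match_totp(secret, submitted, unix_time, step, digits, drift) is not None


class SecondFactor:
    """Per-account verifier (assumed structure) that also blocks code replay:
    a window that has already been used to log in is never accepted again,
    so a code intercepted over SMS or shoulder-surfed cannot be reused."""

    def __init__(self, secret, step=30, digits=6, drift=1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self._last_counter = -1

    def check(self, submitted, unix_time=None):
        unix_time = time.time() if unix_time is None else unix_time
        counter = match_totp(self.secret, submitted, unix_time,
                             self.step, self.digits, self.drift)
        if counter is None or counter <= self._last_counter:
            return False
        self._last_counter = counter
        return True


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890") in base32 form.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    print("code at T=59:", totp(secret, 59))  # 287082 per RFC 6238 (6-digit form)
    sf = SecondFactor(secret)
    print("first use:", sf.check("287082", 59), "replay:", sf.check("287082", 60))
```

The point for the brute force scenario above: even with unlimited password guesses, an attacker who lands on the right password still faces a six-digit code that changes every 30 seconds and is only accepted for a window or two, and the verifier can rate limit code attempts exactly as it should rate limit passwords.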
TechnoFYI also has a useful video tutorial on enabling two-factor authentication on a Google account:
Other services which support two-factor authentication include –