5.
In reviewing months' worth of forum posts, image board posts, private emails, replies to requests for services, etc., nowhere was the Find My iPhone API brute force technique (revealed publicly and exploited in iBrute) mentioned. This doesn't mean that it wasn't used privately by the hackers, but judging by the skill levels involved, the mentions of and tutorials around other techniques, and some of the bragged-about success rates with social engineering, recovery, resets, RATs and phishing, it appears that such techniques were either not necessary or never discovered.
6.
iCloud is the most popular target because Camera Roll backups are enabled by default and the iPhone is a popular platform. Windows Phone backups are available on all devices but are disabled by default (they are frequently enabled, although I couldn't find a statistic), while Android backup is provided by third-party applications (some of which are targets).
7.
Apple accounts seem particularly vulnerable because of the recovery process, the password requirements, and the ability to detect whether an email address has an associated iCloud account. The recovery process is broken up into steps, and each step passes or fails on its own. While Apple does not reveal whether an email address is a valid iCloud address as part of the recovery process, it does reveal this if you attempt to sign up for a new account using the same email, so verification (or brute-force enumeration of addresses) is simple. The second step verifies the date of birth and passes or fails on that data alone, so it can be guessed separately, while the last step is the two security questions. Because each field is confirmed independently, the attacker's work is the sum of the guesses for each field rather than the product.

It would be a good idea for Apple to kill the interface on signup that tells new users whether their email address is available to use as an iCloud account. It would also be a good idea to make the recovery process one big step in which all data is validated at once and the user is not given a specific error message. It would also be wise to attach rate limits and a strict lockout to this process on a per-account basis, so the limit cannot be sidestepped by changing source address.

Being able to POST an email address to https://appleid.apple.com/account/validation/appleid and get back a response indicating whether it is a valid account or not, with little to no rate limiting, is a bug: it is a user-enumeration oracle.
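To make the recovery-flow point concrete, here is an added example (my own illustration, not Apple's code or anything recovered from the forums) that models the stepwise oracle described above beside a single-step flow with a per-account lockout, and runs the same guess lists against both. The account data, guess lists, class names and the lockout threshold are all constructed for the demonstration.

```python
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    """Constructed sample account (not real data)."""
    email: str
    dob: str            # YYYY-MM-DD
    answers: tuple      # two security answers
    failures: int = 0   # per-account failed recovery attempts (hardened flow only)


ACCOUNTS = {
    "alice@example.com": Account("alice@example.com", "1985-07-14", ("fluffy", "springfield")),
}
# Dummy record so an unknown address costs the same comparisons as a real one.
DUMMY = Account("", "0000-00-00", ("", ""))


def _eq(expected: str, guess: str) -> bool:
    """Case-insensitive, constant-time comparison so timing does not leak a partial match."""
    return hmac.compare_digest(expected.strip().lower().encode(), guess.strip().lower().encode())


class StepwiseRecovery:
    """Models the flow described above: each step passes or fails on its own data,
    so address, date of birth and answers can be confirmed independently, and
    there is no per-account attempt limit."""

    def check_email(self, email: str) -> bool:
        return email in ACCOUNTS          # the same fact the signup page reveals

    def check_dob(self, email: str, dob: str) -> bool:
        acct = ACCOUNTS.get(email)
        return acct is not None and _eq(acct.dob, dob)

    def check_answers(self, email: str, a1: str, a2: str) -> bool:
        acct = ACCOUNTS.get(email)
        return acct is not None and _eq(acct.answers[0], a1) and _eq(acct.answers[1], a2)


class SingleStepRecovery:
    """Hardened flow: all fields are submitted together and all are checked on every
    attempt; the caller only ever sees 'ok' or 'failed'; failures are counted per
    account (not per source IP) and the lockout is indistinguishable from a wrong guess."""
    MAX_FAILURES = 5   # constructed threshold for the demonstration

    def recover(self, email: str, dob: str, a1: str, a2: str) -> str:
        acct = ACCOUNTS.get(email)
        target = acct if acct is not None else DUMMY
        # '&' rather than 'and': evaluate every comparison so timing is uniform.
        ok = _eq(target.dob, dob) & _eq(target.answers[0], a1) & _eq(target.answers[1], a2)
        if acct is None or acct.failures >= self.MAX_FAILURES:
            return "failed"               # unknown and locked accounts look identical
        if ok:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        return "failed"

    def is_locked(self, email: str) -> bool:
        """Server-side view only; a locked state should be cleared out of band
        (e.g. via the account's email), never by the party making the requests."""
        acct = ACCOUNTS.get(email)
        return acct is not None and acct.failures >= self.MAX_FAILURES


def attack_stepwise(svc: StepwiseRecovery, email, dob_candidates, answer_candidates):
    """Confirm the account, then try dates until one passes, then answer pairs.
    Returns the number of requests used, or None. Attempts add up, not multiply."""
    attempts = 1
    if not svc.check_email(email):
        return None
    for dob in dob_candidates:
        attempts += 1
        if svc.check_dob(email, dob):
            break
    else:
        return None
    for a1, a2 in answer_candidates:
        attempts += 1
        if svc.check_answers(email, a1, a2):
            return attempts
    return None


def attack_single_step(svc: SingleStepRecovery, email, dob_candidates, answer_candidates):
    """Same guesses against the hardened flow: every combination must be submitted
    together, and the per-account lockout stops it after MAX_FAILURES tries."""
    attempts = 0
    for dob in dob_candidates:
        for a1, a2 in answer_candidates:
            attempts += 1
            if svc.recover(email, dob, a1, a2) == "ok":
                return attempts
    return None


# Constructed guess lists: the correct date is the 5th entry, the correct answer pair the 3rd.
DOB_GUESSES = [f"1985-07-{d:02d}" for d in range(10, 20)]
ANSWER_GUESSES = [("rex", "springfield"), ("fluffy", "shelbyville"),
                  ("fluffy", "springfield"), ("max", "springfield")]

if __name__ == "__main__":
    print("stepwise attempts:", attack_stepwise(StepwiseRecovery(), "alice@example.com", DOB_GUESSES, ANSWER_GUESSES))
    hard = SingleStepRecovery()
    print("single-step result:", attack_single_step(hard, "alice@example.com", DOB_GUESSES, ANSWER_GUESSES))
    print("account locked:", hard.is_locked("alice@example.com"))
```

Against the stepwise oracle the attacker succeeds in 1 + 5 + 3 requests; against the single-step flow the same 40 combinations never succeed because the account locks after five wrong submissions, and an unknown address returns the same "failed" as a locked one.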
7. a) To reiterate, the main bugs being exploited here, roughly in order of popularity / effectiveness, are:
Password reset (secret questions / answers)
Phishing email
Password recovery (recovery email account hacked)
Social engineering / RAT install / stolen authentication tokens
7. b)
Once they have access to the account they have access to everything: they can locate the phone, retrieve SMS and MMS messages, recover deleted files and photos, remote wipe the device and more. The hackers here happen to focus on private pictures, but they had complete control of these accounts for a period.
8. Authentication tokens can easily be stolen by a trojan (or obtained through social engineering) from a computer with iTunes installed. Elcomsoft provides a tool called atex which does this. On OS X the token is stored in the keychain. The authentication token is as good as a password: it is sufficient to pull the account's iCloud backups.
9. Two-factor authentication for iCloud is useless in preventing a password or authentication token from being used to extract online backups. Apple's two-step verification is only applied when managing account details (My Apple ID) and making changes or purchases from a new device; it is not required to download a backup, so a stolen password or token is enough on its own.