The unauthorized access, download, and eventual dissemination of personal photographs of celebrities from Apple’s iCloud might have been the result of exploiting an iCloud vulnerability; Apple prefers that this not be called a ‘bug.’ This vulnerability allowed a hostile party to crack a user’s iCloud password by attacking the (default) four-digit iCloud Security Code (iCSC), which is used to retrieve and store a user’s iCloud keychain onto a new device. (For background info see Dave Lewis’s Forbes report at this link.)
The foundation behind this vulnerability was posted publicly on GitHub, and was released by Andrey Belenko and Alexey Troshichev in their presentation “iCloud Keychain and iOS 7 Data Protection” at the Russian Defcon Group DCG#7812. Their slides, hosted on SlideShare, can be accessed here via link and are embedded below:
The critical vulnerability is summarized in slide 48. Because the iCSC (the official Apple description is listed here) is short by default (only four digits) it can be guessed by an attacker.
If iCloud users opt to use a custom Complex Security Code, and provided they employ a reasonably long and hard-to-guess code, security is much improved (a random iCSC can also be used, which provides serious security, but then again the user will certainly have to copy down the random iCSC somewhere). Instructions for setting up a complex code can be found here. In addition, adding two-step verification is always helpful. Apple’s instructions for doing this can be found at this link.
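To make the point in the two paragraphs above concrete, here is an added example (not code from the original post, from the slides, or from Apple) that compares the keyspace of a four-digit numeric iCSC against longer and complex codes, and checks each against an online guessing budget under a lockout policy. The lockout figures (attempts per window, time horizon) are assumptions chosen for illustration and are not Apple’s documented policy; the example generalizes beyond the four-digit case by also computing the minimum code length a given alphabet needs to outlast a guess budget.

```python
"""Keyspace and guess-budget comparison for iCloud Security Code (iCSC) policies.

Added example, not code from the original post or from Apple. It models the
point made above: a four-digit numeric code has so few possible values that
an attacker who can submit guesses will exhaust it, while a longer complex
code does not. All lockout numbers below are constructed assumptions.
"""
import math
import string

# Alphabets used for the comparison (constructed for this example)
DIGITS = string.digits                          # 10 symbols
ALNUM = string.ascii_letters + string.digits    # 62 symbols
ALNUM_SYMBOLS = ALNUM + string.punctuation      # 94 symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random code: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def expected_guesses(space: int) -> int:
    """Average number of guesses needed to hit a uniformly chosen code:
    roughly half the keyspace."""
    return (space + 1) // 2


def guesses_allowed(attempts_per_window: int, window_hours: float,
                    horizon_hours: float) -> int:
    """Guesses an online attacker can submit under a lockout policy that
    permits `attempts_per_window` tries per `window_hours`, over a horizon."""
    windows = math.floor(horizon_hours / window_hours)
    return attempts_per_window * windows


def resists_online_guessing(alphabet_size: int, length: int,
                            attempts_per_window: int, window_hours: float,
                            horizon_hours: float) -> bool:
    """True when the expected guesses needed exceed what the policy permits."""
    budget = guesses_allowed(attempts_per_window, window_hours, horizon_hours)
    return expected_guesses(keyspace(alphabet_size, length)) > budget


def minimum_length(alphabet_size: int, guess_budget: int) -> int:
    """Smallest code length over the alphabet whose expected guesses exceed
    the budget; this is the defender's sizing question for a code policy."""
    length = 1
    while expected_guesses(keyspace(alphabet_size, length)) <= guess_budget:
        length += 1
    return length


# Constructed policies: (label, alphabet size, length)
POLICIES = [
    ("4-digit numeric (default iCSC)", len(DIGITS), 4),
    ("6-digit numeric", len(DIGITS), 6),
    ("8-char alphanumeric", len(ALNUM), 8),
    ("12-char alnum+symbols", len(ALNUM_SYMBOLS), 12),
]

# Constructed lockout assumption: 10 attempts per hour, attacker persists a year
ATTEMPTS_PER_WINDOW = 10
WINDOW_HOURS = 1.0
HORIZON_HOURS = 24 * 365


def main() -> None:
    budget = guesses_allowed(ATTEMPTS_PER_WINDOW, WINDOW_HOURS, HORIZON_HOURS)
    print(f"Assumed online guess budget over one year: {budget}")
    for label, alpha, length in POLICIES:
        ok = resists_online_guessing(alpha, length, ATTEMPTS_PER_WINDOW,
                                     WINDOW_HOURS, HORIZON_HOURS)
        print(f"{label:32s} entropy={entropy_bits(alpha, length):6.1f} bits "
              f"expected_guesses={expected_guesses(keyspace(alpha, length)):.3e} "
              f"resists={ok}")
    print(f"Minimum numeric length for this budget: {minimum_length(10, budget)}")
    print(f"Minimum alphanumeric length for this budget: {minimum_length(62, budget)}")


if __name__ == "__main__":
    main()
```

Note what the numbers say: without any lockout the budget is effectively unbounded and only keyspace matters, which is exactly why a four-digit code is exposed; with a lockout the code still has to be long enough that its expected guesses exceed what the policy lets through, and two-step verification adds a factor that guessing the code alone cannot satisfy.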
It is a bit too soon to know if indeed this was the actual vulnerability exploited. But the good ole’ rule holds: always use a long secret as a password or key, and a combination of words and digits.