The recent publicity surrounding A-list celebrities having private pictures from their iPhones put on public display for all to see just serves to highlight, once again, the downside of the ‘Cloud Computing’ model we are all being encouraged to adopt.
This was an iCloud hack, so the pictures were only accessible because the celebrities concerned had synchronised their iPhone with iCloud. But isn’t that what most of us do? That’s the whole point of it, isn’t it?
What they wouldn’t have known was that, only 24 hours before the pictures appeared, a so-called ‘vulnerability’ in the Apple ‘Find-my-iPhone’ app had been published on a public forum. It effectively pointed out that the service would allow multiple attempts to ‘guess’ a password, making it susceptible to an automated brute force dictionary attack.
Now, you probably know that all you need to access your iCloud files is your Apple ID (your registered email address is usually sufficient) and your password. If the password isn’t strong enough it could be ‘guessed’ by such a brute force attack, and your email address is already common knowledge.
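The weakness described above is the absence of any limit on failed guesses. The following is an added example, not code from the original post or from Apple: a small login front end that counts failures per account inside a sliding window and temporarily locks the account once the limit is reached. The policy numbers, the account name and the guess list are all constructed for the illustration. The simulation shows that a dictionary run is cut off after five evaluated guesses, never reaches the correct password even though it is in the list, and that the rightful owner can still log in once the lockout expires.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Lockout policy. These numbers are assumed for the example, not Apple's.
MAX_FAILURES = 5           # failures tolerated inside the window
WINDOW_SECONDS = 15 * 60   # sliding window for counting failures
LOCKOUT_SECONDS = 15 * 60  # how long a locked account refuses all logins


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class FakeClock:
    """Controllable clock so the simulation below is deterministic."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class LoginThrottle:
    """Per-account sliding-window failure counter with a temporary lockout."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked_until = {}              # account -> unlock time

    def is_locked(self, account):
        until = self._locked_until.get(account)
        return until is not None and self._clock() < until

    def record_failure(self, account):
        now = self._clock()
        window = self._failures[account]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()          # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            window.clear()

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


class AccountStore:
    """Minimal user database wired to the throttle."""
    def __init__(self, throttle):
        self._users = {}
        self._throttle = throttle

    def add_user(self, account, password):
        self._users[account] = hash_password(password)

    def login(self, account, password):
        """Returns 'locked', 'ok' or 'bad'. A locked account is refused before
        the password is compared, so guesses made during the lockout reveal
        nothing about whether they were right."""
        if self._throttle.is_locked(account):
            return "locked"
        salt, stored = self._users.get(account, (b"", b""))
        _, candidate = hash_password(password, salt)
        if stored and hmac.compare_digest(candidate, stored):
            self._throttle.record_success(account)
            return "ok"
        self._throttle.record_failure(account)
        return "bad"


# Constructed guess list; the account's real password sits at position 8.
GUESS_LIST = ["password", "123456", "qwerty", "letmein", "iphone",
              "welcome", "monkey", "sunshine", "football", "dragon"]
ACCOUNT = "victim@example.invalid"   # constructed, not a real address


def simulate_dictionary_attack():
    """Runs the guess list against one account and reports how many guesses
    the server actually evaluated, whether the account is now locked, whether
    the correct password was ever accepted, and whether the rightful owner
    can log in once the lockout has expired."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    store = AccountStore(throttle)
    store.add_user(ACCOUNT, "sunshine")
    evaluated, found = 0, False
    for guess in GUESS_LIST:
        result = store.login(ACCOUNT, guess)
        if result == "locked":
            continue                  # refused without checking the password
        evaluated += 1
        found = found or result == "ok"
    locked = throttle.is_locked(ACCOUNT)
    clock.now += LOCKOUT_SECONDS + 1  # wait out the lockout
    owner_ok = store.login(ACCOUNT, "sunshine") == "ok"
    return {"evaluated": evaluated, "locked": locked,
            "found": found, "owner_ok_after_lockout": owner_ok}


if __name__ == "__main__":
    print(simulate_dictionary_attack())
```

Two details matter for the defence. The lock check happens before the password comparison, so a locked account gives the same answer to right and wrong guesses; and the comparison uses `hmac.compare_digest`, which does not leak how many bytes matched through its timing. A production service would also alert on the lockout event, since a burst of failures against one account is exactly the signal that this kind of attack is under way.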
Voila! Open sesame!
The vulnerability was, in fact, patched by Apple within 24 hours of the pictures appearing, effectively closing the door to future iBrute attacks. But that was too late for some.
So, what are the two lessons to be learned from this?
Firstly, if you don’t want certain files to become public property, then don’t put them on the Cloud in the first place.
Secondly, if, as is likely, you find the convenience of being able to access your own files from virtually anywhere so compelling that you are going to put them up there anyway, then at least ensure you have them protected by a very good, strong, unique password.
Ideally this would be a completely random set of characters containing numbers, upper-case and lower-case letters, and some special punctuation characters such as : . * ( & @ £ " #, for example. It should also be at least 10 characters long, and the longer the better. And it should contain no words, recognisable parts of words, or names.
Believe me, if it’s random enough and long enough, brute force attacks, like iBrute, will not ‘guess’ it in several of your lifetimes.
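To put numbers behind the advice above, here is an added example (not code from the original post) that generates a password of the recommended kind with a cryptographic random source and works out how long an exhaustive search would take at two assumed guess rates. The symbol set extends the characters the post lists with other common keyboard symbols, and both guess rates are assumptions for illustration; the arithmetic itself is the standard entropy estimate for characters chosen independently and uniformly.

```python
import math
import secrets
import string

# Character classes following the post's recommendation. The symbol set is an
# assumption: the characters the post lists plus other common keyboard symbols.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = ":.*(&@\"#£!$%^)-_=+[]{};'<>,?/|~"
FULL_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length=16):
    """Draws each character uniformly from the full alphabet using the
    secrets module (a CSPRNG, unlike random.choice) and redraws until all
    four classes are present. The redraw costs under one bit of entropy at
    lengths of 10 or more."""
    if length < 10:
        raise ValueError("the post recommends at least 10 characters")
    while True:
        pw = "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
            return pw


def entropy_bits(length, alphabet_size):
    """Entropy of a password whose characters are chosen independently and
    uniformly from an alphabet of the given size."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """An exhaustive search finds the password after half the space on
    average, i.e. 2**(bits-1) guesses."""
    return 2 ** (bits - 1) / guesses_per_second


def seconds_to_years(seconds):
    return seconds / (365.25 * 24 * 3600)


# Guess rates are assumptions for illustration: a throttled online service
# versus an attacker who has stolen the hash and can test it offline.
RATES = {"online, throttled (10/s)": 10, "offline, hashed (1e10/s)": 1e10}

# Constructed password profiles: the first two are the kind a dictionary or
# short brute force attack is built for, the last two follow the post's advice.
PROFILES = {
    "8 lower-case letters": (8, len(LOWER)),
    "8 letters + digits": (8, len(LOWER + UPPER + DIGITS)),
    "10 chars, all classes": (10, len(FULL_ALPHABET)),
    "16 chars, all classes": (16, len(FULL_ALPHABET)),
}


def crack_time_table():
    """Expected years to find each profile at each assumed guess rate.
    Random passwords only: a single word from a 100,000-word list carries
    about 17 bits of entropy however long it is, so these figures do not
    apply to it."""
    table = {}
    for name, (length, size) in PROFILES.items():
        bits = entropy_bits(length, size)
        table[name] = {"bits": round(bits, 1)}
        for rate_name, rate in RATES.items():
            table[name][rate_name] = seconds_to_years(
                expected_crack_seconds(bits, rate))
    return table


if __name__ == "__main__":
    print("example password:", generate_password(16))
    for name, row in crack_time_table().items():
        times = "  ".join(f"{k}: {v:.3g} y" for k, v in row.items() if k != "bits")
        print(f"{name:24s} {row['bits']:6.1f} bits  {times}")
```

The table makes the post's two points concrete. Eight lower-case letters fall to an offline search in seconds, while sixteen random characters from the full alphabet give over 100 bits and an expected search time far beyond any human lifetime at ten billion guesses per second. The estimate only holds for passwords that really are random; anything built from words gets the entropy of the word list, not of the character set, which is why the post rules out words and names.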