Sunday, September 7, 2014

I Was Wrong (2-Factor Edition)

You'd have had to be living under the metaphorical rock if you haven't heard about the latest celebrity nude photo scandal. There have not really been many reactions; a handful of responses were quickly standardized and echoed between the THIS IS A HORRIBLE ACT BY HORRIBLE PEOPLE group and the THEY GOT WHAT THEY DESERVED SHOW ME THE BOOBZ group.

Nuanced exploration of the issues is apparently not a strong point for most online people.

The theft of the images is a case study of many issues. It's an invasion of privacy. Celebrity culture. What are people entitled to know or not know about public figures. Cognitive dissonance from people condemning the image sharing as theft before going back to playing a pirated game or watching stolen movies. Exploring the revelation that one of the images was taken of...and by...an underage celebrity, so are they in possession of child pornography as well?

The list goes on but there is only one aspect I'd like to review here. When this happened there were initially several reports about the "hack." How did it happen? Was it a breach in iCloud security?
Slowly details came out. While few were reluctant to admit it, it sounded like the celebrities in question basically had crap passwords coupled with security questions that were answered with information that people could find online. The thieves guessed passwords and logged in as legitimate users to get the data.

"You dumbasses," I thought. "You're stalked by fans and paparazzi all the time. Plus having your embarrassing pictures was publicized when Scarlett Johansson had her pictures stolen a few years back. Why the hell didn't you use 2-factor to protect your stuff?"

I've gone over 2-factor before, but in a common implementation, when an unrecognized device tries to log into your account and correctly enters a username and password, a token is sent to a designated "known good" device. The service gives you a limited time to enter that token or else it rejects the attempt.

Lots of parrots will reflexively reply that it's victim-blaming to say they should have had this enabled if they didn't want their stuff stolen. There is almost a need to not acknowledge that the tools to better secure information exist and there are risks to participating in certain activities; we must maintain a victim status, that these people had absolutely no control in stopping this with reasonable forethought placed on security.

Short of not taking the pictures in the first place, this was just inevitable!

As it turns out there is a grain of truth to this. Apple has two-factor authentication, much like most other big online companies. But Apple's implementation is seriously, seriously flawed. It doesn't cover the method believed to have been used to get access to the photo stream and dump images as a backup.

In other words these people could have done everything "right" and still have this happen.
An article on TechCrunch states that
  • iCloud backups
  • Find my phone data, and
  • Documents stored in the cloud
...are not protected by 2-factor.

So I was very wrong in this case.

Oversimplified, things that can end up costing you money like purchases on iTunes would trigger notification. Apple apparently wanted to keep 2-factor as a credit card protection. Attempts to access your data? Not so protected.
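The token flow and the coverage gap described above, as an added example that is not part of the original post and not Apple's implementation: a small Python model of a time-limited token sent on login from an unrecognized device, with a per-service table deciding where that token is actually demanded. The account dict, the service names, the two policy tables and the 300-second window are assumptions made for illustration.

```python
import hmac
import secrets

TOKEN_TTL = 300  # seconds a token stays valid (assumed value)

# Coverage as the post describes it: only the purchase path demands the token.
DESCRIBED_POLICY = {"itunes_purchase": True, "icloud_backup": False,
                    "find_my_phone": False, "cloud_documents": False}
# Corrected policy: every service requires the second factor.
HARDENED_POLICY = {service: True for service in DESCRIBED_POLICY}


def start_login(account, password, device, now):
    """Check the password; for an unrecognized device, issue a token."""
    # Constructed demo compares plaintext; a real service stores a salted hash.
    if not hmac.compare_digest(password, account["password"]):
        return None
    session = {"trusted": device in account["trusted_devices"],
               "second_factor": False, "token": None, "expires": 0}
    if not session["trusted"]:
        # A real service would push this to the known-good device.
        session["token"] = f"{secrets.randbelow(10**6):06d}"
        session["expires"] = now + TOKEN_TTL
    return session


def verify_token(session, token, now):
    """Accept the token once, and only inside its validity window."""
    ok = (session["token"] is not None and now <= session["expires"]
          and hmac.compare_digest(token, session["token"]))
    session["token"] = None  # single use, whether or not it matched
    session["second_factor"] = session["second_factor"] or ok
    return ok


def authorize(session, service, policy):
    """Default-deny: services missing from the policy need the token too."""
    if session is None:
        return False
    if not policy.get(service, True):
        return True  # password alone is enough: the gap
    return session["trusted"] or session["second_factor"]


def password_only_services(policy):
    """Audit helper: services reachable without the second factor."""
    return sorted(s for s, required in policy.items() if not required)
```

Running `password_only_services` over a real route or service inventory is the useful check: anything it returns is protected by the password alone, whatever the account settings page says about 2-factor.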

I suppose I shouldn't be too surprised. Apple services have often felt disjointed at points where they should be unified, and security has the feeling of being an afterthought. I remember one instance where I was talking to someone trying to change an AppleID password, and said he couldn't remember the answers to the challenge questions.

Challenge questions? I had changed the password before...I didn't need the challenge questions. Turns out he was using the Manage My AppleID web page to change the password. When I logged in to the account through iTunes, it let me change the password without the challenge questions. Inconsistency is not endearing and in my head it calls into question how they're tying all their services together.

In the end it seems Apple has really dropped the ball on security. It's one thing when the end user avoids implementing a security solution because <insert excuses that really are summed up with "It's more hassle than I want to deal with but I'll complain when something happens that these steps would have prevented">, but it's another when a company implements security in such a way that it's not only incomplete but leaves you with a false sense of security in the process.

That doesn't mean the celebrities in this incident actually had 2-factor enabled. They very well might not. It seems at least one of them bragged about their lack of tech-savvy skills. On the other hand, this incident made Apple take notice of the incident and now may pay more than lip service to the deficiencies in their security implementation.
