How an attacker can lock you out of your iCloud account

It appears Apple has taken an unusual approach when it comes to handling suspicious iCloud login activity.  Unlike other tech giants, Apple immediately locks you out of your account whenever a string of bad sign-ins occurs.  Other companies like Google or Facebook force you to review suspicious activity when it occurs, but do not lock you out of your account.

At first glance, this seems like an unusual but decent security mechanism to prevent brute-force password guessing, but it has a number of nasty side-effects that I’ll explore below.


When locked out, Apple forces you to regain access through a 10-minute, 3-step process. It starts by clicking on the info link in the lock prompt, which takes you to iforgot.apple.com to receive a verification email.

(Screenshot: the iforgot process.)

The site claims the verification email will let you back in, but unfortunately the email you get actually contains password reset instructions, not a verification link.  When you follow the emailed instructions, the final step forces you to choose a password you haven’t used in the last 6 months in order to regain access.  Resetting your password means you have to log back in on all your Apple devices in order to renew their iCloud sessions.

There is no way to disable this suspicious activity auto-lockout feature, and all Apple services are rendered immediately inaccessible when it happens.

Maybe you’re starting to see where this is headed…

What are the effects?

You can essentially DoS someone out of their account continuously using only their email (which you can usually find online).  You can cause extreme inconvenience to anyone, even Tim Cook.  By just repeatedly entering wrong passwords on appleid.apple.com, you deny them access to all their Apple communications and products indefinitely.  They are forced to answer their security questions or click an email link in order to change their password, and it’s a process that takes at least 15 minutes (including the time it takes to log back in on all your devices).

When I asked a support rep on the phone, they confirmed that this is a real issue that support deals with frequently, and that they have no power to stop the auto lock-out behavior.

Who can take advantage of this?

  • any angry ex who knows your email
  • any old twitter troll who can Google and find your email online
  • anyone who wants to prevent you from reading an email or receiving an iMessage
  • anyone with access to one of your Apple devices
  • a thief who steals one of your devices

To elaborate on that last one, a thief who steals your iPad can find your iCloud email easily, then DoS you out of your account to prevent you from seeing the device’s location using Find My iPhone.  This is important because even though the device can be put in Airplane Mode, it will still have reported its last known location to iCloud.  Thieves can effectively prevent you from seeing that last reported location, or any of your other devices’ locations, for a lengthy period of time by using this lock-out trick.

What can you do when you get locked out?

Change your AppleID email.

The obvious solution is to follow the recovery steps but change your iCloud email address immediately once you get in.  If the attacker is unable to guess your new email, they won’t be able to lock you out of your account.

This is not a great solution: the attacker can still deny you access initially, and it forces you to burn an email address every time this happens, which is a huge ordeal for normal users who don’t have access to infinite email addresses or their own domain.


The other issue with this fix is that several major iCloud features are tied to your email, and issues will crop up whenever it changes (e.g. iMessage is tied to your email, and you may receive email at your iCloud address).  There is a reason Gmail doesn’t force you to change your Gmail address and password every time suspicious sign-in activity occurs; the same should be true for your iCloud address.

Enable 2-factor Auth?

This is a good idea anyway if people are attacking your account.  Unfortunately it doesn’t help the root problem, as you can still cause lock-outs for people with two-factor auth enabled by trying wrong passwords.  More Info…

What can Apple do to address this?

There are a number of options:

  1. follow Gmail’s approach by notifying you of suspicious login attempts and prompting you to review all recent activity (without forcing a password reset)

    (Screenshot: Gmail’s suspicion prompt.)

  2. get rid of auto-lock in favor of exponential backoff of login attempt delays
  3. keep the auto-lock feature, but allow users to unlock their Apple account without forcing a password change (still require email verification for safety)
  4. allow you to disable auto-lockout if you are confident your password cannot be realistically brute-forced
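As an added illustration (not code from the post or from Apple), here is a constructed model contrasting the per-account hard lock the post describes with option 2 above, an exponential backoff keyed on the account and the source of the attempts. The account name and the source labels `guesser-net` and `home-net` are constructed sample values, and "source" is assumed to be whatever the server can attribute attempts to (a network or device identifier).

```python
from collections import defaultdict, deque

WINDOW_S = 600            # 10-minute window from the post's observation
HARD_LOCK_THRESHOLD = 8   # 8 failures in that window reliably triggered the lock
ACCOUNT = "victim@example.com"   # constructed sample account

class HardLockPolicy:
    """Lockout as the post describes it: N bad passwords against an account
    lock it for everyone, the owner included, until a password reset."""
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked = set()

    def check(self, account, source, now):
        return "locked" if account in self.locked else "allow"

    def record_failure(self, account, source, now):
        q = self.failures[account]
        q.append(now)
        while now - q[0] > WINDOW_S:        # drop failures outside the window
            q.popleft()
        if len(q) >= HARD_LOCK_THRESHOLD:
            self.locked.add(account)

class BackoffPolicy:
    """Option 2 from the post: exponential delay keyed on (account, source).
    The guessing source is slowed down exponentially; the owner signing in
    from a different source keeps a clean slate and is never locked out."""
    def __init__(self, base_s=1.0, cap_s=3600.0):
        self.base, self.cap = base_s, cap_s
        self.state = {}   # (account, source) -> (consecutive failures, not_before)

    def check(self, account, source, now):
        _, not_before = self.state.get((account, source), (0, 0.0))
        return "allow" if now >= not_before else "throttled"

    def record_failure(self, account, source, now):
        n, _ = self.state.get((account, source), (0, 0.0))
        n += 1
        self.state[(account, source)] = (n, now + min(self.cap, self.base * 2 ** (n - 1)))

    def record_success(self, account, source):
        self.state.pop((account, source), None)   # a real login resets the counter

def simulate(policy):
    """Constructed scenario: 8 wrong passwords from 'guesser-net', one per minute,
    then at t=480s both the guesser and the owner (from 'home-net') try again."""
    for i in range(HARD_LOCK_THRESHOLD):
        policy.record_failure(ACCOUNT, "guesser-net", i * 60.0)
    return {"owner": policy.check(ACCOUNT, "home-net", 480.0),
            "attacker": policy.check(ACCOUNT, "guesser-net", 480.0)}
```

Under the hard lock the owner is shut out along with the guesser; under backoff only the guessing source waits (128 s after its eighth miss here), which is the difference the post is asking Apple to adopt.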

As it stands, Apple is currently forcing users to burn a password, and potentially an email address every time they get locked out, whether triggered by malicious activity or by accident.  This implementation allows for an unacceptable DoS vector, and lets anyone cause massive inconvenience to their victim using only their email.  To fix it, they should follow the lead of other major tech companies, and implement a way to review suspicious login activity without forcing a password reset.

Information I got from Apple Support:

  • When your password changes, Find My iPhone remains active and continues to send location on devices with the old password, even though all other iCloud services immediately become inactive.  This is good, as it means you can change your password when a device is lost to protect your data, but still receive location updates from it in case it ever comes online.
  • Different Apple services use iCloud sessions with different expiration times, but all sessions except Find My iPhone are revoked server side when account information like email or password changes.  iMessage sessions are 24 hours; iCloud Photo Library’s and iCloud Music’s are shorter.
  • AppleIDs will be locked (they call it a Security Lock) if several wrong passwords are entered in a short period of time.  I was unable to find exactly how many password attempts you need, but I’ve been able to reliably trigger it with 8 attempts in 10 minutes.
  • Locked AppleIDs can only be re-entered once you go to iforgot.apple.com, and reset your password.  Apple used to unlock them automatically if no more attempts occurred within 24 hours, but this no longer seems to be the case.
  • When locked out of your AppleID, you are immediately logged out on all devices, and prevented from accessing iMessage, Mail, Contacts, Calendars, iCloud Photos, iCloud Music, icloud.com (including the Find My iPhone site), and all other Apple services.

A formal bug (#24129504) has been filed with Apple Support (see this support thread).  If you encounter iCloud lock-outs, please call Apple Support and urge them to fix this bad implementation.
