iOS, and iCloud in particular, has had its fair share of trouble from hacking in recent months and, on Friday, a new brute-force dictionary attack tool was posted on GitHub. The tool attacks iCloud logins that use weak passwords, working from a dictionary of more than 500 words. It is called iDict, and it masquerades as a genuine iPhone attempting to log in to iCloud so that it is not caught by the lockout restrictions.
[Image: iCloud Under Attack in 2015]
If you have a complicated password you should be OK, but if you use one based on something simple, like a pet name or date of birth, you are at risk and are urged to change your password immediately. You should also enable Apple’s two-step verification as a matter of course. In a move that appears to be unrelated, some users have noticed that the Photos web app has disappeared from iCloud as well. Since the celebrity photo hacks, Apple has tightened security on iCloud, including a lockout after 5 wrong login attempts.
The hacker behind iDict is Pr0x13, and it is somewhat worrying that his tool seems to be able to get past the lockout. He says that it was an obvious bug and that he disclosed it publicly so that Apple would do something about it – we can only hope that they do so soon.
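The lockout described above only works if it is keyed on the account alone, not on what kind of client the request claims to be. The following is an added illustration, not code from Apple, from iDict or from this article: a per-account lockout with the 5-attempt threshold the article mentions, exercised with a constructed wordlist and a guesser that changes its claimed client type on every attempt. The account name, wordlist and `verify` callback are all made up for the example.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5  # the article states iCloud locks after 5 wrong attempts

# Constructed sample wordlist; none of these is the account's real password.
WORDLIST = ["password", "fluffy", "19850412", "rover", "qwerty",
            "letmein", "buddy", "123456"]


class AccountLockout:
    """Counts failed logins per account. The client identifier a request
    claims (web browser, iPhone, ...) is recorded but never used in the
    lockout decision, so spoofing it cannot avoid the threshold."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()
        self.seen_clients = defaultdict(set)  # for audit only

    def attempt(self, account, password, client_id, verify):
        self.seen_clients[account].add(client_id)
        if account in self.locked:
            return "locked"          # even a correct password is refused now
        if verify(account, password):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
            return "locked"
        return "denied"


def replay_guesses(lockout, account, wordlist, verify):
    """Feed a wordlist at one account, alternating the claimed client type,
    and return the verdict for each guess so the lockout behaviour is visible."""
    verdicts = []
    for i, guess in enumerate(wordlist):
        client = "iPhone" if i % 2 else "web"   # rotating client identity
        verdicts.append(lockout.attempt(account, guess, client, verify))
    return verdicts
```

With the threshold at 5, the fifth wrong guess locks the account and every later guess, whatever client it claims to be, is answered with "locked".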
How to Protect Yourself:
This is a very real threat; the dictionary posted on GitHub is minuscule compared to the ones that unscrupulous hackers will use. To protect yourself:
- Change your password to something more complex
- Enable two-step verification on iCloud
- Make sure you store your Recovery key, given after two-step is enabled, somewhere safe – if you lose it you could lose access to iCloud
- Consider changing your Apple ID email to a private one