Apple’s recent advances in protecting user privacy help tremendously to protect consumers’ information and online activities. However, it seems the bad guys have already learned how to exploit iCloud Private Relay. An Israel-based cybersecurity firm has discovered cyber fraud and bot attacks using the service to mask their origins.
Background on iCloud Private Relay
Apple introduced iCloud Private Relay during WWDC 2021. The privacy feature helps separate you and your browsing activity from companies and individuals hoping to track it. The feature is available to anyone with an iCloud+ subscription. It works in Safari on all of the Cupertino-based company’s latest operating systems.
Apple’s iCloud Private Relay obfuscates your browsing. It routes your Safari traffic through two extra servers before delivering it to the web page you’re visiting. Apple owns and controls one of these servers. Meanwhile, a content provider such as Akamai and Cloudflare operates the second. None of the parties can see the whole picture of your browsing history.
The Double-Edged Sword Providing a Critical iCloud Private Relay Exploit
The problem with this implementation is that anyone can use it for good or bad. Israel-based cybersecurity firm Immue recently discovered threat actors taking advantage of the anonymity of iCloud Private Relay. Using Apple’s technology to cover their tracks, these hackers launched multiple untraceable attacks.
These attackers, Immue told VentureBeat, abused Apple’s new feature to launch thousands of bot attacks on the consulting firm’s customers. Apple whitelists the Cloudflare and Akamai servers used for the service. This gives the attackers have practically uninhibited access to any website they want to attack.
All told, Immue identified the attackers using 192 different IP addresses to generate three attacks. These attacks had a volume of up to 50,000 bot requests each time. These sort of attacks can cripple a server or open it up to hack attempts.
For its part, Apple does take measures to prevent fraud and abuse. It implements systems like rate-limiting, single-use authentication tokens and consistent IP addresses for each browsing session. However, Apple advised updating fraud detection systems relying only on IP addresses.
Basically, it’s the old adage that we can’t have nice things. Yes, Apple has provided us with tools that give us more control over our data and privacy. Unfortunately, Cupertino has also inadvertently given cyberattackers another way to evade detection. Companies should carefully audit their anti-fraud and cybersecurity systems. This way, they can try to detect and prevent abuses of iCloud Private Relay.
Jeff:
I think it’s safe to say that, given adequate time and motivation, there is not a security feature on any system that a sufficiently clever and resourced bad guy cannot defeat.
That, however, does not obviate the point that auditing systems should be in place to determine that the system is working as intended and without compromise.