iCloud? Find My iPhone? What should be blamed for nude celebrity photo leaks? Neither, says Apple
Apple is fighting hard to keep its reputation for protecting user privacy. The company is mired in controversy after leaked sexually explicit celebrity photos reportedly hacked from Apple's iCloud storage service made the rounds of the Internet, but has denied allegations that hackers were able to penetrate Apple's security systems.
On Tuesday, Apple released a statement confirming that multiple iCloud accounts, including that of prominent Hollywood celebrities such as Jennifer Lawrence, Kelly Brook and Selena Gomez, have been hacked but stopped short of saying that iCloud's security systems have been breached.
"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet," says Apple in a statement. "None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone."
With Apple denying accountability, the question of where these photos came from and how the attackers were able to get hold of them becomes even more puzzling. While many Internet users say storing nude pictures on the cloud isn't a very wise move, security researchers say Apple and other cloud storage providers could have placed better security measures to prevent hackers from infiltrating targeted accounts.
Ashkan Soltani, an independent security researcher, told the Wall Street Journal that there is cause to believe that Apple gave the attackers several chances to guess the usernames and passwords of the hacked iCloud accounts. This observation stems from the discovery of a bug in Apple's Find My iPhone service made by Russian Internet security analyst Alexei Troshichev of HackApp. Just a day before the hackers posted the pictures online, Troshichev and his partner Andrey Belenko, a senior security engineer at viaForensics, presented his findings at the DefCon conference in St. Petersburg. Finding the bug, he says, was "a trivial task" that took him only two hours.
The bug makes Find My iPhone vulnerable to a brute force attack, a simple hacker technique that lets computers guess the password by entering different passwords until it chances upon the correct one. On Saturday, HackApp posted a proof of concept tool called iBrute that allows hackers to brute-force their way into Find My iPhone and, from there, obtain Apple IDs and make their way into other Apple channels such as iCloud and Photo Stream.
"This bug looks really critical in context of the photo leaks," Troshichev says, but admits that he has not seen any evidence that iBrute was used to hack the celebrity photos.
Apple maintains that it has a limit on the number of password attempts before an iCloud user gets locked out but did not specify how many attempts it allows. On Monday, Apple appears to have quietly fixed the vulnerability after testing conducted by Owen Williams of TheNextWeb shows Apple locked accounts after five attempts at entering the wrong password.
"We are continuing to work with law enforcement to help identify the criminals involved," says Apple.
Just a week from now, Apple is expected to introduce its much awaited iPhone 6, which will presumably come with a number of new services that require users to share more of their private data, including health and fitness information for Apple's new HealthKit platform and credit card data to be used for Apple's rumored mobile payment system.
Apple recommends its users to use strong passwords and two-factor authentication, a security measure that allows users to enter a unique numerical code sent to their smartphones every time they log in to their accounts. However, Darien Kindlund, director of threat researcher at security firm FireEye, criticizes Apple because it's "a little late to the game" and "doesn't advertise" two-factor authentication.
"If you contrast what Apple and Dropbox and Google are doing with what banks are doing, then you can see the banks are taking significantly more steps to protect their customers," says Dr. Steven Murdoch, information security researcher at University College London. "And it's not fair to blame the victims of crime who may have simply been following the instructions websites are giving to protect their accounts."