Apple Investigating Potential iCloud Flaw That Opened Door To Extensive Celebrity Photo Hack
The iCloud accounts of numerous A-list and C-list celebrities in the USA and the UK were breached by hackers and photos released on the internet over the last couple of days. Reddit and other sites were quick to act as repositories for the cache of over 300 photos, purported to be of celebrities Kate Upton, Jennifer Lawrence and others.
Several of the celebrities whose explicit photos were distributed over the internet without their consent have acknowledged that the photos are of them, including actresses Jennifer Lawrence and Kirsten Dunst.
Both Apple and the FBI have said in the last 24 hours that they are actively investigating. The FBI rarely comments on active investigations, but said that this one involved high-profile individuals and was now under review by the Los Angeles FBI office.
How the breach was carried out, and the technology behind it, is yet to be determined. There has been recent commentary about the Find My iPhone app, which is intended to help lock and then locate a lost or stolen iPhone, and which may have been used instead for nefarious purposes.
Email As A Vulnerability
Email is a particular point of vulnerability for every user. Many services use email accounts as their central point of contact, and Apple's iCloud online storage service is no different. Unique PINs and contact information are coordinated and reset partly via email. It is possible for a hacker to gain access to an email account, locate emails from the iCloud service and use them to gain access to the iCloud service. From there, they can download all media stored on the service for that Apple account owner.
What is needed is a strong password for the email account, a separate one for the Apple iCloud service, and two-factor authentication that uses a personal contact number as a second layer of protection. However, bear in mind that if a mobile device is lost or stolen while it is unlocked, the person in possession of the device will receive the security SMS text message, not the owner of the phone. For this reason, registering a different number and phone for two-factor authentication is useful for ultimate protection.
A detailed explanation of how an iCloud hack could occur via an email security vulnerability is available here.
Brute Force Password Attacks Inside iOS
In some cases, hackers can use a brute force approach to password discovery, as seemed to be the case with the aforementioned Find My iPhone app, which allowed repeated attempts to access a device via the app. The individuals involved with a previous hack using this exploit have since been apprehended, and the security vulnerability seems to have been resolved with a restriction on how many access attempts can be made before the Apple account is locked up tight.
The issue with iCloud and other cloud-based services is that many apps, and iOS itself, will often automatically sync data such as newly taken photos right up into the cloud as a matter of course. The user may not be completely aware – or may simply forget – that this is going to happen when they're busy snapping away.
Photos also contain a great deal of information in the form of EXIF metadata (see this example), which is added to a photo at the time it is taken. This can include the device used to take the photo, the GPS coordinates where the photo was taken and other revealing information.
Cloud-Based Risks and Prevention
Ultimately, storing private files like bank records, financial spreadsheets, personal photos and videos is risky when they are placed on the internet. Even if they are held behind security walls, any security can ultimately be broken.
Dropbox had a window of 4 hours where any password could access any user's account until they closed the security breach. Other types of security vulnerabilities mean that each individual has to weigh the benefits and the risks of using the cloud to store important information that they'd rather no one else saw. Data may be encrypted end to end, but if the hacker can determine the password to the service then the encryption doesn't really matter.
Removing Devices from iCloud
Please see our article for how to remove a device from iCloud via a Mac or iOS device, or over the web.