Company could face legal repercussions and some user hate

Sep 3, 2014 16:09 GMT

The recent celebrity nude photo leaks from iCloud uncovered major security flaws regarding the protection of user data on Apple’s data centers.

Although the company has denied that the systems storing the user content have been breached in a cyber-attack, the accounts of several female celebrities, more than 100 according to the list provided by the hackers, have been compromised and private images have been published online.

This shows that the protective measures were vulnerable in some way that evaded the prowess of Apple’s engineers.

Security experts speculated that a brute-force attack may have been the method used to gain unauthorized access to the content; brute-forcing abuses the login feature and consists of running software that submits one password candidate after another, typically taken from a dictionary file, until the right password is accepted.

In July 2013, the iCloud service had 320 million users, which, until recently, made for at least the same number of potential victims of this type of attack, provided that the hacker knew the username for the account (not a very difficult piece of information to find out).

Apple addressed this issue by rolling out an out-of-band update to the Find My iPhone app, which limits the number of failed login attempts to five and disables the account for security reasons if the right passcode is not entered within that limit; the account can be re-enabled by resetting the password.
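The control described above, a per-account counter of failed logins that disables the account at five and is cleared only by a password reset, is simple enough to show in full. The following is an added example written for this article, not Apple's code: the in-memory account store, the usernames and passwords, and the constructed wordlist are all illustrative assumptions. It also carries the flag `enforce_lockout` so the weak behaviour (no limit, the situation the article says existed before the update) can be run beside the corrected one.

```python
"""Added example: per-account lockout after five failed login attempts.

Models the mitigation the article describes. The store, credentials and
wordlist are constructed for illustration only (not Apple's code).
"""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5  # threshold stated in the article


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked store does not hand out passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """Toy credential store; a real service would persist and audit this."""

    def __init__(self, enforce_lockout: bool = True):
        self.enforce_lockout = enforce_lockout  # False = weak, pre-update behaviour
        self._accounts = {}

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "failed": 0,
            "locked": False,
        }

    def is_locked(self, username: str) -> bool:
        return self._accounts[username]["locked"]

    def login(self, username: str, password: str):
        """Return (ok, reason). Failures are counted per account; a locked
        account rejects even the correct password until it is reset."""
        acct = self._accounts.get(username)
        if acct is None:
            # Same response as a wrong password so usernames are not enumerable.
            return False, "invalid credentials"
        if acct["locked"]:
            return False, "account locked"
        candidate = _hash_password(password, acct["salt"])
        if hmac.compare_digest(acct["hash"], candidate):
            acct["failed"] = 0  # a good login clears the counter
            return True, "ok"
        acct["failed"] += 1
        if self.enforce_lockout and acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True
            return False, "account locked"
        return False, "invalid credentials"

    def reset_password(self, username: str, new_password: str) -> None:
        """A password reset re-enables the account, as the article describes."""
        acct = self._accounts[username]
        acct["salt"] = os.urandom(16)
        acct["hash"] = _hash_password(new_password, acct["salt"])
        acct["failed"] = 0
        acct["locked"] = False


def exercise_control(store: AccountStore, username: str, wordlist):
    """Defender-side self-test: feed a constructed wordlist to login() and
    report whether the control stopped guessing ("locked", at guess N) or a
    guess was accepted ("accepted", at guess N)."""
    for n, guess in enumerate(wordlist, start=1):
        ok, reason = store.login(username, guess)
        if ok:
            return "accepted", n
        if reason == "account locked":
            return "locked", n
    return "exhausted", len(wordlist)


if __name__ == "__main__":
    # Constructed wordlist; the real password is the eighth entry.
    words = ["123456", "password", "qwerty", "letmein", "iloveyou",
             "welcome", "monkey", "correct-horse"]
    weak = AccountStore(enforce_lockout=False)
    weak.create("alice", "correct-horse")
    print("no lockout:", exercise_control(weak, "alice", words))   # accepted at 8
    hardened = AccountStore()
    hardened.create("alice", "correct-horse")
    print("lockout:", exercise_control(hardened, "alice", words))  # locked at 5
```

The unknown-user branch deliberately returns the same message as a wrong password; a different reply would let an attacker confirm which usernames exist, which the article notes is already easy enough to find out. Note that lockout-until-reset also hands an attacker a way to lock legitimate users out of their own accounts, so production systems usually combine a per-account counter with per-source rate limiting and alerting on the lockout event.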

The app’s functions for tracking a lost device and locking it down can be accessed by signing in with the Apple ID used for authentication in Apple’s products, iCloud included.

Users enabling the 2FA security measure would be protected against the brute-force attack, but another Apple slip-up, which has not been reported as fixed at the moment of writing, would make the content stored on the data center vulnerable to unauthorized access anyway.

2FA safeguards against fraudulent sign-ins and allows users to make iTunes, App Store or iBookstore purchases from a new device, as well as get Apple ID-related support from the company; it does not cover iCloud backups, Find My iPhone data, or files stored in the cloud.

What this means is that a hacker needs only the username and password for the victim’s account to restore a device from an iCloud backup.

All this irresponsibility regarding user data may backfire on Apple, especially with the media touting the impenetrable defenses of the company’s products.

Moreover, these security flaws were known to Apple, the brute-force attack having been reported by the media back in May.

As for the lack of 2FA in iCloud services, the issue has been known at least since November 2013, when Vladimir Katalov from ElcomSoft held a presentation at the DeepSec security conference in Vienna about how iCloud worked.

[UPDATE]: Katalov presented information about this poor practice in May, 2013, in a company blog post.

Given all this, Apple’s reputation for offering the best security for its products is irremediably stained.

Even if the glitches are eliminated, users have already associated the flaws with the Cupertino tech giant and they know that their media content deposited on the company’s data centers is vulnerable to unauthorized access.

In the mind of the fans, probably not the diehard ones, Apple has failed spectacularly at protecting the privacy of its customers.

And on top of this, more damage is to be done by the legal battle that may be initiated by the celebrities whose iCloud accounts were compromised.

Lawsuits have been filed for less damage than this, and in some cases, careers have ended after the emergence of compromising photos.

A lot of famous names have been affected by the leak and celebrities’ lawyers are usually quite aggressive (not that Apple’s aren’t), and they tend to become even more fierce when it comes to fighting against big corporations.

However, the bottom line is that Apple could suffer the consequences of poor security practices in the long run, as it has to work on restoring trust in its products and services.