Apple Fixes iCloud Security Gap, ‘Actively Investigates’ Celeb Photo Theft


Apple closed a gap in iCloud security over the holiday weekend, a gap that facilitated brute-force password breaking. The move comes in the wake of celebrity nude photos that were allegedly stolen from PhotoStream iCloud storage and distributed online. Apple issued a statement on Monday saying it was actively investigating the reports.

"We take user privacy very seriously and are actively investigating this report," an Apple spokesperson told Re/code.

Cloud Security

In case you've had the temerity to step away from a computing device over the weekend, here's a breakdown of what's been happening:

Nude and otherwise risque photographs of Jennifer Lawrence, Ariana Grande, Mary Elizabeth Winstead, Kate Upton, and more than 100 others were posted to 4chan. The bottom feeders responsible demanded Bitcoins for a peek at the images, and BusinessInsider reported that they netted a grand total of US$95 worth of the cryptocurrency—a princely sum, as Engadget put it.

Some of the photos have been verified as real by the celebrities themselves, while others have been labeled as fakes. That affects this story only insofar as it bears on whether or not the images were stolen from iCloud accounts, which neither Apple nor anyone else in a position to know has yet verified. Mary Elizabeth Winstead, for instance, tweeted that her photographs had been deleted long ago.

Meanwhile, Engadget reported on a piece of code called iBrute hosted on GitHub, the online source code repository service. Developed (in theory, at least) as a proof-of-concept exploit of iCloud security, iBrute allowed users to perform brute force attacks against Apple's Find My iPhone login.

Brute force attacks refer to efforts to simply try one password after another until you get one that works. Because the Find My iPhone login allowed unlimited password attempts, with no lockout to stop a guessing run, it was perfectly exploitable by brute force attacks—this is a big deal and something Apple should have had right from the get-go.
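To make the "unlimited attempts" point concrete from the defender's side, here is an added example (not code from the article, from Apple, or from iBrute) of the control that was missing: a per-account sliding-window failure counter that locks the account for a while once too many wrong passwords arrive, plus a replay of constructed authentication log lines through it so you can see where the alert would fire. The thresholds, the log format, the account names and the timestamps are all assumptions made for illustration.

```python
import re
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Assumed policy values for illustration; not Apple's actual settings.
MAX_FAILURES = 5                 # wrong passwords tolerated ...
WINDOW = timedelta(minutes=15)   # ... within this sliding window
LOCKOUT = timedelta(minutes=30)  # how long the account stays locked


@dataclass
class AccountState:
    failures: Deque[datetime] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: Optional[datetime] = None


class BruteForceGuard:
    """Sliding-window failure counter with a temporary per-account lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.accounts: Dict[str, AccountState] = {}
        self.alerts: List[Tuple[str, datetime]] = []  # (account, time the lock was applied)

    def attempt(self, account: str, password_ok: bool, now: datetime) -> str:
        """Record one login attempt; returns 'ok', 'rejected' or 'locked'."""
        st = self.accounts.setdefault(account, AccountState())
        if st.locked_until is not None and now < st.locked_until:
            # Refuse while locked, even if this particular guess happens to be right:
            # otherwise a guessing run still succeeds the moment it lands on the password.
            return "locked"
        if password_ok:
            st.failures.clear()
            st.locked_until = None
            return "ok"
        st.failures.append(now)
        while st.failures and now - st.failures[0] > self.window:
            st.failures.popleft()  # drop failures that have aged out of the window
        if len(st.failures) >= self.max_failures:
            st.locked_until = now + self.lockout
            st.failures.clear()
            self.alerts.append((account, now))  # this is where the klaxon sounds
            return "locked"
        return "rejected"


# Constructed log format (an assumption for this example), one attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth account=(?P<account>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: a burst of wrong passwords against one account, then a correct
# one that arrives while the lock is in force, an unrelated user, and the same account
# signing in correctly after the lockout has expired.
SAMPLE_LOG = [
    "2014-09-01T10:00:01Z auth account=jane@example.com ip=203.0.113.7 result=FAIL",
    "2014-09-01T10:00:02Z auth account=jane@example.com ip=203.0.113.7 result=FAIL",
    "2014-09-01T10:00:03Z auth account=jane@example.com ip=203.0.113.7 result=FAIL",
    "2014-09-01T10:00:04Z auth account=jane@example.com ip=203.0.113.7 result=FAIL",
    "2014-09-01T10:00:05Z auth account=jane@example.com ip=203.0.113.7 result=FAIL",
    "2014-09-01T10:00:06Z auth account=jane@example.com ip=203.0.113.7 result=FAIL",
    "2014-09-01T10:00:07Z auth account=jane@example.com ip=203.0.113.7 result=OK",
    "2014-09-01T10:00:08Z auth account=bob@example.com ip=198.51.100.9 result=OK",
    "2014-09-01T10:40:00Z auth account=jane@example.com ip=192.0.2.20 result=OK",
]


def replay_log(lines, guard: Optional[BruteForceGuard] = None):
    """Feed log lines through the guard; returns (per-line decisions, alerts raised)."""
    guard = guard or BruteForceGuard()
    decisions: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the replay
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        decisions.append((m["account"], guard.attempt(m["account"], m["result"] == "OK", ts)))
    return decisions, guard.alerts


if __name__ == "__main__":
    for (account, decision), line in zip(*replay_log(SAMPLE_LOG), SAMPLE_LOG):
        print(f"{decision:9} {line}")
```

Run as a script, it prints one decision per log line: the fifth wrong password trips the lock, the sixth wrong password and the correct password that follows it are both refused with "locked", and the same account signs in normally once the lockout has expired. A real deployment would also count failures per source address and per password-across-accounts (password spraying), since a per-account counter alone is blind to an attacker who rotates targets.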

It's fixed now, however, as noted by the developers of iBrute, which may or may not have been used in the celebrity photo theft in the first place. The patch notes for iBrute now say, "The end of fun, Apple have just patched."

While that's been fixed, and while we await word on whether these images came from PhotoStream in the first place, this seems a nice reminder to enable two-step authentication on your iTunes/iCloud account.

In 2013, Apple brought two-factor authentication to iTunes and iCloud, a security feature that requires users to enter a code sent to one of their own devices before allowing a new device to access their accounts or otherwise meddle with them.

I penned a primer explaining how to set it up at that time. Do it. Now.

Cloud image made with help from Shutterstock.

Comments

Lee Dronick

  Brute force attacks refer to efforts to simply try one password after another until you get one that works. Because Find My iPhone allowed unlimited attempts to enter a password, it was perfectly exploitable by brute force attacks—this is a big deal and something Apple should have had right from the get-go.

Yes, more than 2 or 3 attempts should sound a klaxon at security.

pattii

Moral of the story is, as my Mother once told us: “Never take, or let anyone else take photos of you that you don’t want anyone to see.” And she said that back in the 1970’s before the Web and the Cloud existed, and it applies even more so now. Basic Mom advice never gets old.

Bosco (Brad Hutchings)

The bigger problem, affecting all three major smartphone platforms (yes, I include Windows Phone), is that it’s easy and tempting to turn on cloud services, but not easy to sort out what should be shared and what should be kept private on your device. I made a video offering a potential solution.

https://www.youtube.com/watch?v=KId2HmtIQxI

I’ve started mocking up mobile “camera” and “photos” apps on the Mac, using a webcam and image file dropping to explore this human interface idea. I’m a bigger fan today after trying it out.

mrmwebmax


I can’t believe, as Lee said, that no klaxons blared after 2 or 3 failed attempts. I also can’t believe I took the time to read this article, only to find no nekkid JLaw pics. Disappointing, TMO, disappointing…. smile

Lee Dronick

Good idea Brad, and probably not hard to implement.

Side note - You could make a lot of money teaching dogs how to clean up their droppings. Ya have to see the video to understand.

Bosco (Brad Hutchings)

Lee grin. A metaphorical stretch for cleaning up messes before they get worse. I’ll probably tone it down or make it more apparent for version 2. And yeah, this isn’t rocket science at all. Just a design goal of putting users in charge of what they share. I wish someone else would just do it already and sell me the apps.
