Apple Denies Systemic iCloud Flaw in Celeb Nude Hacking Case
After a nearly two-day investigation into the celebrity iCloud photo hacking, Apple has concluded that none of its systems were to blame, saying that the high-profile accounts in question were simply compromised by a hacking attack described as "all too common on the Internet."
Over the Labor Day weekend, some hackers from the infamous message board 4Chan (the same online destination that spawned the group Anonymous) announced they had gained access to up to 100 celebrity Apple iCloud accounts and stolen intimate photos of high-profile models, actresses and pop stars -- including allegedly those of Jennifer Lawrence, Kate Upton and Ariana Grande -- in various states of undress.
While the hackers initially demanded payment in Bitcoin in exchange for dumping the images online, dozens of images were leaked anyway, with the hackers reportedly gaining a little under $100 in Bitcoin after all was said and done.
And so began the controversial storm of cultural commentary, social media exchanges and the continuing shell game of postings and takedowns of the images online -- all while both Apple and the Federal Bureau of Investigation opened investigations into the hacking.
How Did It Happen?
Beyond the celebrity and Internet culture-permeated side of the story, the practical questions "How could this happen?" and "Could this happen to anyone?" have not been fully answered, though Apple has now claimed that one prominent theory -- one that incidentally would have shouldered Apple with some of the blame -- is incorrect.
That theory posited that a so-called "brute force" hack attack, which involves using a computer program to repeatedly guess passwords until the correct one is entered, could have been used to gain access to Apple iCloud accounts.
Brute force is one of the oldest hacking tricks, and most websites and services like Apple are well protected from repeated password attempts. But that wasn't the case with Apple's "Find My iPhone" service until recently, according to The Next Web. The publication found a script on the code-hosting site GitHub called "iBrute" that allowed users to gain access to their own iCloud accounts through brute force, as the location-tracking service allowed unlimited password attempts.
Apple: Attacks Were of the Increasingly "All Too Common" Variety
Apple has reportedly patched that hole within the last day or so, limiting the number of attempts to five before disabling an account's iCloud credentials. And the company has denied the Find My iPhone vulnerability led to the unsecured celebrity iCloud accounts.
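As an added illustration (not Apple's code and not part of the original article), the sketch below models the gap described above: a failed-attempt limit that one endpoint skips, compared with a five-attempt, account-wide limit enforced on every endpoint. The class, the account name and the endpoint names `web_login` and `locator` are hypothetical.

```python
MAX_FAILURES = 5  # the limit the article reports Apple introduced


class AttemptLimiter:
    """Per-account failure counter meant to be consulted by every login endpoint."""

    def __init__(self, max_failures=MAX_FAILURES, unguarded=()):
        self.max_failures = max_failures
        self.unguarded = set(unguarded)  # endpoints that skip the limiter (the flaw)
        self.failures = {}               # account -> consecutive failed attempts
        self.disabled = set()            # accounts locked until an out-of-band reset

    def attempt(self, account, endpoint, password_ok):
        """Return 'ok', 'denied' or 'locked' for one authentication attempt."""
        guarded = endpoint not in self.unguarded
        if guarded and account in self.disabled:
            return "locked"              # refused before the password is evaluated
        if password_ok:
            if guarded:
                self.failures.pop(account, None)
            return "ok"
        if guarded:
            count = self.failures.get(account, 0) + 1
            self.failures[account] = count
            if count >= self.max_failures:
                self.disabled.add(account)
        return "denied"


def passwords_checked(limiter, account, endpoint, wrong_attempts):
    """Count wrong passwords that were actually evaluated rather than refused."""
    return sum(
        limiter.attempt(account, endpoint, password_ok=False) == "denied"
        for _ in range(wrong_attempts)
    )


if __name__ == "__main__":
    account = "user@example.com"  # constructed sample account
    weak = AttemptLimiter(unguarded={"locator"})
    strict = AttemptLimiter()
    print("weak, locator endpoint:  ", passwords_checked(weak, account, "locator", 1000))
    print("strict, locator endpoint:", passwords_checked(strict, account, "locator", 1000))
    # Once locked, the account is refused on every endpoint, even with the right password.
    print("strict, web_login after lock:", strict.attempt(account, "web_login", True))
```

The design point is that the counter belongs to the account rather than to an endpoint, so a secondary API cannot be used to continue once the main login has locked.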
In a media advisory released on Tuesday, Apple stated, "We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet."
The company went on to state, "None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone."
If accurate, the company is probably breathing a sigh of relief that such a high-profile hacking wasn't the result of its own systemic cybersecurity vulnerabilities, especially as the company is planning to unveil its next generation of software and devices on Sept. 9. It should be noted, though, that "Find My iPhone" was the feature used to hijack the devices of many Australians earlier this summer. The FBI investigation into the celebrity account hacking is ongoing.
Protect Yourself!
As we've said before, we're in a new age of the Internet -- one where easy-to-guess passwords and the sloppy re-use of login credentials can put anyone at high risk of that "all too common" guesswork style of hacking.
That's why one of our recent Tap That App Tuesday features focused on password managing apps, which can help create and securely store unique, randomized passwords for every site you log in to, as well as keep them synced across all of your devices.
Some apps are free, some require a minimal yearly subscription, but anyone who has any sensitive information linked to online accounts -- especially iCloud users, because all photos are automatically backed up online (which is what got those celebrities in trouble) -- should definitely be using one.
Apple also has an informational page up about activating two-step verification for Apple IDs, which is an additional security feature that (among other things) eliminates the use of that leaky and problematic outmoded security component known as "the security question."