Apple's iCloud hacked, nude celeb photos posted

News by Steve Gold

Questions have been raised about the security of Apple's iCloud service, after a hacker posted nude pictures of celebrities to the 4Chan forum, claiming they were obtained after a hack of the iCloud system.

Launched in October 2011, iCloud was reported as having around 320 million users in a July 2013 set of figures from Apple.

The service is used to automatically store data - including music and pictures - from iOS devices, making the task of synchronising data file sets between mobile devices a lot easier. It also allows iPhone users to easily migrate their files to a new handset as and when Apple releases a new device.

Apple has not made any comments on the celebrity photo postings, but some celebrities are claiming their pictures are fakes, although Jennifer Lawrence and Kate Upton are reported as saying the pictures are real.

According to the International Business Times newswire, if the hacker isn't lying and the pictures were stolen from iCloud, "then it is highly unlikely that the hacker was able to breach Apple's security in general but targeted specific victims using a combination of social engineering and inherent flaws in Apple's system."

The newswire notes that there are three main methods open to the hacker - social engineering, cracking the password, or use of Apple's 'forgot my password' route, the latter of which can be compromised using a combination of a celebrity's email address and other data obtained relatively easily online.

The solution for anyone worried about iCloud security, concludes IBT, is to turn on two-step verification for an iCloud account, requiring users to supply a four-digit PIN - sent to a trusted device - when accessing the account from anything other than a trusted device such as an iPhone.

Trend Micro's security evangelist Rik Ferguson agrees that a wide scale hack of Apple's iCloud is unlikely, but a targeted phishing mail sent to a number of celebrities, enticing them to enter their iCloud credentials onto a fake login page "would do the job just as well as any more complex hack."

Ferguson says that there are lessons for all users of the Internet from this emerging saga, including that if any online service offers options that increase your security, users should enable them.

"Even if you feel that turning on two-factor authentication may be slightly more inconvenient for you when logging in, I'm willing to bet that a compromise of a service at the heart of your digital life will be considerably more so," he said, adding that users should not re-use their passwords on multiple systems.

Finally, Ferguson says that deleted may not always mean deleted, as some of these victims are discovering. Users should, he adds, familiarise themselves with the online services they use and work out if backups or shadow copies are taken and how they can be managed.

"In this case it seems that some of the victims may have believed that deleting the photos from their phones was enough, perhaps forgetting about Apple's Photo Stream," he explained.

Ensuring personal data safety

Alex Fidgen, group director with MWR InfoSecurity, says that - as the story emerges - everyone (and not just celebrities) should be ensuring that their personal data is safe, regardless of what type of data or who they are.

Creating personal photos, he explained, can create a certain amount of risk, meaning that Internet users should stop storing their most sensitive data on cloud services, and should also be aware that many devices will automatically upload photos and received messages to the cloud as a backup service.

He says that users should also use two-factor authentication, as well as choosing secure and unique passwords.

Finally, Fidgen advises that users should not be tricked into giving out their password: if you receive an email from a service trying to get you to log in, never click the link; instead, open a new browser, go to the service as you normally access it and log in from there to attempt to resolve the issue.

"It is easy for attackers to create very realistic emails and websites to trick you into logging in," he said.

Eduard Meelhuysen, EMEA vice president of Netskope, meanwhile, said that corporates who think their company isn't using iCloud should be aware that employees probably will be.

"Apps like iCloud - which are predominantly aimed at consumers - are such an essential part of users' lives that blocking their use within a business environment isn't really an option. But as this breach shows, iCloud is far from infallible, and there are many questions around security that need to be addressed," he said.

"To protect sensitive corporate data, organisations need to understand what data is being moved into iCloud and what users are doing with that content. Rather than block iCloud, or any app for that matter, organisations should try to shape usage by stopping risky behaviours such as the upload of personal identifiable information or the sharing of sensitive content outside of the company. That way you can mitigate risk while enabling the use of cloud in your business," he added.
