iCloud Security Leaves Users Feeling Bare


By David Abbou - Sep-15-2014

Nothing elicits attention to a cause like celebrity endorsement – or in the case of Apple and its iCloud storage – celebrity outrage over their private nude photos being hacked and exposed all over the internet.

Private nude photos of more than 100 celebrities were stolen from their respective iCloud accounts and leaked online on August 30, putting Apple and its security protocols on the hot seat, just a few weeks before the release of iOS 8.


So who’s to blame for this infamous celebrity unveiling (pun intended)?

It took less than 48 hours for Apple to release a statement assuring the public that none of these privacy violations were in fact a successful breach of its security systems, and that it was working with the FBI and other law enforcement to hunt down the as yet unidentified attackers.

Problem solved? If only it were that simple for Apple. It has been anything but ever since. In the case of iCloud, the truth seems much cloudier than the original statement let on.

Apple’s original statement would lead you to believe that iCloud’s security infrastructure is pristine, citing users who choose weak passwords and forgo two-step verification as the main culprits. Granted, many users are annoyed at having to go through an additional step just to retrieve a code from their phone and end up neglecting this feature. And episodes like this make it blatantly clear that the days when we could get by with simplistic passwords and guessable security questions to protect accounts containing our sensitive information are over. You may as well leave your front door unlocked and post signs pointing to your most valuable and personal possessions.

But in appearing to blame its rather prominent victims, Apple invited a well-warranted media storm of negative PR and celebrity backlash. It also motivated industry experts and pundits to hold Apple’s security up to intense scrutiny. What has been turned up by security experts and researchers so far is pretty alarming.

First, iCloud’s popularity makes it one of the prime targets for attackers, and its Camera Roll photo backups are enabled by default. By comparison, Windows Phone photo backups are turned off by default, while on Android photo backup is mostly performed by third-party applications rather than by the operating system itself.

Noted hacker and tech blogger Nik Cubrilovic’s exceptional post on the issue shows how easily someone can confirm that a given email address belongs to a registered iCloud account via the account recovery process (account enumeration), and how that confirmation feeds several bugs that can be exploited to gain access to an account. For anyone running an authentication service, the practical takeaway is that a password-reset or recovery endpoint must return the same response whether or not the account exists, and must be rate-limited, or it becomes a free oracle for attackers assembling target lists.
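The enumeration weakness described above, reduced to a toy password-reset handler. This is an added example and not Apple's code or anything from Cubrilovic's post; the in-memory account store, the two hypothetical handlers (`leaky_reset`, `uniform_reset`), the `ResetGate` attempt cap, and the sample addresses are all constructed for illustration.

```python
"""Account enumeration via a password-reset flow: leaky vs. uniform responses.

Added example (not Apple's or any real service's code). The account store,
handlers and sample addresses are constructed assumptions.
"""
import secrets

# Constructed sample data: addresses that have an account on the toy service.
REGISTERED = {"alice@example.com", "bob@example.com"}


def leaky_reset(email: str) -> dict:
    """Vulnerable handler: the status code and message reveal whether the
    address is registered, so each request answers "does this account exist?"."""
    if email not in REGISTERED:
        return {"status": 404, "message": "No account found for that email address."}
    # A real service would send the reset link here.
    return {"status": 200, "message": "A reset link has been sent."}


def uniform_reset(email: str) -> dict:
    """Hardened handler: identical response either way. Whether a reset email
    actually goes out is invisible to the caller, so nothing is leaked."""
    if email in REGISTERED:
        pass  # send the reset link out of band; no observable difference here
    return {
        "status": 200,
        "message": "If an account exists for that address, a reset link has been sent.",
    }


def enumerate_accounts(reset_fn, candidates):
    """Attacker's probe: compare each candidate's response against the response
    for an address that is guaranteed not to exist. Any address whose response
    differs from that baseline is confirmed as registered."""
    baseline = reset_fn("nobody-" + secrets.token_hex(8) + "@example.invalid")
    return sorted(e for e in candidates if reset_fn(e) != baseline)


class ResetGate:
    """Per-source attempt cap in front of a reset handler. A fixed counter is
    assumed here for simplicity; production code would use a sliding window
    keyed on source address and/or target account."""

    def __init__(self, handler, max_attempts: int = 5):
        self.handler = handler
        self.max_attempts = max_attempts
        self.attempts: dict = {}

    def request(self, source: str, email: str) -> dict:
        n = self.attempts.get(source, 0) + 1
        self.attempts[source] = n
        if n > self.max_attempts:
            return {"status": 429, "message": "Too many requests."}
        return self.handler(email)


if __name__ == "__main__":
    targets = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print("leaky:   ", enumerate_accounts(leaky_reset, targets))    # both real accounts
    print("uniform: ", enumerate_accounts(uniform_reset, targets))  # nothing
    gate = ResetGate(uniform_reset, max_attempts=3)
    for _ in range(4):
        print(gate.request("203.0.113.7", "alice@example.com")["status"])
```

Note that a uniform message is necessary but not sufficient: if the registered-address path takes measurably longer (for example because it actually sends mail synchronously), response timing becomes the oracle instead, which is why the send should be queued out of band and the endpoint rate-limited as well.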

Another eye-opening wrinkle to the story is Elcomsoft Phone Password Breaker (EPPB), a forensics program from Moscow-based Elcomsoft, originally created for police and government agency clients. This software, available online for anywhere from $79.99 to $400, can download a user’s iCloud backups onto a computer once the attacker has the account credentials, and it does so even with two-step verification enabled, because at the time Apple’s two-step verification protected account changes and purchases but did not gate the retrieval of iCloud backups at all.

Apple has since acknowledged the need to improve this security measure as well as to communicate it more effectively to its customers. On Friday, Apple CEO Tim Cook announced that from now on users will be sent an alert when there is an attempt to log in, change the password, or connect a new device to their iCloud account.

So where does Apple go from here? If it compiles the lessons learned from these security holes and bolsters its password setup and recovery processes, that would be a step in the right direction towards preventing future breaches and winning back some customer confidence. Another equally important lesson that should not get lost in the shuffle is one of customer accountability. Most of us who are not cyber-security conscious will continue our bad habits until we get caught with our pants down. Which is why, in the end, whether you’re an ordinary Joe or Jennifer Lawrence, it is ultimately still iCloud’s responsibility to save us from ourselves.