The nude photo scandal engulfing celebrities and Apple iCloud just days before new iPhone 6 models will launch has seen Apple issue a rare media advisory denying its iCloud service was breached, putting the blame on targeted attacks instead.
With the iPhone 6 launch around the corner, the last thing Apple needs is a cloud security scandal getting in the way of the Company’s famed “reality distortion field”.
However, that’s exactly what has unexpectedly happened, as we reported yesterday, with suspicion naturally having fallen on Apple’s iCloud having potentially suffered some kind of major breach.
In yesterday’s article we pointed to reports that Apple had failed to “rate limit” the number of attempts that could be made to reset a password, allowing hackers unlimited tries at guessing passwords and answers to secret questions using a “script” to automate the task.
Apple’s 40-hour investigation into the scandal has led the Company to claim that targeted attacks on passwords and answers to security questions are responsible for the breaches, rather than any vulnerability in the iCloud system, but this is clearly an Apple problem.
Although Apple enforced more complicated passwords some time ago, it along with every other online company needs to do more to encourage very strong passwords while somehow enforcing better answers to security questions, alongside potentially also making two-factor authentication mandatory rather than optional as it currently is.
Apple has reportedly now put rate limits in place and a notification that too many attempts to reset an Apple ID password results in an account being temporarily suspended to stop hackers in their tracks.
That’s all well and good, but what about having done this in the first place, alongside informing end-users that their accounts have been under attack or have been logged into in different parts of the world?
Gmail, for example, alerts end-users to suspicious log-in activity, and it may well be that Apple needs to do the same.
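The three measures discussed above, a cap on reset attempts, a temporary suspension once the cap is hit, and a notification to the account holder, fit together in a single small control. The following is an added illustration written for this article, not Apple’s code and not a description of how iCloud implements it; it assumes a sliding window of 15 minutes, a lockout of one hour, an in-memory store, a caller-supplied notification hook, and a constructed sample account. A production version would persist the counters (a database or Redis) and would key them on both the account and the source address.

```python
"""Rate limiting plus temporary lockout for a password-reset flow.

Added example with assumed parameters; not Apple's implementation.
"""
import hashlib
import hmac
import time
from collections import defaultdict


class ResetAttemptLimiter:
    """Count failed reset attempts per account inside a sliding window and
    suspend the account for `lockout` seconds once `max_attempts` is reached."""

    def __init__(self, max_attempts=5, window=900, lockout=3600, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._clock = clock                  # injectable so tests are deterministic
        self._failures = defaultdict(list)   # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the suspension ends

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            del self._locked_until[account]  # suspension has expired
            return False
        return True

    def record_failure(self, account):
        """Register a failed attempt. Returns True if it triggered a lockout."""
        now = self._clock()
        recent = [t for t in self._failures[account] if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout
            self._failures[account] = []
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def hash_answer(answer, salt):
    """Normalise case and whitespace, then salt-and-hash so the stored value
    is not the plaintext security answer."""
    normalised = " ".join(answer.lower().split())
    return hashlib.sha256(salt + normalised.encode()).hexdigest()


# Constructed sample data: one account with a hashed security-question answer.
SALT = b"constructed-per-account-salt"
ACCOUNTS = {"alice@example.com": hash_answer("Fluffy", SALT)}


def attempt_reset(limiter, account, supplied_answer, notify):
    """One password-reset attempt. Returns 'locked', 'wrong' or 'ok'.

    notify(account, event) is the hook that tells the owner what happened."""
    if limiter.is_locked(account):
        return "locked"
    expected = ACCOUNTS.get(account)
    # Constant-time digest comparison; unknown accounts still pass through the
    # limiter so they cannot be probed with unlimited guesses either.
    ok = expected is not None and hmac.compare_digest(
        expected, hash_answer(supplied_answer, SALT))
    if ok:
        limiter.record_success(account)
        notify(account, "password-reset-succeeded")
        return "ok"
    if limiter.record_failure(account):
        notify(account, "too-many-reset-attempts-account-suspended")
        return "locked"
    return "wrong"


def simulate(guesses, lockout_after=5):
    """Drive the flow with a fake clock, one second between attempts.
    Returns (list of outcomes, list of notifications sent)."""
    clock = {"t": 1000.0}
    limiter = ResetAttemptLimiter(max_attempts=lockout_after,
                                  clock=lambda: clock["t"])
    notes, outcomes = [], []
    for guess in guesses:
        outcomes.append(attempt_reset(limiter, "alice@example.com", guess,
                                      lambda a, e: notes.append(e)))
        clock["t"] += 1.0
    return outcomes, notes


if __name__ == "__main__":
    print(simulate(["rex", "spot", "max", "buddy", "rocky", "Fluffy"]))
```

The point of the simulation is the last guess: once the fifth wrong answer suspends the account, a subsequent correct answer is rejected too, and the owner has been told why. Because the clock is injected, the expiry of the suspension can be tested as well.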
Apple does inform end-users when their ID and password have been used to activate iCloud services on new iOS and OS X devices with an on-screen pop-up, and it delivered a two-factor authentication capability last year.
This means Apple clearly hasn’t been ignoring security and has been beefing it up, but as always when a hacking scandal occurs, where Apple can do a lot more has been as exposed as those celebrities in the nude.
Apple’s advisory starts off with the headline “Update to Celebrity Photo Investigation”, and continues, stating:
“We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us.
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
“To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.”
This is where Apple’s advisory concludes, but it raises questions over how a targeted attack could so easily and spectacularly succeed, as well as whether Apple’s iCloud security team needs a kick up the backside.
There are also reports that Apple’s password reset system and Find My Cloud did previously offer a rate limiting feature after three failed attempts, but that it was removed.
So, as usual, these episodes are a massive wakeup call to consumers across the globe: think twice before putting extremely private information into any cloud service, force yourself into much stronger passwords, switch on security features such as two-factor authentication, and push companies to dramatically upgrade their security practices.
It should also make you wonder whether you really need to have your photos automatically uploading to iCloud, Google+, Dropbox or anywhere else.
Finally, this whole scandal might be the shot in the arm Polaroid needs to make its instant, non-Internet connected photo cameras wildly popular again – but probably not.