Celebrity iCloud Security Intrusion Prompts Apple Response


The leak online of nude celebrity photos this weekend, including those of Oscar winner Jennifer Lawrence, has raised ire about the security controls protecting Apple's iCloud service and the security of similar cloud-based services.

Following 40 hours of investigation on the company’s end, Apple said the large release of several female celebrities' photos in intimate moments -- which also included musician Ariana Grande and model Kate Upton -- did not stem from a breach of its systems. The company instead blamed the lapse on a targeted phishing attack against the celebrities.

“We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone,” Apple said in a statement. “We are continuing to work with law enforcement to help identify the criminals involved."

[Related: 10 Most Common Security Incidents of the Past 10 Years]

The incident came to light over the holiday weekend when a cache of private images of female celebrities was released first on Sunday to the image-based bulletin site 4chan.org. Some of the photos were reportedly fake, according to some of the victims, but Lawrence confirmed at least one of the photos of herself was genuine. The attackers apparently used the "Find My iPhone" service to gain access into the iCloud service.

The API for the "Find My iPhone" app should have prevented an attacker from brute forcing their way into the celebrity accounts, said Rob VandenBrink, a threat handler at the Sans Internet Storm Center, in an analysis of the story. People who value their data need to ensure stronger protections are in place, said Vandenbrink, a senior consulting engineer at Metafore, a Canadian solution provider.

"Once an account password is successfully guessed, all iCloud data for the account is available to the attackers," he wrote. "So no rocket science, no uber hacking skills [here] -- just one exposed attack surface, basic coding skills and some persistence."

Security experts agree users are often to blame for using weak or duplicate passwords across the Web services they use. It is ultimately the consumer’s responsibility to continue to protect their data by using strong and unique passwords and, if required, that other protections are put in place, said Tripwire security analyst Ken Westin.

“It’s just like anywhere else. When you’re walking on the street, you can be secure if you’re aware of your surroundings,” Westin said. “You have to make sure you’re not going into rough neighborhoods and that kind of thing. It’s the same thing online.”

The celebrity victims also may not have realized their personal data and photos were instantly being backed up to the iCloud, Westin said. Users should be aware of their default settings and continue to be cautious, he said.

NEXT: Solution Providers Say What Impact This Could Have on Apple, Upcoming Announcement