Celebrity iCloud Security Intrusion Prompts Apple Response

The leak online of nude celebrity photos this weekend, including those of Oscar winner Jennifer Lawrence, has raised ire about the security controls protecting Apple's iCloud service and the security of similar cloud-based services.

Following 40 hours of investigation on the company’s end, Apple said the large release of several female celebrities' photos in intimate moments -- which also included musician Ariana Grande and model Kate Upton -- did not stem from a breach of its systems. The company instead blamed the lapse on a targeted phishing attack against the celebrities.

"We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone," Apple said in a statement. "We are continuing to work with law enforcement to help identify the criminals involved."

The incident came to light over the holiday weekend when a cache of private images of female celebrities was released first on Sunday to the image-based bulletin site 4chan.org. Some of the photos were reportedly fake, according to some of the victims, but Lawrence confirmed at least one of the photos of herself was genuine. The attackers apparently used the "Find My iPhone" service to gain access into the iCloud service.

The API for the "Find My iPhone" app should have prevented an attacker from brute forcing their way into the celebrity accounts, said Rob VandenBrink, a threat handler at the SANS Internet Storm Center, in an analysis of the story. People who value their data need to ensure stronger protections are in place, said VandenBrink, a senior consulting engineer at Metafore, a Canadian solution provider.

"Once an account password is successfully guessed, all iCloud data for the account is available to the attackers," he wrote. "So no rocket science, no uber hacking skills [here] -- just one exposed attack surface, basic coding skills and some persistence."

Security experts agree users are often to blame for using weak or duplicate passwords across the Web services they use. It is ultimately the consumer’s responsibility to continue to protect their data by using strong and unique passwords and, if required, by putting other protections in place, said Tripwire security analyst Ken Westin.

"It’s just like anywhere else. When you’re walking on the street, you can be secure if you’re aware of your surroundings," Westin said. "You have to make sure you’re not going into rough neighborhoods and that kind of thing. It’s the same thing online."

The celebrity victims also may not have realized their personal data and photos were instantly being backed up to the iCloud, Westin said. Users should be aware of their default settings and continue to be cautious, he said.

The news could pose a setback for Apple, some solution providers said.

Apple has a PR problem on their hands, said Westborough, Mass.-based solutions provider Cumulus Global CEO Allen Falcon. And the timing isn't great with the company reportedly ready to make waves in the mobile payments space and healthcare industry -- two areas dealing with confidential information -- at its event next week, Falcon said.

"It's not a great time to have this happen to Apple given what is expected to be announced next week, but it isn't clear if it is an issue with Apple or iCloud," he said. "They'll have to increase what they say about security, but I don't think it'll be a killer to what they announce. I'd be very surprised if they mentioned it directly at their event. They might have more information and bullet points about security than they would have otherwise."

Apple needs to get its users to embrace two-factor authentication and advocate that its customers use stronger security measures, said Michael Aquino, director of cloud services for managed service provider Cetan. Solution providers also need to help users by offering tools and educating them about having safeguards in place to protect data in the cloud, Aquino said.

"The password is so easy, but it’s so vulnerable," he said. "Eventually, (the IT community is) going to have to come up with something else."

Having a user base that is educated about security threats is important, added Chad Boeckmann, founder and CEO of Minneapolis-based Secure Digital Solutions.

"Brute force is one of the oldest forms of account compromise we know about in the computer age. Seeing this is being applied to cloud accounts is no surprise," Boeckmann said. "…. Alerts should be sent to users so the account is locked out due to multiple unsuccessful attempts. That gives a heads up to the user. I think there’s very little responsibility on the service provider’s end. It should be on the user, but the service provider should give an opportunity to lock out (the solution)."

Robert Westervelt and Ramin Edmond contributed to this story.

PUBLISHED SEPT. 2, 2014