iCloud Photo Thefts Put Apple, Cloud Data Storage in Cross Hairs

by Don Reisinger

This hack came about because some household-name celebrities apparently uploaded private images and personal information from a variety of computing devices to Apple’s iCloud service. The hacker or perhaps a group of hackers launched targeted attacks against these celebrities’ personal accounts to gain access to whatever was stored in the iCloud accounts.

Some security experts said iCloud customers are vulnerable to attack because of the lack of two-factor authentication on the accounts. With that feature in place, the hacker would have been forced not only to enter the correct password, but would also need to have a second form of identification to get access to user accounts. That didn’t happen with the celebrities’ accounts because they ostensibly did not take advantage of Apple’s two-factor authentication option. Hopefully, in the future, more people will use Apple’s two-factor authentication services, or Apple itself will start to require it.

Not surprisingly, the images that were initially posted to 4Chan started widely circulating on the Web very quickly. The photos, some of which are reportedly real and others fake, were shared on Twitter, Facebook, Reddit and other sites. While many of the sites have removed the images, they’re still floating around the Web and likely will continue to do so indefinitely.

While security experts and pundits have been quick to blame Apple’s security flaws for the hack, the company claims that iCloud’s infrastructure isn’t at fault. In a statement late on Sept. 2, Apple said that the hack was “a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.” Even so, the company could expect to face some backlash from security experts who contend Apple should have done more to prevent the data thefts.

A tool called iBrute might have been used in the attack, according to some security experts. However, the tool, which carries out a so-called “brute-force” attack that uses an endless string of password guesses to break into users’ accounts and files, was marginalized by early September when the tool’s author said Apple closed the vulnerability that allowed it to work. It’s likely, though, that the attacks were going on for a long period and iBrute could have been used before it was neutralized.

One of the big issues with Apple’s iCloud is that it allows for an unlimited number of password guesses. So, an automated tool like iBrute could be used to carry out an attack that inputs countless guesses until the password is finally cracked. It hasn’t been confirmed that this was the tactic used, but considering Apple’s password system doesn’t time-out after multiple password entries, it gave the hacker an unlimited number of chances to break the password security.

Let’s not forget that Apple is not the only cloud storage service that’s at risk these days. While its iCloud was the apparent target this time, countless companies have had to deal with network and database attacks that resulted in data breaches. Some of these breaches have resulted in the leak of celebrities’ private images. Apple just happens to be the latest victim in a long line of attacks.

To its credit, Apple said it is moving swiftly to address the security issue. The company has said that it has looked into how this happened and will take every measure to ensure it doesn’t happen again. The big question on everyone’s mind, however, is whether Apple actually has the ability to stop hackers from accessing iCloud. Like every other company out there, Apple is discovering that safeguarding customer data is a serious challenge.

Apple is planning to hold a product introduction on Sept. 9 when it is expected to unveil the iPhone 6. Some pundits suggested that the hacks would negatively affect iPhone sales, as customers would see iCloud as a security risk and decide against buying the company’s device. However, several Apple analysts chimed in on the issue, saying that it won’t hurt iPhone sales whatsoever, and Apple will have yet another banner year for smartphone sales.

When, exactly, did the hack occur? Although the pieces are being put together, it’s believed that the hacker was able to access the accounts over a period of time. The attacker may have been stealing the images from targeted accounts for at least several weeks. Only after all that data was stolen did the hacker actually move to release the images and threaten to share even more.