Apple Proclaims Innocence Over Celeb Photo Hacking

By John Lister

Apple has denied any responsibility for the recent theft and publication of compromising photographs of celebrities. But some analysts say the pictures were vulnerable because of a combination of Apple's technical setup and the easy availability of password cracking software designed specifically for law enforcement authorities.

Pictures and videos of famous females such as Jennifer Lawrence, Kirsten Dunst and Kate Upton began circulating earlier this week after being posted at controversial website 4chan. The US Federal Bureau of Investigation (FBI) is said to be investigating, but it has proven impossible to prevent the images being reproduced on other websites.

Many of the photos appear genuine and were taken by the celebrities on their own phones for personal use. It doesn't appear any of the celebrities intentionally shared the pictures online, or that their phones were physically accessed.

iCloud Backup Breached By Photo Thieves

Instead, it quickly emerged that the celebrities had all been using iPhones and that the pictures had been automatically backed up online through Apple's iCloud service, which is meant to be a protection against a phone or computer being lost or stolen.

Initial rumors suggested iCloud had in some way been hacked with the photo thieves taking advantage of a technical security flaw. However, Apple says that isn't the case and that instead they used "a very targeted attack on user names, passwords, and security questions." (Source: independent.co.uk)

However, security experts say that although there was no technical flaw, there are a couple of reasons why the iCloud setup makes such attacks easier. Firstly, iPhones regularly ask users to type in their passwords if they have iCloud switched on. That may make users more likely to pick easy-to-guess passwords for the sake of convenience.

Secondly, iCloud isn't covered by two-factor authentication. With two-factor authentication, if somebody tries to log on to an account from a different computer than usual, a security code is sent to the user's mobile phone. The security code then becomes part of the login; without it, the user can't log in even if the password is correct.

It appears Apple has decided not to use this extra level of protection with iCloud because most genuine login attempts to a backup service will inherently come from a different computer than usual. The problem is that this has made it easier for the photo thieves to try to guess passwords over and over again without raising any alarms.

Government Password Cracking Tools Used By Thieves

Meanwhile, reports suggest that the same hackers may have used software designed for government agencies in order to crack the passwords. Discussions on hacker message boards claim the culprits may have used Elcomsoft Phone Password Breaker, which automates the process of guessing passwords by trying either every word in a dictionary or random combinations of characters. This is otherwise known as a dictionary attack.
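The "alarm" the article says was missing is simply a count of failed logins per account. The following is an added illustration, not Apple's code or Elcomsoft's: a small detector run over a constructed authentication log (the log format, account names and addresses are all invented for the example) that flags an account once it collects a threshold of failures inside a time window, and separately records whether a login then succeeded on that account, which is how a dictionary attack that works would look from the server side.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (an assumed format, not Apple's):
# one line per login attempt with the account, client address and outcome.
SAMPLE_LOG = """\
2014-09-01T10:00:01 user=alice@example.com src=203.0.113.5 result=FAIL
2014-09-01T10:00:04 user=alice@example.com src=203.0.113.5 result=FAIL
2014-09-01T10:00:07 user=bob@example.com src=198.51.100.7 result=FAIL
2014-09-01T10:00:09 user=alice@example.com src=203.0.113.5 result=FAIL
2014-09-01T10:00:12 user=bob@example.com src=198.51.100.7 result=SUCCESS
2014-09-01T10:00:15 user=alice@example.com src=203.0.113.5 result=FAIL
2014-09-01T10:00:18 user=alice@example.com src=203.0.113.5 result=FAIL
2014-09-01T10:00:21 user=alice@example.com src=203.0.113.5 result=SUCCESS
"""

def parse_line(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect_guessing(log_text, threshold=5, window=timedelta(minutes=15)):
    """Flag accounts that reach `threshold` failed logins inside `window`.

    Returns {user: {"alert_at", "sources", "login_after_alert"}}. A success
    on an already-flagged account is recorded because a guessing attack
    that eventually works ends with exactly that event.
    """
    failures = defaultdict(deque)   # user -> (timestamp, src) of recent failures
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        user = rec["user"]
        if rec["result"] == "SUCCESS":
            if user in alerts:
                alerts[user]["login_after_alert"] = True
            continue
        q = failures[user]
        q.append((rec["ts"], rec["src"]))
        while rec["ts"] - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = {"alert_at": rec["ts"],
                            "sources": {src for _, src in q},
                            "login_after_alert": False}
    return alerts
```

In the sample, alice collects five failures in under twenty seconds and is flagged before the sixth attempt succeeds; bob's single typo followed by a normal login is never flagged.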

Officially, the software is only available to government agencies for use in accessing computers seized from criminal suspects, but it appears the hackers may have acquired a copy of the program. Some of the comments found on hacker forums suggest the software may even allow greater access to iPhone data: normally accessing an iCloud account will only allow you to download individual photos, but it seems the hackers may have been able to download a complete backup of the entire contents of the phone. (Source: wired.com)

The American Civil Liberties Union is now calling on Apple to give iPhone users the option to designate particular photos as sensitive. Such pictures would not be included in the online backups.

What's Your Opinion?

Should Apple do more to protect its online backups, even if that makes things less convenient for users? Do you think smartphone owners understand enough about the pros and cons of automated cloud storage backups? Do you use online backup services and if so, do you trust the security?


Comments

russoule:

In addition to the Apple iCloud system of backing up photos automatically is Google's system to do the same. Take a pic on an Android phone and "voilà!" a "backup copy" is now on your Google account. This is another reason why experienced computer users say the "cloud" is an open invitation to the hackers to steal whatever they want. Instead of hacking MANY systems, they only need to hack ONE, the main storage system of whichever "cloud" service is being used. All data stored in the "cloud" should be encrypted by the serial number of the device that stored it so ONLY that device can re-capture said data.