The iCloud leak: weak security among many problems for Apple's backup service

Apple's cloud backup service, iCloud, has emerged as a likely weak link in the leaking of personal photographs of celebrities this week - but with online security, there are many possible ways for sensitive personal information to leak.

This week the world has experienced the biggest leak of naked celebrity photos in the history of the internet. And where did these photos come from? Apparently, straight from the smartphones of the celebs in question - obtained by a hacker (or hackers) and uploaded to image-sharing message board 4chan.

But what has quickly become known across the internet as "The Fappening" (seriously) has more significant implications than the revealing of famous people’s private parts. When the hysteria has died down, the important question is, should everyday iPhone users be concerned about data security?

The answer seems to be no. Although this historical event is being referred to as “an iCloud leak”, Apple has not confirmed that its servers were hacked and has yet to issue a statement on the issue. The broad consensus among security experts is that a straight Apple hack is an unlikely explanation. As you’d expect, there are a number of competing theories about exactly how these photographs were obtained.

The most prevalent idea is that this leak is the result of clever guesswork, amplified through a programme from web developers’ site GitHub. The software, ibrute, allows programmers to take advantage of a flaw in Apple’s "Find My iPhone" feature to input hundreds of passwords on iCloud accounts without being locked out. The fault has since been fixed by Apple as a result of ibrute’s appearance online.

Weaknesses in cloud storage could be to blame, but not just iCloud. The Dropbox and Google Drive services have also been cited as possible culprits, given that some of the leaked photos were taken on webcams and Android devices as well as iPhones. Additionally, many people use the same passwords across multiple accounts, so discovering a person’s login details for one service could easily result in access to another.

A more peculiar line of thinking suggests that the WiFi service at last month’s Emmy Awards was compromised, giving hackers access to the data on connected devices. A phishing scam - when websites masked as official services request and steal login details - is also a strong possibility.

Given that a full-scale infiltration of iCloud servers is unlikely, there are few measures that individuals can take to protect themselves, at least until the source of the leak has been confirmed. Users can take advantage of the extra security offered through the two-step verification process for Apple IDs, a service that provides additional protective measures so that accounts are more difficult for intruders to access.

The general security guidelines of many apps and web services also advise users to create unique usernames and passwords for each account they have, and to change those passwords periodically. In the case of a data leak through a programme like ibrute, however, such measures wouldn’t necessarily do much to assist. When it comes to online security, our model of passwords seems fundamentally flawed.

Originally published by New Statesman. Image above by The Next Web Photos (CC BY-SA 2.0).
