How we can prevent another event like the iCloud celebrity photo hack

It must have been absolutely horrifying to wake up on Labor Day and find out that intimate photos of yourself had been shared to millions online. It’s one thing to share a personal photo with your significant other, but it’s a bad morning when your Mom calls to tell you your nether regions are the lead story on CNN.

This article doesn’t seek to condemn the idea of taking and sharing intimate photos — I don’t care what two consenting adults do. However, there are some lessons we can all learn about how our data is stored in the cloud, and what we can do to try to protect it.

How the theft happened

According to Apple, the theft was caused by “a targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.” The attackers used a combination of social engineering, phishing, and publicly known information about the target to gain access to his or her iCloud account. Apple CEO Tim Cook told the Wall Street Journal, “When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece. I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”

Once hackers had the passwords, they used Elcomsoft Phone Password Breaker to download the iPhone backups from Apple’s servers. From there, getting access to the photos was easy. Actually, given the amount of information the hackers were able to obtain from the backups, the nude photos might be the least of the hackees’ worries.

Is Apple at fault?

Sort of.

Shortly after the hacks, a “Find my iPhone” exploit was patched. But Apple says it does not appear that this exploit was used for the theft of the images, and since it is a publicly traded company speaking about what is now an FBI investigation, I believe them.

Passwords and security questions are what we have right now for account security. It’s up to the user to manage them and decide for him or herself what is manageable. If you’re a public figure, you probably don’t want your secret question answer to also be on your Wikipedia page.

That said, tools like Elcomsoft Phone Password Breaker have been around for a while, and Apple should understand how they are used, and take steps to prevent their usage.

Would two-step authentication have prevented this?

Sort of.

Two-step authentication only adds an extra layer of security if you sign in to My Apple ID to manage your account, make purchases from a new device, or get Apple ID-related support from Apple. It would have stopped the attacker from changing the iCloud password (if needed), but not the actual restore.

It would be very easy to say the fix to this problem is for two-step authentication to work on iCloud restores. But that solution immediately falls to pieces if I buy a new iPhone, or mine has been lost and this is the only device I have with me when I replace it. When I buy a new iPhone in a few weeks it would be trivial to have me authenticate the restore on my iPhone before I wipe it, but not practical if I have nothing else to authenticate the restore with.

So, how do I protect my sensitive photos?

If you want to take a photo with your iPhone and you absolutely, positively, do not want to share that photo, follow these steps:

  1. Set your iPhone to Airplane Mode
  2. Turn off iCloud backups in the Settings app
  3. Turn off Photo Stream
  4. Take the photo(s)
  5. Connect the iPhone to your computer
  6. Launch a program like Image Capture (OS X) that can read the camera roll
  7. Transfer the images to your computer
  8. Use the program to delete the images
  9. For an extra level of security, place the images into an encrypted .zip or .dmg file.

Once you’ve backed up the photo to iCloud, sent it to another person, allowed it into your Photo Stream, or let any internet-enabled app see it, you run the risk of the photo being seen by people you don’t want to see it.

What changes need to be made to prevent these types of attacks?

Over the last 20 years, we’ve been faced with growing challenges in information security. Sadly, the best we’ve come up with is still passwords, so-called “secret questions” that are probably easily guessed, and the ability to SMS a confirmation code to a phone.

The refrain “I just use the same password for everything” is a common one. Facebook and Google accounts are starting to become the single sign-on (SSO) solution a lot of people use. This frightens me because Facebook and Google aren’t companies I entirely trust to be the keys to my online life. If a company like RSA started allowing me to use an authenticator app and an account with it as an SSO solution for my online life, I would pay a subscription fee for that.

Apple needs to improve security of iCloud backups. As I said, I’m not sure two-step authentication is a complete solution. Right now, though, it seems a little too easy to gain access to iCloud backups. This article by Christina Warren shows how Elcomsoft Phone Password Breaker (EPPB) can be used to gain access to iCloud backups without a password. Apple should also keep lists of common passwords on its servers and not allow people to use them.

Apple is making some changes, however — adding email alerts and push notifications. Raising awareness is a step in the right direction, but knowing my iCloud backup is being restored to an unauthorized device is a far cry from being able to stop it.

As users, we need to stop using weak passwords and easy-to-guess secret questions. One tip: There is no law saying the answer to your secret question needs to be an actual word. A good practice is to use 1Password to randomly create a password and use that as the answer to your secret question. If you make yourself an inconvenient target, hackers may move on to easier victims.
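
The two suggestions above, a server-side list of common passwords and a random non-word answer to a secret question, can be sketched as follows. This is an added example, not code from Apple, 1Password or the original post; the deny-list is a constructed sample and all function names are hypothetical.

```python
import math
import secrets
import string

# Constructed sample deny-list; a real service would load a large list of
# passwords seen in breaches.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "iloveyou", "letmein"}

# Undo common character swaps so "P@ssw0rd" is compared as "password".
LEET = str.maketrans("@4031$5!", "aaoelssi")

ALPHABET = string.ascii_letters + string.digits


def candidate_forms(password):
    """Normalized forms of a password: case-folded, trailing digits and
    punctuation stripped, and character swaps undone."""
    folded = password.casefold()
    stripped = folded.rstrip(string.digits + string.punctuation)
    return {folded, stripped, folded.translate(LEET), stripped.translate(LEET)}


def rejection_reason(password, context=()):
    """Return why a password is refused, or None if it is accepted.
    `context` holds account-specific words (name, user name) to ban too."""
    forms = candidate_forms(password)
    if forms & COMMON_PASSWORDS:
        return "common password"
    if forms & {word.casefold() for word in context}:
        return "derived from account details"
    return None


def random_secret_answer(length=20):
    """Random, non-word answer for a security question, from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Qwerty2014", random_secret_answer()):
        print(pw, "->", rejection_reason(pw, context=("jane", "doe")))
    print(f"{entropy_bits(20):.0f} bits in a 20-character random answer")
```

Normalizing before the lookup matters because a plain exact-match list would accept “P@ssw0rd!” and “Qwerty2014”, which are the first variations anyone guessing would try.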

5 Responses to “How we can prevent another event like the iCloud celebrity photo hack”

  1. This never ceases to amaze me –
    I have been working on Inter/Intra-net and server infrastructure since ARPANET. Yes, I am older, and have seen a lot. The one thing I never saw was any document of any kind explaining how on earth anyone could have any expectation of privacy on the Internet – period. It is patently impossible, making the answer simple – if you want privacy, keep it off the internet – period. Internet appliances are not toasters – and if you treat your personal photos or information like a piece of toast left on a table outside – don’t be surprised to see a flock of birds chipping away at it and making off with the pieces. For each and every “security feature”, there are countless back doors and holes. Some planned for internal use, others errors caused by cascading updates creating holes where there were none. With the speed of development nowadays, it is again, impossible to test all the possible scenarios, and therefore even more impossible to suggest there is any security for those who choose to throw things at some mysterious “cloud” (a roomful of servers), without knowing what they are doing. When I started working on computers in the 70’s, there were already signs of what is now here. “Captain Crunch” used a whistle from a cereal box to make “free” phone calls anywhere in the world, and there were countless other “hacks” in the works that the public was totally unaware of. Computer use required knowledge, something that has fallen by the wayside. There was no “casual” use. Imagine if you stopped all driving courses and just sold cars to anyone who waited in line for 3 days to get the newest one, with nothing more than a PDF instruction manual. Would you be surprised at the fact that 80-90 percent of these new car owners killed themselves within a week? Would you also post articles about how the car manufacturer should be responsible for these people’s “security”?
    Look – point blank – in my circles no-one gets “hacked”, no one finds naked photos of themselves anywhere – let alone the Internet, and no-one is crying about their “right” to security. That’s because we are educated users of technology and do not engage in ridiculous behavior. Recommendation: Learn about any and all devices before using the technology. If you skip that – you do it at your own peril and you are then completely to blame. If you can’t keep your naked body and every bit of your personal information off your phone – that’s not a security issue…

  2. I like how everyone glosses over the fact that it was a law enforcement backdoor that made the hack possible. Nothing to hide, nothing to fear? I wonder if JLaw feels safe from “the terrorists” right now.

  3. How about you start with:
    1. don’t take naked pics
    2. don’t take naked pics with an internet connected device
    3. don’t view the pics on an internet connected device
    4. don’t store the pics on an internet connected device
    5. don’t upload the pics to some remote server
    Or, you know, just don’t be a moron.

    And are you seriously telling people to store the pics on a PC instead of phone because ??? And then to store in a PW archive? If anyone takes the time to get the file they can easily get inside it, brute force on GPU should do the job pretty fast and it wouldn’t be a significant problem, especially when the target is high profile.