Hacking of nude celebrity photos on iCloud a threat to Apple

Leak of nude celebrity photos comes at a bad time for company, showing security problems in storage software the company has bet heavily on

PUBLISHED : Thursday, 04 September, 2014, 11:53pm
UPDATED : Friday, 05 September, 2014, 9:23am

With Apple expected to unveil its new generation of iPhones next week, the tech firm is on a quest to turn your smartphone into a universal remote control for your life. Want to open your garage door, set your thermostat or look over the stats for your weekly workout? Your iPhone, Apple says, will be able to handle it.

But just as the company wants consumers to let their smartphones run more aspects of their lives, Apple is doing damage control.

Apple has often displayed uncanny timing with its well-orchestrated end-of-year iPhone releases. But the leak of racy celebrity photos in the past few days has put the company in the unusual position of having to mend its image just days before a highly anticipated product launch next Tuesday.

Nude photos of Hollywood celebrities, including Oscar-winning actress Jennifer Lawrence, posted on internet forums by unknown hackers have drawn condemnation from stars and their publicists, and prompted an investigation by the United States' Federal Bureau of Investigation.

In the wake of the breach, cybersecurity experts and mobile developers have pointed to inadequacies in the security of Apple's and others' cloud services. Thousands have taken to Twitter to express their frustrations with the company.

The incident has raised new questions about how much users can trust their most sensitive data not just with Apple but other companies as well. Security experts said that companies were routinely rolling out new features and products without firming up the security of the data consumers were giving up in exchange.

"In a lot of cases, consumers don't understand that when they slide a button one way or the other that they're agreeing to upload all their data," said Dennis Fisher, security evangelist for Kaspersky Lab, an internet security firm. "It's all getting very, very convoluted and complex."

Having a company run your thermostat remotely and track something like your electricity usage may seem like a neat feature that doesn't reveal a lot of sensitive information about you. But criminals could, for example, use those trends to figure out when you're on vacation.

Apple said none of the cases related to the hacking of celebrities "resulted from any breach in any of Apple's systems".

Among security experts, the iPhone, iPad and Mac are actually considered fairly secure from viruses and hackers.

But even before the hacked celebrity photos, some were criticising Apple for not doing more to protect its users' information in the cloud. The firm, for example, offers users some more advanced security options to protect their iTunes purchases, but doesn't extend the same protections to iCloud.

Shortly before news of the hack broke, Apple instituted protections against "brute force" attacks, in which criminals try to obtain a user's information by flooding an account with trial-and-error attempts to guess the correct username and password. There's been no evidence that that weakness led to the pictures being leaked, but prominent security experts say it's a strong possibility.


New cloud platforms

The news has taken a toll on Apple's standing on Wall Street less than a week before its launch event. The stock dropped more than 4 per cent on Wednesday.

Apple is expected to launch two new iPhones with larger screens to compete with smartphone makers like Samsung. It is also expected to announce a release date for its new mobile operating system, iOS 8, which features two new cloud platforms - HealthKit and HomeKit.

They will serve as central hubs for data collected by apps that gather fitness data and information from smart appliances.

Apple has taken some notable steps to protect particularly sensitive data. For example, HealthKit data will be stored only in encrypted form on Apple devices, rather than in the cloud. The company forbids developers from using either HealthKit or HomeKit data in advertisements.

And it's also strict in reviewing apps on its store, saying on Wednesday that it will reject apps that could threaten user security or that even feel "creepy".

But the company is far more reluctant than its competitors to speak with outside experts about its cloud security practices, making it difficult to objectively determine how secure its services are. That reluctance also limited its chances to head off vulnerabilities before they turned into hacks, as Google and Microsoft did, researchers said.

"Apple has to be more open to the security community," said Alexey Troshichev, founder of Russian security firm HackApp, who first identified the brute force weakness.

If Apple, the most valuable company in the world, prized security more highly, it could effect real change in the consumer tech world, experts said.

So what, exactly, is keeping Apple from making its services more secure?

Perhaps the difficulty of making security easy for the average person to understand, said Lorrie Cranor, a professor at Carnegie Mellon University who focuses on privacy.

It might take a really big problem to get any company to devote the resources to making secure services that are also easy to use.

Cranor noted, for example, that it took the revelation that the US National Security Agency was tapping into consumer technology firms for data to get companies such as Google and Yahoo to encrypt their information by default - something security experts had advocated for years.

"If Apple is concerned that people won't buy their products because they won't trust them, then they will have the incentive to fix this problem," she said.

"I can only guess that they've done the calculation and decided it's not that big a deal yet."

Additional reporting by Reuters