Apple (AAPL) denies that hackers who stole hundreds of private celebrity photos “breached” its iCloud service, but that doesn’t mean the company couldn’t have done a better job protecting its customers’ private information.
The controversy over the stolen photos, which included naked pictures of Hollywood stars including Jennifer Lawrence and Kirsten Dunst, could hardly have come at a worse time for Apple. The company is expected next week to unveil new iPhones that will be able to collect sensitive health data, interact with home automation systems and act as mobile payment devices.
Shares of Apple took a beating Wednesday, as word of the iCloud theft spread along with a suggestion from Pacific Crest analyst Andy Hargreaves that the stock may have reached overvalued territory. The shares were off 4.2% at the close Wednesday afternoon at $98.94, after trading as low as $98.59.
Apple blamed the theft on “a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.” But, the company added, “none of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”
The security of backups is critical because, by default, iPhones back up all photos, text messages and some other data to Apple’s iCloud service, and many users simply agree to the default. That has, no doubt, saved many users from the pain of losing beloved photos when their phones were lost or wrecked. But hackers who stole the celebrity pictures appear to have cracked passwords on the accounts using Apple’s password reset service, and then used a widely available law enforcement program to download copies of the backed-up data.
Such techniques have been used in the past to break into the accounts of actress Scarlett Johansson, Wired reporter Mat Honan and others. Given that password guessing by hackers has “become all too common,” and can even be done in an automated fashion with software programs, security experts say Apple should do more to secure iPhone users’ private data.
Jonathan Zdziarski, a top iPhone security researcher who consults with law enforcement authorities, says Apple’s statement is “very carefully worded to attempt to avoid direct blame, aka spin.”
Apple didn’t have security policies in place to better protect the data, says Zdziarski. For example, Apple’s Find My iPhone service had allowed an unlimited number of guesses at a user’s password, he notes. Apple eliminated the vulnerability this week.
Another part of the iCloud service verifies whether an email address is already in use, simplifying the task of hackers using the password-reset technique. Nik Cubrilovic, who has helped uncover previous online security vulnerabilities, says that’s a bug that should be eliminated. “Apple accounts seem particularly vulnerable because of the recovery process, password requirements and ability to detect if an email address has an associated iCloud account,” he wrote on his blog this week.
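The two weaknesses described above, unlimited password guesses and an endpoint that reveals whether an address has an account, are both policy problems on the server side. The following is an added illustration, not Apple’s code, of the defensive pattern a login and password-reset service would use to close them: a per-account failure counter with a temporary lockout, a reset endpoint that answers identically whether or not the address exists, and a dummy hash computation for unknown accounts so response timing does not leak their absence. The class and function names, the policy constants `MAX_ATTEMPTS` and `LOCKOUT_SECONDS`, and the in-memory account store are all assumptions for the example.

```python
"""Added example (not Apple's code): a login/reset gateway that throttles
password guesses per account and never confirms whether an account exists.
All accounts and policy values here are constructed for illustration."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # assumed policy: failed guesses allowed before lockout
LOCKOUT_SECONDS = 900   # assumed policy: lockout window (15 minutes)
PBKDF2_ROUNDS = 100_000 # assumed work factor for password hashing


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash so a leaked store cannot be guessed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0        # consecutive failed guesses since last success
    locked_until: float = 0.0  # monotonic timestamp; 0 means not locked


class AuthGateway:
    def __init__(self, clock=time.monotonic):
        self._accounts: dict[str, Account] = {}
        self._clock = clock          # injectable so the lockout can be tested
        self.audit: list[str] = []   # lockout events a SOC would alert on
        # Dummy credential hashed for unknown accounts, so the unknown-account
        # path costs the same as a real comparison (no timing side channel).
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(os.urandom(16).hex(), self._dummy_salt)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[email.lower()] = Account(salt, hash_password(password, salt))

    def login(self, email: str, password: str) -> bool:
        """Return True only for a correct password on an unlocked account.
        Every failure path returns the same False: wrong password, locked
        account and unknown account are indistinguishable to the caller."""
        now = self._clock()
        acct = self._accounts.get(email.lower())
        if acct is None:
            # Do the same expensive work as for a real account, then fail.
            hmac.compare_digest(hash_password(password, self._dummy_salt), self._dummy_hash)
            return False
        if acct.locked_until > now:
            # Locked: refuse even a correct password, which is what stops
            # an unlimited guessing run from ever succeeding.
            return False
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            self.audit.append(f"lockout:{email.lower()}")  # detection hook
        return False

    def request_reset(self, email: str) -> str:
        """Enumeration-safe reset: the reply is identical whether or not the
        address has an account, so the endpoint cannot be used to test addresses."""
        if email.lower() in self._accounts:
            self._send_reset_mail(email)
        return "If an account exists for that address, a reset link has been sent."

    def _send_reset_mail(self, email: str) -> None:
        pass  # mail delivery is out of scope for this example


if __name__ == "__main__":
    gw = AuthGateway()
    gw.register("alice@example.com", "correct horse battery staple")  # constructed
    for _ in range(MAX_ATTEMPTS):
        gw.login("alice@example.com", "wrong guess")
    print("locked out:", not gw.login("alice@example.com", "correct horse battery staple"))
    print(gw.request_reset("nobody@example.com") == gw.request_reset("alice@example.com"))
```

The lockout is deliberately time-based rather than permanent, so the check cannot be turned into a denial-of-service against a victim, and the `audit` list is where a real deployment would emit a log event: a burst of lockouts across many accounts from one source is exactly the signal that distinguishes a targeted guessing campaign from users mistyping their passwords.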
Apple allows users who back up their iPhone to a computer, instead of iCloud, to encrypt their backups with a unique password. Stolen backup data would be gibberish without the password. But iCloud backup doesn’t offer an encryption option.
Apple also offers a more secure form of login, called two-factor authentication, to protect some aspects of iCloud. Under the two-factor system, a user types in a password and Apple sends an additional code via text message that also must be entered to log in. But Apple doesn’t use the two-factor method for every kind of login, and restoring backups doesn’t require that additional layer of security.
Apple demonstrated just how easily it could promote more-secure passwords on Wednesday. When iCloud users with weak passwords logged in, Apple required a change to a stronger password. There was no option to stick with the weaker, if easier to remember, key.