Apple’s iCloud under fire over hacked celeb photos

2 Sep 2014

Just months after Apple refuted claims that loopholes in iCloud’s security lead to ransomware attacks in Australia, the California tech giant’s cloud platform is once again at the centre of attention over the hacking of celebs’ accounts and the theft of private photos.

Compromising pictures stolen from Hollywood stars such as Jennifer Lawrence and Kate Upton are understood to be the tip of the iceberg.

While no one is precisely saying there are specific problems with iCloud, the fact is this is where some of the celebs had their photos stored.

Various theories are being mulled about how the hacker accumulated the images: was one device of a celeb hacked, opening the door to other celebs’ smartphones? Were other third-party storage providers also compromised? Was it down to lax personal password security by the celebrities themselves?

Another theory being mulled, according to The Next Web, is that a Python script emerged yesterday on GitHub that allowed malicious hackers to ‘brute force’ a target account’s password on Apple’s iCloud.

Apple itself says it is actively investigating how user accounts were accessed and emphasised it takes user privacy very seriously.

According to independent security analyst Graham Cluley, former contributor to the Sophos Naked Security blog, more than 100 celebrities, including Hunger Games star Lawrence, models Upton and Cara Delevingne, actresses Vanessa Hudgens and Kirsten Dunst, reality TV star Kim Kardashian, and singer Ariana Grande are alleged to have also had their private snapshots and, in some cases, videos published for anyone to see on the internet.

Links to the images have been widely shared on sites such as 4Chan and Reddit.

While the images started appearing online in recent days, it is unknown where and when the security breach occurred. Some of the pictures apparently date back to 2011 while the most recent are understood to be dated 14 August.

One celebrity, actress Mary Winstead, said private photos that had appeared had been deleted by her some time ago.

Cluley said, “Remember, even if a photo has been deleted from your physical phone, it might still exist somewhere in a backup.

“It’s possible that whoever collected the naked images has been doing so for some time, and amassing a collection for his or her own entertainment for quite some time. If naked images of celebrities are your bag, it’s possible you would curate quite a large ‘butterfly collection’.”

But was it only Apple’s iCloud that was hacked?

No one appears to be certain at this stage. Firstly were the celebrities using Apple, Microsoft or Android devices? Some Android devices, such as HTC, for example, have an option of automatically backing up photos to other storage platforms, such as Dropbox, while Microsoft Windows Phones will encourage users to back data up to its SkyDrive service.

“There have been claims that iCloud may be involved, but it’s tricky to confirm, even if all of the celebrities affected use Apple devices,” Cluley pointed out.

“Many folks are blissfully unaware about iPhone photos being automatically sent to an Apple iCloud internet server after it is taken. That’s great in some ways – it means it’s easily accessible on our other Apple devices – but might be bad in others.

“Even if they were all using iCloud, it’s possible that there isn’t a security hole in iCloud itself but rather that celebrities had not properly secured their accounts with – for instance – hard-to-guess passwords.”

He said the celebs could have been phished or shared the password with assistants or have used the same password elsewhere on the internet.

“All this, of course, depends on knowing your target’s email address in the first place. The email addresses of celebrities aren’t, understandably, easy to determine – but if one celeb manages to get hacked their address book might be a goldmine for hackers who wish to widen their attack.

“Also, in the last few days, proof-of-concept code has been shared online which claims to brute force iCloud accounts – although it’s hard to believe that this could have been successfully used against a wide number of accounts without detection in a short space of time,” Cluley said.

Password hacker image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years