Yesterday’s leak of private celebrity pictures may have exposed a major security flaw on iPhones and iPads.
Photos began circulating of high-profile celebrities like Jennifer Lawrence, Kate Upton and others across the internet yesterday. Lawrence’s publicist confirmed the authenticity of the photos, and the hackers claiming responsibility said they retrieved the photos from the Oscar winner’s iCloud account. iCloud, Apple’s online storage solution for iPhone and iPad users, stores files, photos, contacts and device backups automatically when enabled.
It isn’t unusual for a public figure with a stolen phone or weak online password to have their personal info and photos leaked. Christopher Chaney, who leaked photos of celebrities like Scarlett Johansson and Mila Kunis in 2011, accessed around 50 personal email accounts with weak password and security settings. The number of affected celebrities in this week’s case, reportedly over 100, may be a result of the same methodology over a long period of time, but early reactions indicate worry among some people about the security of iOS devices, especially with the large number of iPhones involved in the hack.
Apple uses 128-bit AES encryption when transmitting and storing photos, contacts and more over iCloud. The security protocol should make it almost impossible for a hacker without account access to intercept and read that information. The most plausible explanation for the leaks involves the affected celebrities using iCloud backups and having weak account passwords. Hackers who correctly guess a target’s iCloud logins could gain access to pictures stored in Photo Stream. In this scenario, it’s likely that only photos added to the Photo Stream would be susceptible to being accessed by outsiders without any kind of notification.
There is, however, a piece of evidence suggesting a larger problem for Apple. Data leaked from the iPhone of Justin Verlander, Detroit Tigers pitcher and boyfriend to Kate Upton, suggests the individuals responsible for the leaks obtained more than just photos uploaded to Photo Stream. Hackers released chat bubble thumbnails generated when sending a picture message, which are only accessible from a complete device backup file and not the Photo Stream. Apple’s security protocols don’t allow direct downloads of backups from the cloud to a computer. Hackers obtaining a full backup could indicate a security glitch such as Apple storing iCloud backups on their server unencrypted or a similar flaw.
Obtaining a full device backup on accounts with weak passwords would be much more difficult than accessing the Photo Stream. A hacker could in theory download Verlander’s backup from iCloud to a new device, then transfer that restored data to a computer to extract photos. But that scenario could only work if Verlander had no four-digit PIN or password on his phone and he ignored prompts generated on his existing iPhone, which notifies users when a new phone or tablet is added to the account. While other hacks in this yesterday’s leaks possibly took place years ago before the implementation of current security provided by Apple’s iCloud service, the leaks from Verlander’s phone showing iOS 7 chat bubble icons suggest hackers obtained the data within the last year. While Verlander’s data vulnerability may be a unique case such as if someone stole his phone or accessed a personal computer Verlander used to backup his phone, more leaked photos with a similar pattern could indicate an encryption flaw in the company’s cloud backup system.
For iPhone and iPad users worried about security, steps can be taken to better protect against hackers. Requiring a four-digit PIN to unlock the phone gives better protection if the phone is lost or stolen. Users should make sure to use strong iCloud and iTunes account passwords with a combination of letters, numbers and symbols as well as upper and lower case characters. At the same time, owners of iOS devices can create encrypted backups of their devices onto a PC or Mac instead of the cloud.