2 September 2014

The iCloud leak: weak security isn’t only a problem for Apple’s backup service

Apple's cloud backup service, iCloud, has emerged as a likely weak link in the leaking of personal photographs of celebrities this week - but with online security, there are many possible ways for sensitive personal information to leak.

By Lauren Razavi

This week the world has experienced the biggest leak of naked celebrity photos in the history of the internet. And where did these photos come from? Apparently, straight from the smartphones of the celebs in question – obtained by a hacker (or hackers) and uploaded to image-sharing message board 4chan.

But what has quickly become known across the internet as “The Fappening” (seriously) has more significant implications than the revealing of famous people’s private parts. When the hysteria has died down, the important question is, should everyday iPhone users be concerned about data security?

The answer seems to be no. Although this historical event is being referred to as “an iCloud leak”, Apple has not confirmed that its servers were hacked and has yet to issue a statement on the issue. The broad consensus among security experts is that a straight Apple hack is an unlikely explanation. As you’d expect, there are a number of competing theories about exactly how these photographs were obtained.

The most prevalent idea is that this leak is the result of clever guesswork, amplified through a programme from web developers’ site GitHub. The software, ibrute, allows programmers to take advantage of a flaw in Apple’s “Find My iPhone” feature to input hundreds of passwords on iCloud accounts without being locked out. The fault has since been fixed by Apple as a result of ibrute’s appearance online.
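The gap described above, seen from the defending side, as an added example that is not from the article or from Apple: a failed-login lockout only protects an account if every endpoint that accepts a password shares the same per-account counter. The endpoint paths, thresholds and sample events below are constructed assumptions.

```python
from collections import defaultdict, deque

class AccountThrottle:
    """Sliding-window lockout keyed by account, meant to be shared by all login endpoints."""

    def __init__(self, max_failures=5, window_s=900, lockout_s=1800):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time at which the lock expires

    def record(self, account, success, now):
        """Register one attempt; return False if it was rejected without checking the password."""
        if self._locked_until.get(account, 0) > now:
            return False
        if success:
            self._failures.pop(account, None)
            return True
        recent = self._failures[account]
        recent.append(now)
        while recent and recent[0] <= now - self.window_s:
            recent.popleft()                 # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            recent.clear()
        return True

def evaluated_attempts(events, throttles):
    """Count password checks actually performed.

    events: (timestamp, endpoint, account, success) tuples.
    throttles: endpoint -> AccountThrottle, or None for an endpoint with no lockout.
    """
    return sum(
        1 for ts, endpoint, account, ok in events
        if throttles.get(endpoint) is None or throttles[endpoint].record(account, ok, ts)
    )

# Constructed sample: 200 failed guesses, one per second, sent to a secondary endpoint.
SAMPLE = [(t, "/device-locator/login", "user@example.com", False) for t in range(200)]

def demo():
    # Weak setup: the main login is throttled, the secondary endpoint was left out.
    gap = {"/login": AccountThrottle(), "/device-locator/login": None}
    # Corrected setup: both endpoints consult one shared per-account throttle.
    shared = AccountThrottle()
    fixed = {"/login": shared, "/device-locator/login": shared}
    return evaluated_attempts(SAMPLE, gap), evaluated_attempts(SAMPLE, fixed)

if __name__ == "__main__":
    print(demo())
```

With the secondary endpoint left out, all 200 guesses are checked; with the shared throttle, the account locks after the fifth failure.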

Weaknesses in cloud storage could be to blame, but not just iCloud. The Dropbox and Google Drive services have also been cited as possible culprits, given that some of the leaked photos were taken on webcams and Android devices as well as iPhones. Additionally, many people use the same passwords across multiple accounts, so discovering a person’s login details for one service could easily result in access to another.

A more peculiar line of thinking suggests that the WiFi service at last month’s Emmy Awards was compromised, giving hackers access to the data on connected devices. A phishing scam – when websites masked as official services request and steal login details – is also a strong possibility.

Given that a full-scale infiltration of iCloud servers is unlikely, there are few measures that individuals can take to protect themselves, at least until the source of the leak has been confirmed. Users can take advantage of the extra security offered through the two-step verification process for Apple IDs, a service that provides additional protective measures so that accounts are more difficult for intruders to access.

The general security guidelines of many apps and web services also advise users to create unique usernames and passwords for each account they have, and to change those passwords periodically. In the case of a data leak through a programme like ibrute, however, such measures wouldn’t necessarily do much to assist. When it comes to online security, our model of passwords seems fundamentally flawed.