Apple and FBI launch iCloud hack investigation

Apple and FBI investigate the breach of Apple’s iCloud causing fresh business concerns over cloud security

Apple and FBI are investigating the publication of nude celebrity photos online after Apple’s iCloud was allegedly hacked.

The private photographs of celebrities such as Jennifer Lawrence, Kate Upton, Kelly Brook and Rihanna were uploaded by hackers.

But Apple has so far remained tight-lipped about claims that hackers managed to access photographs automatically backed up to its iCloud service.

A publicly released script called iBrute has been linked to the alleged attack because of its ability to exploit a weakness in the login interface of Apple's Find My iPhone service.

The Find My iPhone login endpoint imposed no limit on the number of password guesses and did not lock an account after repeated failures, so the script could work through a list of common passwords at speed until one was accepted. Because an Apple ID is simply an e-mail address, an attacker needed only a victim's address and a weak password to get in.

But Apple has patched the flaw, and the service now has a five-attempt limit, according to Digital Spy.
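The mechanism described above, as an added example that is not code from the article, from Apple or from iBrute: a simulated login service run once with no attempt limit and once with a five-attempt lockout, and a small dictionary attack against each. The account store, the password list and the limit are constructed here for illustration; Apple's real endpoint and iBrute's wordlist are not reproduced.

```python
"""Added example: why an unlimited-guess login endpoint falls to a small
dictionary attack, and how a per-account attempt limit stops it.

Everything here is constructed for illustration (hypothetical accounts,
a stand-in wordlist, a toy password store); it is not Apple's code.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the toy store does not keep plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class LoginService:
    """max_attempts=None reproduces the unlimited-guess behaviour;
    a positive value locks the account after that many failures."""

    def __init__(self, max_attempts=None):
        self.max_attempts = max_attempts
        self.accounts = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "invalid"  # same answer as a wrong password: no user enumeration
        if acct.locked:
            return "locked"   # even the right password is refused once locked
        if hmac.compare_digest(acct.digest, _hash(password, acct.salt)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.max_attempts is not None and acct.failures >= self.max_attempts:
            acct.locked = True
            return "locked"
        return "invalid"


# Constructed stand-in for a common-password wordlist (not iBrute's list).
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou",
            "princess", "sunshine", "baseball", "monkey", "dragon"]


def dictionary_attack(service: LoginService, user: str, wordlist):
    """Try each candidate in order. Returns (password_or_None, guesses_made)."""
    for n, guess in enumerate(wordlist, start=1):
        result = service.login(user, guess)
        if result == "ok":
            return guess, n
        if result == "locked":
            return None, n
    return None, len(wordlist)


def demo():
    # Hypothetical victim who chose a weak password that sits late in the list.
    unlimited = LoginService(max_attempts=None)
    unlimited.register("victim@example.com", "monkey")
    limited = LoginService(max_attempts=5)
    limited.register("victim@example.com", "monkey")
    return {
        "unlimited": dictionary_attack(unlimited, "victim@example.com", WORDLIST),
        "limited": dictionary_attack(limited, "victim@example.com", WORDLIST),
    }


if __name__ == "__main__":
    for name, (pw, n) in demo().items():
        print(f"{name}: recovered={pw!r} after {n} guesses")
```

Against the unlimited service the attack recovers the password on the ninth guess; against the five-attempt service the account locks on the fifth failure and the attack gets nothing. A per-account lockout alone is not the whole answer, since an attacker with many target addresses can still spread guesses across accounts, which is why an attempt limit is normally paired with per-source rate limiting and a second factor.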

There is still no concrete evidence that the images were stolen from iCloud, and some commentators have suggested that several separate compromises, rather than a single breach, may have been used to obtain the photographs from the mobile phones of A-list celebrities including Jennifer Lawrence and Kate Upton.

Lawyers acting on behalf of Jennifer Lawrence and Kate Upton have threatened legal action against anyone found disseminating or duplicating the illegally obtained images.

Calls for Apple to tighten security

Despite the lack of evidence of an iCloud leak, the incident has prompted calls for Apple to make two-factor authentication mandatory for all users of its services.

Currently, two-factor authentication, which improves security by requiring a one-time code in addition to the password, is optional. But independent security consultant Graham Cluley said not all users know it is available.

“It would be great to see Apple make such protection mandatory, rather than an opt-in choice for the few that know about it,” Cluley wrote in a blog post.   

The hack has also raised renewed concerns about the security of cloud-based backup and storage services.

Data transparency and biometrics

But some security commentators say the shift from data stored in one physical location to seamless cloud synchronisation creates a near total lack of transparency about the location of data.

“When you take an action on your phone, and it synchronises to your laptop and tablet, that data is almost certainly going somewhere else, stored and backed-up,” said Tim Erlin, director of security and risk at Tripwire.

“Each of these locations and systems in which the data exists creates a vector for attack that must be protected. We are largely at the point where nothing you do on your iPhone can be considered private.”

To stay ahead of hackers it is important to use a new trust model that incorporates technologies such as biometric authentication, said Raj Samani, chief technology officer in Europe for Intel-owned McAfee.

“Biometric authentication replaces passwords, taking into account human attributes such as fingerprints, voice or even facial recognition to provide a higher level of security during the authentication process,” Samani said.

Cloud security warning to businesses

The alleged iCloud breach should be a warning to businesses, said Eduard Meelhuysen, vice-president for Europe at cloud analytics and policy enforcement firm Netskope.

“Even if organisations do not think they are using iCloud, their employees undoubtedly are,” Meelhuysen said.

But with services such as iCloud an essential part of users' lives, Meelhuysen said blocking their use in a business environment is not an option.

“To protect sensitive corporate data, organisations need to understand what data is being moved into cloud-based services and what users are doing with that content,” he said.

“Rather than block iCloud, or any app for that matter, organisations should try to shape usage by stopping risky behaviours such as uploading personal identifiable information or sharing sensitive content outside the company.

“That way you can mitigate risk while enabling the use of cloud in your business.”
