NovaBACKUP Security Blog

iCloud Hack: Apple Vulnerability Reveals More Than Security Breach

Cloud file-sharing services like Apple iCloud have almost become synonymous with cloud backup, but in reality they are not the same thing. Online or cloud file sharing services were originally designed to make it easier for users to upload and download files that were simply too large to email. Cloud file sharing services have exploded into a rapidly growing market that allows users to access and share photos, videos and document files on the go from anywhere. But as these services become more mainstream, the question becomes: how secure is our data, and should we be concerned about the safety of our personal files in the cloud? My response is yes…we should be concerned, and the latest iCloud hack only proves this point. At least with backup software you can encrypt your backups and then save them to the cloud (even if they are then synced with a file sharing service). For information on the difference between cloud backup and file sharing, read our post, What Do You Mean Dropbox / Onedrive / Google Drive isn’t Backup.

iCloud Hack: The concern about data leaks due to cloud hacks is real.

Who Was Affected by the iCloud Hack?

The recent iCloud hack should raise some eyebrows, not just because nude celebrity photos were leaked onto the Internet, but also because it shows that cloud file sharing services are not impenetrable…and our files may not be as secure as we previously thought. The security of our data, no matter where it is stored, should be of the utmost priority. No one should ever have to go through the utter devastation that celebrities like The Hunger Games star Jennifer Lawrence and model Kate Upton (among over 100 others) now face: their private and very personal photos were leaked onto the Internet at the hands of a group of hackers who broke into their iCloud accounts. If Apple’s iCloud service can be hacked, so can others…no file sharing service on its own is 100% secure.

How Hackers Cracked into Hundreds of iCloud Accounts

While there are several theories as to how this could have happened, the leading theory is that the vulnerability was in Apple iCloud’s “Find My iPhone” app service, which is designed to help users locate lost or stolen iPhones, laptops and iPads. Typically there are security measures in place that lock users out after a password is entered incorrectly three to five times, to prevent so-called brute force attempts to gain access to users’ password data. The flaw in the “Find My iPhone” service resulted from NOT having any type of lockout system in place. This vulnerability gave hackers a means to make an unlimited number of password guesses, which they allegedly did using software on GitHub called iBrute to automate the guessing process. Once these hackers had gained access to users’ Apple ID login credentials, they were able to use that same password to log in to the users’ iCloud service and retrieve their personal photos...and to make matters worse, these hackers uploaded these nude celebrity photos to a photo sharing site, and they were then spread through social networks. No one, no matter what their celebrity status, should be subject to such a complete and utter invasion of one’s privacy.

In the aftermath of the nude photo scandal, Apple has reportedly fixed this security flaw by placing a five-attempt lockout on Apple ID passwords for the “Find My iPhone” service. Now the question becomes: what can we do to protect ourselves so that we are not vulnerable to the next attack?
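To illustrate the fix described above, here is an added example (not Apple's code and not part of the original post) of a five-attempt lockout enforced in the one component that verifies passwords, so that no single service can be left without it. The endpoint names, the 15-minute lock duration and the PBKDF2 parameters are assumptions made for the sketch.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5            # the five-attempt limit described in the post
LOCKOUT_SECONDS = 15 * 60   # assumption: the post gives no lockout duration


class CredentialChecker:
    """The one place passwords are verified, so all services share one counter."""

    def __init__(self):
        self._users = {}         # account -> (salt, derived key)
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> timestamp when the lock expires

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, account, password):
        salt = os.urandom(16)
        self._users[account] = (salt, self._derive(password, salt))

    def verify(self, account, password, now):
        """Return 'ok', 'denied' or 'locked'; `now` is a timestamp in seconds."""
        if now < self._locked_until.get(account, 0):
            return "locked"  # refuse without checking the password at all
        salt, key = self._users.get(account, (b"\0" * 16, b""))
        if hmac.compare_digest(self._derive(password, salt), key):
            self._failures[account] = 0
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account] = 0
        return "denied"


checker = CredentialChecker()  # shared by every endpoint below


def main_login(account, password, now):            # hypothetical endpoint
    return checker.verify(account, password, now)


def device_locator_login(account, password, now):  # hypothetical endpoint
    return checker.verify(account, password, now)
```

Because both endpoints call the same checker, failed guesses count toward one limit no matter which service receives them, and a locked account is refused even when the correct password is supplied.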


What We Can Learn From this Vulnerability

This vulnerability, which has become very real for the victims of this attack, should be a wakeup call for all of us. None of us are exempt, and all of us need to take the steps necessary to protect ourselves online. One way we can protect ourselves is to choose stronger passwords that are longer and include a combination of letters, numbers and symbols. Secondly, do not use the same password for multiple online accounts. The last thing you want is to have one vulnerability lead to a complete compromise of your entire virtual landscape.

In an attempt to increase the security of your iCloud account, Apple now offers optional two-factor authentication, which allows users to secure their iPhones and iPads with a second layer of security. Here is more info on how to set this up directly from Apple support. That being said, the verification code that is sent to your phone appears on the lock screen, so anyone who has your phone would be able to access this code without unlocking it, which in my opinion defeats the purpose of this added security measure. You can read more about this in an informative blog post called Apple Two-Factor Authentication and iCloud.

Lastly, you may want to consider setting up secure backups of your files and photos using software like NovaBACKUP, and then syncing your backups to the cloud so that the data stored in the cloud is encrypted.