Apple has confirmed celebrities' iCloud accounts were compromised, but says the security of its automatic backup system was not breached.
The private photographs of celebrities such as Jennifer Lawrence (pictured), Kate Upton, Kelly Brook and Rihanna were obtained in a “carefully targeted attack on user names, passwords and security questions”, Apple said in a statement.
But Apple gave no details of how the attackers obtained these pieces of information from all the celebrities involved.
In the days since the photographs were leaked, there has been speculation they were obtained by exploiting a vulnerability in Apple’s Find My iPhone service, which the company denied.
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find My iPhone,” Apple said.
Despite the denial, Apple quietly fixed the vulnerability after researchers went public with the fact that Find My iPhone placed no limit on the number of password guesses, which allowed automated tools to try passwords in rapid succession until the correct one was found.
Apple confirmed its investigators are working with the FBI to identify those responsible for breaking into the iCloud accounts.
Cloud security concerns
The incident has renewed security concerns about cloud-based services and prompted calls for better authentication processes.
The traditional model, which relies on user names, passwords and security questions, is widely considered flawed because attackers can easily get around these checks.
Independent security consultant Graham Cluley said Apple should make two-factor authentication mandatory for all users of its services.
Two-factor authentication, which improves security by requiring a one-time password, is currently optional, but Cluley said not all users know it is available.
“It would be great to see Apple make such protection mandatory, rather than an opt-in choice for the few that know about it,” he wrote in a blog post.
Following the compromise of the celebrities’ iCloud accounts, Apple recommended users choose a strong password and enable two-factor authentication.
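The one-time password mentioned above is typically a time-based code generated by an app on the user's phone. As an added illustration, not code from Apple or from any vendor named here, the following implements the standard HOTP/TOTP construction (RFC 4226 and RFC 6238) and a hypothetical `TotpVerifier` helper that accepts a code within one time step of clock drift and rejects any code that has already been used. The secret shown is the RFC 6238 test-vector secret, so the expected codes are known.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, int(now // step))


class TotpVerifier:
    """Server-side check with drift tolerance and replay rejection (hypothetical helper)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # accept +/- this many steps of clock drift
        self.last_counter = -1        # highest counter already accepted

    def check(self, code: str, now: float) -> bool:
        # Reject malformed input before any comparison
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        counter = int(now // STEP_SECONDS)
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue              # already used: a replay of a captured code
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret, not a real one
    print(totp(secret, 59))             # 287082 per the RFC test vectors
    v = TotpVerifier(secret)
    print(v.check("287082", 59), v.check("287082", 59))  # True, then False (replay)
```

The second factor only helps if the server enforces it on every login path, including password resets and legacy client protocols, which is why the calls in this article are for it to be mandatory rather than optional.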
Some security experts suggested going a step further to improve security for cloud-based services.
Calls to reduce risk
Authentication processes should be bolstered further by incorporating biometric technologies, said Raj Samani, chief technology officer in Europe for Intel-owned McAfee.
“Biometric authentication replaces passwords, taking into account human attributes such as fingerprints, voice or even facial recognition to provide a higher level of security,” he said.
The incident prompted calls for businesses to tighten their security processes to ensure they are not exposed to risk through employee use of cloud-based services.
“Corporations should be thinking about the cloud services their employees may be using to store company information and making sure that it is protected or removed from those services,” said Bob Doyle, security consultant at risk management firm Neohapsis.