In the wake of leaked nude photos of Jennifer Lawrence and multiple other celebrities like Kate Upton appearing online on Sunday, many people are reporting that Apple's iCloud storage service was the source of the leak.
The anonymous hacker who originally posted the images on renowned internet forum 4Chan claimed the images of celebrities like Lawrence, Upton, Ariana Grande, and Kirsten Dunst were taken from their iCloud accounts.
But is this likely? How could the hacker have accessed so many accounts, and does it mean all iCloud users should be worried?
Firstly, while some of the stars involved, notably Lawrence, have seemingly confirmed the leaked images are real, it is far from certain that Apple's iCloud was the source used by the hacker. Apple has yet to respond to multiple requests for a comment on the matter.
If, however, the hacker isn't lying and it was through iCloud that the photos were stolen, then it's highly unlikely that the hacker was able to breach Apple's security in general. More likely, the hacker targeted specific victims using a combination of social engineering and inherent flaws in Apple's system.
Here's how such an attack would work:
Get the victim's iCloud email address: While getting a celebrity's email address may not seem like the easiest piece of information to obtain, a quick Google search for Jennifer Lawrence's email address throws up a Time article from June about her new email address, as well as a story from January about Lawrence's mobile phone being found in the back of a taxi. With a combination of information readily available online and some social engineering, it is not an impossible task to uncover a celebrity's email address.
Crack the iCloud password: This is a little bit more tricky, but there are three options available - social engineering, cracking the password or using Apple's "Forgot my password" route.
- Using social engineering, a hacker could trick the victim into sending them their password details. Hackers typically would send an email to their victims which looks like it comes from Apple asking them to update their account details etc.
- If that doesn't work, then the hackers could try what is known as a brute force attack where vast lists of the most popular passwords are tried using an automated program.
- Finally, Apple has a "Forgot my password" system, but to get past this a hacker would need to know the victim's birthday (information widely available for celebrities) plus answer two out of three security questions. Considering the amount of information available about celebrities online, these questions could be relatively easy to answer.
Download the iCloud data: Once you access an iCloud account online you will notice you are not able to see any of the photos or videos which are automatically uploaded from your iPhone or iPad. However, there are a number of pieces of software available (such as Dr. Fone for iOS) which will allow you to automatically download all iCloud content to your PC before letting you extract and view all the content - and potentially leak it online.
So, should all iCloud users be worried?
The short answer is no. The hacker hasn't been able to crack Apple's security in a way that gives them access to all of Apple's hundreds of millions of users. However, what this does show is how vulnerable iCloud can be if you don't take the proper security measures.
How to better protect your iCloud account
While it will likely never give you 100% peace of mind, there are a number of steps to make it much more difficult for a hacker to break into your account.
The first step anyone should take is to turn on two-step verification for your iCloud account. This system means if someone tries to log into your account from a computer other than a list of your trusted devices (your iPhone/laptop etc.) they will need to supply a four-digit security code which is sent to your phone each time.
It means that unless the hacker has access to your phone they won't be able to access your iCloud account and download its contents.
The second thing to do is to make your security questions more complex than your date of birth, your pet's name or your home address, all pieces of information which are more than likely already out there on the internet somewhere - especially if you are in the public eye.
Finally, and this goes for all online services, just making your password more secure will at least help prevent hackers being able to use brute force attacks to crack your account.