Lessons From the Celebrity iCloud Photo Breach

Based on initial media reports, it seems that intimate, private photographs from several celebrities' online accounts have been accessed without their consent and widely shared on the Internet. For now, many details about the breach (or breaches) remain unclear. One working theory, which is supported by anecdotal evidence, suggests that a security vulnerability in Apple's iCloud service may have been exploited to gain access to the celebrities' accounts and download their photos.

The blame game

In the flurry of news after the photos surfaced, several commentators smugly suggested that some blame should fall on the victims, either because they used weak passwords, or because they were using their phones to take sexually explicit photographs. This is ridiculous.

These celebrities exhibited behavior that is perfectly normal. As researchers like Joseph Bonneau have documented at length, most people choose bad passwords, and reuse them for multiple accounts. Similarly, the fact that these celebrities took sexually explicit photographs of themselves or were photographed by their partners using mobile phones is just further evidence that deep down, celebrities are just like the rest of us. As the old saying goes, the best camera is the one that's with you, and as our cell phones have morphed into tiny computers with the ability to shoot photos and movies, it isn't surprising that people are using them to capture private moments too.

For the victims whose privacy has been violated, this experience is awful. For the rest of us, it can be a teaching moment and an opportunity to think about what we expect from the companies that build the devices and online services we trust with our most private information.

Could Apple have prevented this?

According to media reports, a long-standing vulnerability in Apple's "Find My iPhone" service was exploited to gain access to iCloud accounts. Many online services temporarily lock access to an individual account after a few failed login attempts, in order to prevent a so-called brute-force attempt to crack the account's password by repeatedly trying common passwords until the correct one is discovered. Most of Apple's services had used such a rate-limiting mechanism, except the Find My iPhone service. Apple has, over the past few days, fixed this issue.
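An added example (not code from the original article or from Apple) of the temporary lockout described above, with the failure counter kept per account in one shared object so that no login endpoint can skip it. The class and function names, the thresholds and the sample credential are assumptions made for illustration.

```python
import hmac
import time

class AccountLockout:
    """Temporary per-account lock after a few failed logins."""
    def __init__(self, max_failures=5, lock_seconds=300, clock=time.monotonic):
        self.max_failures, self.lock_seconds, self.clock = max_failures, lock_seconds, clock
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> clock value at which the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:          # lock expired: start counting afresh
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record(self, account, success):
        if success:
            self._failures.pop(account, None)
            return
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lock_seconds

def login(lockout, verify, account, password):
    """The one authentication path every endpoint calls (hypothetical name)."""
    # Check the lock before the password, so a locked account gives no
    # feedback on further guesses, even a correct one.
    if lockout.is_locked(account):
        return "locked"
    ok = verify(account, password)
    lockout.record(account, ok)
    return "ok" if ok else "denied"

def demo():
    now = [0.0]                                    # fake clock, in seconds
    lockout = AccountLockout(max_failures=3, lock_seconds=60, clock=lambda: now[0])
    secret = b"constructed-sample-passphrase"      # constructed test credential
    verify = lambda account, pw: hmac.compare_digest(pw.encode(), secret)
    results = [login(lockout, verify, "alice", g) for g in ("guess-1", "guess-2", "guess-3")]
    results.append(login(lockout, verify, "alice", secret.decode()))  # still locked
    now[0] += 61                                   # lock window has passed
    results.append(login(lockout, verify, "alice", secret.decode()))
    return results
```

Because the counter is keyed by account rather than by endpoint, failed attempts against any one service count toward the same lock.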

In the days and weeks to come, Apple will no doubt be justifiably criticized for failing to protect the Find My iPhone service with a rate-limiting mechanism. There are, however, other deeper issues worth probing, such as the default security settings that mobile phones ship with, and the extent to which these devices and synchronized online services can withstand an attack by determined adversaries.

One password to rule them all

It is likely that many of the victims also had poor-quality passwords, which made it easier for the hackers to gain access to their accounts. The use of poor, low-entropy passwords is not specific to Apple accounts – but Apple requires its customers to enter their password on their phones whenever they wish to download an app from the company's App Store, even for free apps. This encourages users to pick short, easy-to-enter passwords.

No doubt, Apple's privacy and security teams will be carefully analyzing the security of their authentication systems as a result of this incident. Apple should seriously consider letting users set a short, easy-to-remember password or PIN for on-device entry when installing apps from the App Store, which would allow them to keep a longer, higher-quality password for remote access to iCloud.

The downside to default, automatic cloud backups

It appears that iOS devices are automatically opted in to Apple's Camera Roll feature, which uploads all photos to Apple's iCloud backup service. As a result, many users are likely using this service without realizing it and so do not understand the associated security and privacy risks.

There are, no doubt, useful aspects to nudging users towards automatic online photo backups – they ensure that a lost or stolen iPhone does not result in the permanent loss of photos, without requiring that the device owner first configure a backup service. Similarly, photos taken during a protest are instantly archived online, which can be particularly useful if police seize phones or force people to delete photos they have taken.

Automatic online backups of photographs may be appropriate for photos of your friends, kids, and pets. However, given that people also routinely take intimate, private photos with their smartphones, automatic backups may not always be desirable. One obvious solution to this is to provide users with an easy way to take private photos that won't be uploaded, while still offering the convenience of automatic backups for the majority of photos that aren't sensitive.

The need for a private photo mode

Apple, Google, Microsoft, and Mozilla already include "private browsing" modes in their web browsers. Clearly, these companies recognize that there are certain activities that their customers will engage in online that should remain private (or at least should not be revealed in the browser's history).

One thorny problem with these private browsing modes is that the companies steadfastly refuse to publicly acknowledge how they are actually used – that is, instead of recognizing that they are used by millions of people to look at pornography, the companies instead describe them as being useful for shopping for engagement rings or looking up health information. No doubt, these are occasional uses, but they aren't the majority use. The companies know this, but they don't want to admit it.

This prudish approach to describing private browsing may make life easier for the companies' marketing departments, but it also seriously undermines user education efforts when the companies refuse to describe how their products and services are actually used. Effective privacy education should not be communicated with a nudge and a wink.

Apple, Google and the other big tech companies should acknowledge that millions of their customers regularly use their products to engage in sensitive, intimate activities. These companies can and should offer a "private photo" option for sensitive photos that prevents them from being uploaded to the cloud. More importantly, they should treat their customers like grownups and educate them about how they can use their products and services to engage in intimate activities, as safely as possible.


Wil C. Fry

I've never owned (and won't own) an iDevice, so I can't speak for them. But none of my smartphones have uploaded anything by default. My current phone (Motorola Droid 4) does not upload anything without asking me. I was surprised to see this plea for phones to have such a setting, since I assumed all of them did.

Anonymous

Actually, there is no evidence that brute force techniques were used to compromise iCloud. There was some initial media speculation, but that is it. There may have been a flaw recently patched but no evidence of it, and Apple has said that Find My iPhone hacks were not the issue.

As well, subsequent investigation by Nik Cubrilovic suggests that this was not what people were doing.

http://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/

There certainly are many ways that Apple could improve security, but making definitive statements about how hackers accessed files based on initial media speculation is misleading.

Andy C.

Use common sense. If you have something on your mobile device you do not want others to see do not put it on your mobile device. I am not blaming the victims but am just stating the way that it is.

Anonymous

Yeah right...and like PC NEVER has breach-able equipment. Get a clue.
I have android and that's how the assholes stole my money, by breaching all the security Samsung SUPPOSEDLY had in place as well as the security my BANK had in place.

Anthony Endres

Well, the rich, the powerful and the famous naked selfie-pornographic ones ( he he he) hopefully now realize that they too are not secure, not exempted nor protected from the immense privacy rights insecurities as well as violations, and intellectual property rights NSA/GCHQ's abhorrent blankly blank unwarranted global mass surveillance programs and hideous secret private neoconservative tech corporate alliances' introduced back-doors in anything electronic made by our too big to jails and fails?

With the NSA criminal dragnet fully intact, NO ONE's privacy will be ever really "private". It's in the nature of the Beast called: A group of secretive people armed with near-absolute what-ever-it-takes powers!

else electronic

Love this blog! So much information about technology! Agree with you, Andy... just don't put it in your mobile device :)

else-electronic

Anonymous

"One thorny problem with these private browsing modes is that the companies steadfastly refuse to publicly acknowledge how they are actually used"

But ... they can't publicly acknowledge this since private mode prevents them from gathering data to support that assertion.

I suggest that you also update this article. It has inaccuracies -- there was no security flaw in iCloud that was compromised, user passwords were guessed using a list of common weak passwords -- and is being linked to from many sources.

http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time

Anonymous

Although it turns out that iCloud backup and Photo Stream are turned on by default soon after setting up an iCloud account, this article shows clearly that users are aware of that, given that the screen is right in their face.

http://gigaom.com/2011/10/12/how-to-set-up-icloud-on-your-iphone-or-ipad/
