So why are we writing about it? Well, it seems that the cloud service that held the photos is none other than Apple’s iCloud. This storage service is set up through your iPhone and lets you share your documents and photos or simply keep a backup in the cloud (you can still back up locally using iTunes). Android phones have a similar backup service tied to the Google account. Both are actually pretty good ideas when you get down to it, provided the services are secure and designed to prevent unauthorized access.
In the case of Apple’s iCloud, security researchers are now pointing to a flaw in the Find My iPhone service that allows a malicious individual to make as many attempts at a user’s password as they want. There is no lockout that stops them after a few failed attempts. One endpoint that accepts the Apple ID password without a limit is all it takes; a lockout on the main login page does nothing if another service checks the same credential without one. This leaves the system open to dictionary attacks and, given enough time, to full brute-force attacks. In the stolen photo case it is more likely the individuals ran a dictionary attack, trying a list of simple or common passwords against the accounts of high-profile people and grabbing the photos from any account whose password matched the list. A Python script designed for exactly this purpose was also found posted on GitHub.
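The flaw described above, reduced to a runnable illustration. This is an added example, not Apple’s code and not the script that was posted to GitHub: two login checks share one credential store, one with no lockout (the behaviour attributed to the Find My iPhone endpoint) and one that locks the account after a few failures, and the same small dictionary is run against each. The class names `UnthrottledAuth` and `LockoutAuth`, the `dictionary_attack` helper, the password list and the accounts are all constructed for the example.

```python
# Added illustration: an authentication check with and without a failed-attempt
# lockout, and a dictionary attack run against each. Constructed example; not
# Apple's code and not the script that was posted to GitHub.
import hashlib
import hmac
import os
import time

# Constructed sample wordlist; a real dictionary attack uses far larger lists.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "Password1"]


class AccountLocked(Exception):
    """Raised when an account is inside its lockout window."""


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly; use far more in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)


class UnthrottledAuth:
    """Accepts unlimited guesses: the behaviour attributed to the Find My iPhone endpoint."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)


class LockoutAuth(UnthrottledAuth):
    """Same credential store, but locks an account after max_failures bad guesses."""

    def __init__(self, accounts, max_failures=5, lock_seconds=900, clock=time.monotonic):
        super().__init__(accounts)
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock  # injectable so a test can advance time
        self.failures = {}  # username -> (consecutive failures, locked_until)

    def login(self, username: str, password: str) -> bool:
        count, locked_until = self.failures.get(username, (0, 0.0))
        now = self.clock()
        if now < locked_until:
            raise AccountLocked(f"{username} locked for {locked_until - now:.0f}s")
        if super().login(username, password):
            self.failures.pop(username, None)  # a success clears the counter
            return True
        count += 1
        if count >= self.max_failures:
            locked_until, count = now + self.lock_seconds, 0
        self.failures[username] = (count, locked_until)
        return False


def dictionary_attack(auth, username: str, wordlist):
    """Try each word in order; return (password or None, guesses attempted)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        try:
            if auth.login(username, candidate):
                return candidate, guesses
        except AccountLocked:
            return None, guesses  # the lockout ended the attack early
    return None, len(wordlist)


def demo():
    # Constructed accounts: one weak password from the list, one strong passphrase.
    accounts = [Account("victim", "letmein"), Account("careful", "correct horse battery staple")]
    return {
        "unthrottled": dictionary_attack(UnthrottledAuth(accounts), "victim", COMMON_PASSWORDS),
        "lockout": dictionary_attack(LockoutAuth(accounts, max_failures=3), "victim", COMMON_PASSWORDS),
        "strong_password": dictionary_attack(UnthrottledAuth(accounts), "careful", COMMON_PASSWORDS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against the unthrottled check the weak password falls on the fourth guess; against the lockout the attacker is cut off after three failures and never reaches it, and the strong passphrase survives the whole list either way. A per-account lockout on its own is not the whole answer: it lets an attacker deliberately lock a victim out, and an attacker who spreads a few guesses across many accounts stays under the threshold on each, so in practice it is paired with per-source rate limits, progressive delays and a second factor. The point the case makes is narrower: whatever limits exist must cover every endpoint that accepts the credential.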
Both Apple and the FBI are looking into the hack and the subsequent release of the stolen images. PR reps for one star called it “a flagrant violation of privacy”, while some authors have described the theft, the posting, and the clamor of some people to view the images as a form of digital rape.
The situation, while terrible, might actually be put to some good use. In the past the push has been to force companies to do the right thing and protect people’s data when it is stored on their services. This push has often fallen on deaf ears (as we have reported in the past). The reason is that too many lawmakers are very willing to sacrifice privacy for what they feel is security. By not requiring basic checks and security measures from corporations, they help create the environment that allows things like this to happen. Simply put, there is no privacy without security.
Meanwhile, Apple’s treatment of security researchers who are trying to help keep its services secure has not always been what it should be. Apple quite often ignores, bans, or even pursues under existing law researchers who find holes in its systems. There is simply no legal protection for researchers right now, though there should be. Instead Apple runs on the old plan of security by obscurity. That will not keep working now that they are no longer a small player. The number of iPhones and other iDevices on the market has pushed them out of the shadows. They are in big boy country now and have to start acting like it.
Tell us what you think in our Forum