In the wake of the theft of the private data and photos of dozens of celebrities, there is at least one major culprit.
Not the alleged leakers, though obviously they’re to blame, but the company that has most prominently overstated its security in the first place: Apple.
Apple is currently delighted that people are talking about how you shouldn’t take naked photos of yourself in the first place, but make no mistake: Apple has been provably irresponsible with users’ security. It is currently unclear how the naked photos were gathered—most likely through a number of different methods and different servers over a period of months if not years.
What is clear is that Apple has had a known security vulnerability in its iCloud service for months and has been careless about protecting its users. Apple patched this vulnerability shortly after the leak, so even if we’re not sure of exactly how the photos got hacked, evidently Apple thinks it might have had something to do with it. Whether or not this particular vulnerability was used to gather some of the photos—Apple is not commenting, as usual, but the ubiquity and popularity of Apple’s products certainly points to the iCloud of being a likely source—its existence is reason enough for users to be deeply upset at their beloved company for not taking security seriously enough. Here are five reasons why you should not trust Apple with your nude photos or, really, with any of your data.
1. The vulnerability is Security 101 stuff.
Up until Monday, Apple had a significant and known brute-force vulnerability in its Find My iPhone service, where you type in your Apple ID and password on your computer in order to locate your iPhone on a map. Most services that use passwords, from Facebook to Google to banks, will lock your account or at least throttle logon attempts after a certain number of failed access tries to prevent a person who is not you from making endless guesses at common passwords.
Apple itself will do this in most places—but not through its Find My iPhone service, where hackers are allowed unlimited attempts at guessing passwords. You can endlessly try password after password as quick as you like. Once a correct Apple ID password is confirmed through Find My iPhone, a hacker then has access to your iCloud account. So a hacker could simply run an automated tool and knock on the door enough times with password guesses until he broke through. Even a decent password, like “[email protected]!” would still be vulnerable to this sort of attack. The Find My iPhone vulnerability doesn’t really rise to the level of a bug, since limiting brute-force attacks is part of the basic security design of any system—or should be.
2. The vulnerability was publicly known since May.
A Russian security group called HackApp released iBrute, a proof-of-concept tool to exploit this vulnerability, on Aug. 30. But don’t blame them, because the celebrity hacking probably took place quite a while before that. The Register publicized the lack of any sort of limit on iCloud logon attempts in May, and Apple did nothing about it, giving hackers plenty of time to bash away at accounts. Even after iBrute was publicly released, Apple didn’t patch the vulnerability until Sept. 1 and did nothing to secure accounts in the meantime. I cannot fathom how the company left this one out in the wild for months, and I suspect it will cost someone at Apple his or her job.
3. Apple defaults users into the cloud.
Clouds are wispy and ephemeral, the very opposite of secure, so why would you want to store anything in them? No one particularly does: Cloud storage has been forced on users because it suits tech companies, not because it’s what’s best for consumers. But Apple makes it very hard not to store photos in its cloud, nude or otherwise. Camera Roll automatically backs up photos (all photos) to the cloud by default, and Apple makes it difficult for average users to change the default. It’s worked. And it’s too bad, because whatever you store on the cloud has far less legal and security protection than what’s on your own computer.
Even deleting photos from your phone doesn’t delete them from the cloud, as security expert Nik Cubrilovic pointed out on Twitter. (The American Civil Liberty Union’s Christopher Soghoian has wisely suggested a “private photo” feature that doesn’t upload certain photos to the cloud.) Defaulting to the cloud is like checking baggage on an airline: People might look through your stuff, and even steal it. And like the airlines, Apple’s liability is strictly limited by the extremely generous (to Apple) agreement you sign when you purchase any of its products.
The false sense of security Apple creates by offering two-factor authentication and then not enforcing it is appalling.
4. Apple does not encourage two-factor authentication.
Two-factor authentication, in which physical possession of a particular device (like a phone) is necessary to log in to an account, is one of the most common and effective supplements to the problematic security of regular passwords. Google, Yahoo, Facebook, Twitter, and many other services offer two-factor, though rarely by default. Still, as the Daily Dot writes, “For reasons that defy all logic, Apple makes it extraordinarily difficult to enable two-step verification,” making users wait three days just to turn it on. (In other words, if you had found out about the vulnerability on Aug. 30, you couldn’t have protected yourself until Sept. 2.)
Apple barely publicizes its two-factor authentication and has not encouraged users to adopt it. Apple controls the default user experience for its products, and it has the responsibility for that default to be reasonably secure—which it currently is not.
5. Two-factor authentication wouldn’t have worked anyway.
Even if you were a celebrity who had enabled two-factor authentication, it wouldn’t have helped in this case because Apple doesn’t enforce two-factor authentication for iCloud logons even if you have it turned on as was reported by Ars Technica all the way back in May of 2013. Apple primarily uses two-factor to prevent credit card purchases, not to protect the privacy of your data. Though probably the least exploited loophole (due to the difficulty of using Apple’s two-factor in the first place), this is perhaps the most sheerly irresponsible security decision Apple has made. The false sense of security created by offering two-factor and then not enforcing it is appalling.
These are all problems Apple has known about for months, if not years, and did nothing to stop. Apple’s two-factor is still fundamentally broken, so even today Apple is still misrepresenting the security it can offer to its users. This is not to excuse any other services that may have been compromised, nor the hackers themselves. But whether or not any of these problems were directly responsible for the leak, Apple users, from Jennifer Lawrence to corporate executives to laptop musicians to you, should be out for blood, and other companies should use this as a lesson to double- and triple-check their own security stories. Apple will probably survive though. IPhones are so cool and pretty.
David Auerbach is a writer and software engineer based in New York.
© Slate 2014