Apple has a very large problem right now.
I’m not talking about legal liability over the nude celebrity photos and videos being posted all over the internet right now (dubbed “The Fappening”), although I think that’s also an issue. Celebrities tend to have aggressive attorneys, and the damages here are extreme – some celebrities have had careers ended from leaked photos (while others have benefited).
But a much larger crisis looms – everyone, and I mean everyone, now knows that everything private they’ve done with their iPhone, if they use iCloud, is not only vulnerable, but extremely vulnerable.
The Next Web says that a tool that allows brute force attacks against the Find My iPhone service gives hackers a way into iCloud.
That may or may not be what’s actually going on. Hacker Nik Cubrilovic, for example, says it isn’t slowing people down from accessing new accounts:
Apple patching FindMyPhone API isn't slowing down the celeb pic groups – watching them attempt to break new accounts right now on a forum.
— nik cubrilovic (@nikcub) September 2, 2014
And it doesn’t really matter. Even if Apple fixes the problem, or has fixed the problem with the patch they just released, or even if all of this was caused by something else entirely, they’re still screwed. The damage, the massive damage, has already been done, and people associate it with Apple.
Because everyone now understands that their phones aren’t secure. Even things they thought they deleted are vulnerable. That’s something that will haunt Apple for a decade.
I’m not talking about people who trade their iPhones for Android devices. That isn’t a big issue, and Android isn’t any more secure than Apple anyway.
I’m talking about the fact that people won’t feel the same way about their phones after this. Your phone is no longer a part of you. It’s a weapon, pointed at you.
@stuartdredge @arrington My guess is Tim Cook’s script is being radically re-written for next week.
— Mike Butcher (@mikebutcher) September 2, 2014
I don’t think it’s going to pan out that way. The people who [truly] care about their phones being secure know darn well that it’s not, nor will it ever be. Same for their laptops, etc. On the other hand, the bulk of the population won’t give a flying “duck” (as Apple’s own autocorrect would put it) about it, just like they don’t care if their PCs get wrangled in a botnet because they couldn’t be bothered to press “OK” on the systems update prompt.
No hack or exploit was involved here. Poor security practices on the parts of the victims. This will be a monumental disappointment to Apple haters, but basically blaming Apple is like blaming the lock manufacturer when you decided to have multiple locks on multiple doors all with the same key and you left a copy under the doormat.
Agree, 90% of negative comments re: Apple security are based on Apple haters. We need to find exactly what happened (will we?), but my bet is on poor user security practices.
Exactly what I mean. You can plaster that on the front of every newspaper, site, and news show on Earth, people aren’t going to care about security any more than they have so far.
Sure, totally glance over the fact that Apple is using weak security practices to protect their iCloud.
But Apple advertises their products with: “It just works!”. Why can’t they make a product that is just secure and doesn’t require you to be a security expert? Instead it looks like they compromised security for convenience. So even if it is not their fault, it kind of is their problem anyway.
No, the analogy you propose is completely wrong. A better one is you having a door to your home that the manufacturer told you it’s safe to use, but somehow that door still resides inside the manufacturer’s compound and you enter your home through there every day – and someone shows up with a gazillion keys and starts trying them one by one (the bruteforcing, if I’m being too subtle), but you can’t stop them as you don’t really own or control the door and even if you knew how, you still couldn’t really assess the real security of the system. And then the manufacturer comes out and says that even though your door was inside their compound beyond their systems, it’s still your fault since you didn’t order a better key that would’ve slowed down (not stopped) the thief, even though they could have (or at least should have) stopped the guy with many keys from continuing to try to unlock your door.
Thing is, not everyone can or should be an expert in information security. Everyone has their strengths and not everyone can be savvy in all the tools they use during their life. People choose a cloud exactly because it takes the weight of protecting their data away and onto someone else. That’s why I pay for the service. I want my data safe and available. If you can’t deliver then don’t offer me the service. How do you keep my data safe and available? I don’t know and I don’t need to know. I don’t want to become an IT expert, I’m an expert in something else and I know that reading random articles on the internet won’t give me that kind of knowledge.
It’s my fault if the system breach comes because I’ve refused a security system that you proposed. If those girls were directly offered something like a two-factor authentication system for iCloud and refused it (no, having it as an obscure option in the account doesn’t count) then maybe you can say it’s their fault. But Apple has started to offer that only this year and rather inconspicuously (I had to look it up and I also remembered an email I got – given that I’m not as busy as Lawrence, if I’m having trouble remembering when I got an email I’m pretty sure she doesn’t know whether it even existed).
Bottom line, the service is a tool. I pay the service so I don’t have to bother with data storage & security. They should tell me how secure my data is and what are the impacts of my choices on how to secure the account (is the password I chose ok? maybe prompt me a few times on two-factor authentication, etc). Many services I use reject outright easy passwords and if you assess the password strength then I’d like to know that having a green light on it means it won’t be brute forced (sorry, but if you don’t warn me at least on a different channel after the billionth attempt on my account, that’s stupid).
I have heard only one side of the story. Fairness requires that we hear what Apple has to say before reaching conclusions.
This makes me feel all warm and fuzzy about the much touted iCloud Keychain. Or not.
This is particularly bad for the health initiative Apple is rolling out. People are not going to parse technology differences, they’re going to feel even more uncomfortable about having their health info on the phone, let alone medical records.
Not to mention NFC payments. I totally want to link my phone to every bodily function, and to my bank accounts!
Really good points.
mike – > http://9to5mac.com/2014/09/02/apple-confirms-very-targeted-attack-on-celebrities-denies-icloud-breach/
From what I’m hearing that may be accurate – “no they weren’t using it. can’t say 100% certain they weren’t using it, but almost all the “hacking” i’ve seen is using trojans, password resets, password reminders (to emails)…and that being patched isn’t slowing anyone down” It doesn’t change my analysis though. The fact is that there are nude photos from dozens of celebrities online, stolen from the cloud. Apple’s cloud.
sure but you could say that of any cloud service. even banking systems are not immune of security breach. we all know that.
I think the problem is that people thought their iCloud stuff was AT LEAST as secure as their bank. Otherwise they wouldn’t feel safe using it to store extremely personal photos and videos.
well i personally know that my bank and credit cards are not secure (remember recent episodes in the USA..)…i think people should be aware now that by default potentially nothing is private. it raises another issue: most people are not aware of what is needed to make something secure: eg most don’t know about two key icloud authentication or even worse picking a non dumb password….
i think we should start there…
you’re talking about technical solutions. I’m talking about public perception.
But Michael, all the banks are being hacked too. Just JP Morgan Chase for example. You are right that this will wake up people, but only some. Security requires both sides active to work.
I don’t think anyone will wake up, I just think they’ll be afraid of their phone, and blame Apple.
Not just Apple phones but Android and even Blackberry… It’s not an “Apple-only problem”, it’s a broad technological and security issue.
As suspected… not Apple:
Apple has released a “media advisory” as follows, verbatim:
Update to Celebrity Photo Investigation
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
“And it doesn’t really matter.”
Not likely. People have very short memories and this will be quickly forgotten until the next leak.
For some, maybe.
Overall, who are we kidding? With the new Apple event coming soon, it won’t even be ten days, let alone ten years, before pretty much everyone stops mentioning this entire debacle.
It is a sad state of affairs, however, this reminds me of what the creators of the TV Series “Person of Interest” said regarding the (lack of) outrage when PRISM was revealed:
“We always imagined on the show that there would be a massive public outcry were the existence of the machine be discovered. It turns out that may be the only science fiction aspect of the show.”
“Being hacked” to a normal person is like having their house broken into. They know it could happen, but they hope it doesn’t happen to them, and they’ll deal with it when it happens. They also have a cognitive dissonance between people being “hacked” and their own security practices with their phones and computers. People knew their stuff could be hacked into for years, that hasn’t stopped them.
Do you think people stopped using PCs when viruses and malware arrived? Of course not. Same for phones and their online services.
I feel exactly the same way. Blown out of proportion, like everything else in the media.
They’re not screwed. This is purely on the backs of the celebs who choose shitty passwords. This should be a lesson to people to do the following:
1. Use STRONG/LONG passwords
2. Make sure your security questions can’t be answered by anyone with Google and time
Seriously, make a pass phrase. It’s annoying to type, but it’s much more secure. Don’t reuse it amongst many sites. Answer security questions with stuff that’s literally only known to you. (What was the name of my friend’s cousin’s second dog?) Or answer the polar opposite to the question asked. (What’s your favorite type of beer? Bartles and James)
Apple, iCloud, Young Celebrities: You’d be surprised how many of these kids don’t even use passwords, or use 4444 or 1234 or their year of birth… Once the bad guy gets into their smartphone, everything may be compromised. APPLE is surely not at fault if their iCloud users use simple hackable passwords, or give their passwords to other friends.
By using complex, irrelevant passwords and changing them frequently, one’s data-safety is improved; however, even the Department of Defense and the NSA may be hackable, given enough desire, time and financing.
Bottom line, these young girls should not be capturing Nude-Selfies and placing them online or sending pics to their boyfriends. Several years ago these girls were unknowns, waiting tables; a few years later, if they are Lucky, voilà, they Own the Restaurants. Once these young girls become Celebrities, with their simple-pasts and their “selfies,” those images become a lot more interesting and valuable. JimW
Since most people are not celebrities, and most people do not take nude photos of themselves, I don’t think it matters whether they think Apple is at fault (it’s not) or not.
Everyone has friends whose Gmail accounts got hacked by someone in Nigeria, and it hasn’t hurt Google at all. In fact, you could even argue it has helped them, since it promotes their service of two-factor authentication. (Apple has that, too). The fact of the matter is, unless you’re Mat Honan, you know you have nothing much to worry about just as long as you don’t answer that email where “Pretend Bank LLC” is asking for your social security number, mother’s maiden name, first name of your favorite dog, grandfather’s necktie color, and grade in school in which you first had to stand up and give a talk. Dude! Don’t answer!!!
“most people do not take nude photos of themselves” – What’s funny is I didn’t think so either. But apparently a whole lot of celebrities take nude photos of themselves even knowing they’re a target.
People will be people… “Remembering that you are going to die is the best way I know to avoid the trap of thinking you have something to lose. You are already naked. There is no reason not to follow your heart.” ~ Steve Jobs
While it’s concerning that we’ll likely have bank accounts and medical information attached to our iCloud accounts and iPhones in the near future, I don’t think this recent event will have any long term impact on Apple. People have been hearing about security issues almost daily for years now; Home Depot reports a massive attack just today. The reports have been so frequent, regular (non-computer-industry) folks are immune to them and simply don’t pay attention any more.
Combine that with the fact that most of us are pretty boring. Of course, someone gaining access to one’s bank account and stealing all of your money would be horrible, but someone stealing the typical person’s photos would, at most, cause that person to be pissed off for a short while; it’d hardly be life changing and probably not worth giving up the convenience of a smart phone and cloud connectivity. Hell, most people still use simple passwords and hardly any “regular” person uses two-step authentication, it’s too much trouble for too little to lose.
That being said, why the hell are all these celebrities taking nude photos of themselves? And, isn’t there some celebrity-class IT consulting company out there that helps targets protect their information? Hmmm, could be a good business there; rich and beautiful clients, what more could you want?
Except Apple is not screwed because the truth is that the power of great usability and integrated systems will forever matter more to people than security will. Apple will push new updates and policies will change and they will talk about how they are more secure than ever before and people will feel safe with the little lock icon on whatever you put in front of them.
just remembered i need to check my torrent progress on the new releases
How exactly is Apple to blame for this? This could have happened to any company with a similar service. And it’s just ignorance to think that anything you save or store online is secure. Blaming Apple for this is like trying to blame McDonald’s because you got fat from eating their food every day, not their fault. You made the decision.
Apple offers 2 factor authentication. I bet none of these accounts used 2 factor authentication. They probably used poor passwords as well.
I don’t think it’s relevant to what happened here. http://www.tuaw.com/2014/09/02/think-iclouds-two-factor-authentication-protects-your-privacy/
Three words…two step authentication.
Hey hey hey back in the 90’s we never really took nudes of ourselves.. Everyone knows the risks!!!
I would say it is Apple’s fault completely. I always jailbreak my device and know for a fact that in iOS 6, if you deleted call logs, iMessages or SMS, they were not deleted from the internal databases, and the next time the user backed up their phone this ‘deleted’ info was stored in the backup in a plain text file. It makes perfect sense that Apple did this for pictures as well; all this information that users delete and think is gone is only hidden from sight, and the next time they do a backup it is stored in the backup.
Adding to the whole “iPhones are not safe” issue is the white-wash, lawyer-nurtured response that Apple has provided. “Hey people, it’s not our fault!”…same answer they provided to antenna gate, battery gate, and every other big iPhone issue. It’s not us, it’s you.
A friend pinged me yesterday and told me that it takes 3 days for Apple to allow you to have access to 2-factor authentication on your iPhone. Does that sound like a policy for a company that is “deeply concerned and committed to customer’s privacy”?
I’m sorry, but I’m sensing a lot of indifference from Apple. And I’m not the only one. A spin is a spin, doesn’t matter if it comes from Tim Cook, Al Gore or anyone at Apple’s Board of Directors.
Absolutely, this brush off shows Apple’s DNA prioritizes design, convenience, devices; Not privacy, sophistication, cloud.
Hard for the leopard to change its spots.
The “fix” is simple, do not put nude photos on the web or anywhere else. Do that and you will not have to ever see them pop up anywhere else. Apple-heads will defend Apple no matter what, Apple-haters will accept any reason to hate Apple. Me? I couldn’t care less about Apple, the iCloud, or any cloud service anywhere or in any way. What annoys me is stupidity and there seems to be an abundance of it these days.
I predict this will have exactly Zero impact on sales of the iPhone 6.
Apple, like most technology companies, hasn’t grasped how the ethnography of privacy controls changes over a lifetime.
Human nature creates a very narrow-ish window, age about 20 till 30, when posting mature content increases the currency of attention. Apple’s devices capture this period; human nature forgives oversharing indiscretions.
Still life changes, and feigned indignation turns to real anger the further away from this narrow-ish window, where people care deeply about privacy.
The blame lies squarely at Apple’s door. What level of stupidity must there be within a company that allows for an infinite number of password attempts on a user’s account? The fact that this problem was highlighted to Apple but not acted upon beggars belief. A fast internet connection, a fast graphics card and a ‘rainbow table’ is all that was needed to access any iCloud account. A damning shame upon an otherwise excellent tech company.
iOS 8 has also been a huge disappointment so far. Many apps constantly crash and are unusable. I can only imagine what other features are poorly implemented when even the basics aren’t functioning properly.
my friend was about to buy iphone 5c. i hope after reading this he should not