How to prevent the iCloud celebrity photo hack from happening to you

For most of us, having intimate photos leaked to millions of people on the internet would be an absolutely horrifying event. Unfortunately, this is exactly what happened to multiple high-profile celebrities last week, which is not a great way to spend your Labor Day.

Now, what people do with their significant others is of no concern to me; whatever makes you happy is what I always say. But there are some lessons to be learned here, not about the type of content you make but about how to protect it and how to manage what you store in the cloud.


How did this happen?

First things first: how did hackers gain access to these photos? According to a statement from Apple, the theft was caused by "a targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet." The hackers apparently used a nasty combination of social engineering, phishing, and public information to gain access to their targets' iCloud accounts. This was made easier by the fact that public information on celebrities is much easier to find because of their highly publicized lifestyles.

Once they had the targets' passwords, the hackers used Elcomsoft Phone Password Breaker to download the iPhone backups from Apple. After that, it was a walk in the park, and they grabbed what they wanted.

Who is to blame?

There was a lot of backlash against Apple and the cloud after this intrusion. The blame isn't unfounded, but it isn't completely Apple's fault. There was no breach of Apple's code or cloud security, merely hackers exploiting human tendencies.

To access your iCloud account you need passwords and security questions, and it is up to the user to create secure user names and passwords. Going back to our earlier point, it probably isn't a good idea for a public figure to have their password set to their dog's name, which anyone can find out with a quick Google search.

That being said, Apple could take some responsibility for raising awareness about these threats, as many users still don't understand just how at risk they are online. Apple CEO Tim Cook had some words on this subject when he spoke to the Wall Street Journal: "When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece. I think we have a responsibility to ratchet that up. That's not really an engineering thing."

Apple could also put some more research into tools such as the iPhone Password Breaker that was used. They need to understand how these tools work and how to prevent them from accessing accounts.

How do I protect my sensitive files?

Say you want to take a sexy photo for your significant other that you don't want anyone else to see, ever. How do you go about doing that?

Here are a few steps that will help. The main thing is keeping information like this out of the cloud and in secure areas.

  1. Set your iPhone to Airplane Mode
  2. Turn off iCloud backups in the settings
  3. Turn off Photo Stream
  4. Take said sexy photos
  5. Connect the phone to your computer
  6. Launch a program such as Image Capture (OS X) that can read the camera roll
  7. Transfer the images to your computer
  8. Use the program to delete the files from your iPhone
  9. Place the images in an encrypted .zip file

The main thing to realize here is that the cloud is secure, but our own laziness and false sense of security are our downfall. Once a picture goes to iCloud, gets sent to another person, or becomes accessible to another app, you give up security and run the risk of someone seeing it.

What needs to happen in the future?

As our lives become more and more entwined with the internet, it is so important that security gets updated. Sadly, despite all of the advancements in online technology, the only security advances we've made in 20 years are passwords, secret questions and, in some cases, getting an SMS confirmation sent to your phone.

Apple needs to improve user-level security for iCloud backups. It's awesome that it is all encrypted in the cloud, but what use is that when someone's user name is their email address and the password is 12345? Two-step authentication is a step in the right direction, but it still isn't enough.

Raising awareness is also something that Apple is moving forward with, and that will be very helpful, as half of the battle with security is on us, the users.

One thing you can do right now to help keep everything secure is to treat those "secret questions", like "What city were you born in?", as another password field. The answer doesn't actually have to be that city, or a real word at all. So use one password to log in, then use another password to answer your security question. If you make it inconvenient for a hacker to access your account, they will most likely move on to someone else and look at their sexy photos instead.
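The two pieces of advice above (don't build a password from facts a search engine can find, and treat security-question answers as second passwords) can be checked and applied with a short script. This is an added example, not part of the original article; the sample facts, the sample answers and all function names are constructed for illustration.

```python
import secrets
import unicodedata

# Lookalike-free alphabet (no i, l, o, 0, 1) so an answer can be read out loud.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
# Undo common character swaps ("B1scu1t!" -> "biscuiti") before comparing.
LEET = str.maketrans("0134578@$!", "oieastbasi")

def normalize(text):
    """Lower-case, strip accents, undo simple swaps, keep letters only."""
    text = unicodedata.normalize("NFKD", text).lower().translate(LEET)
    return "".join(ch for ch in text if ch.isalpha())

def guessable_from(secret, public_facts, min_len=4):
    """Return the public facts that appear inside the secret once normalized."""
    flat = normalize(secret)
    hits = []
    for fact in public_facts:
        words = [normalize(w) for w in fact.split()]
        if any(len(w) >= min_len and w in flat for w in words):
            hits.append(fact)
    return hits

def random_answer(groups=5, group_len=4):
    """Random security-question answer: 20 symbols from 31, about 99 bits."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(group_len))
        for _ in range(groups)
    )

def harden(answers, public_facts):
    """Map each question to (facts its current answer leaks, random replacement)."""
    return {
        question: (guessable_from(answer, public_facts), random_answer())
        for question, answer in answers.items()
    }

# Constructed sample data: facts a quick search would reveal about the account owner.
PUBLIC_FACTS = ["Biscuit", "Springfield"]
ANSWERS = {
    "What city were you born in?": "Springfield",
    "Name of your first pet?": "B1scu1t!",
}

if __name__ == "__main__":
    for question, (leaks, new) in harden(ANSWERS, PUBLIC_FACTS).items():
        print(question, "| leaks:", leaks or "none", "| use instead:", new)
```

Purely numeric facts such as a birth year are not matched by this check, and each generated answer has to be recorded somewhere safe, because it cannot be recalled from memory the way a real hometown can.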

Stay safe out there!

Written By: Sam Watkinson
Marketing Associate TOSS C3
