Be Angry About the iCloud Hack, but Not Surprised

Rob Pegoraro
·Contributing Editor
Updated
Jennifer Lawrence
Jennifer Lawrence

Jennifer Lawrence. (Associated Press)

Apple is in the news today for the wrong reasons: Instead of people speculating about what the next iPhone will be like, they’re speculating about how its iCloud service could have been hacked so badly.

The victims in this case were celebrities — actresses Jennifer Lawrence and Mary Elizabeth Winstead, for example — who had nude photos of them pilfered from their online backups. The hack has put some unflattering aspects of Apple and its “cloud” services in the spotlight.

See Yahoo Tech’s complete coverage of the Celebgate hacking scandal right here.

Here’s one of those aspects: Hacks happen. They’ve happened before, and they will again. Here’s another: It could happen to you, too. And there’s not much you can do about it without ditching some Apple services you probably like.

Here’s what makes Apple’s cloud services, in particular, such a juicy target for hackers.

The jobs of an Apple log-in
The username and password that controls access to an iCloud account governs a great many things: That same Apple ID log-in authorizes iTunes and App Store purchases, lets you find your iPhone and wipe it remotely if it’s stolen, syncs your text messages, and much more.

That’s also true of Google accounts — and, for that matter, Yahoo accounts. But think about how the Apple ID system has grown compared with those: Many people’s first encounter with it was probably buying songs off iTunes, a low-risk proposition that doesn’t warrant coming up with some fantastically complex password. Then consider how often you’ve had to type in that password, especially on an iPhone or iPad where every other app download seems to require verification.

As Johns Hopkins University cryptographer Matthew Green observed on Twitter, that combination pushes people to use short, simple passwords: “Of course people pick terrible iCloud passwords. You can’t enter a good password 50x per week on a mobile device.”

Apple isn’t taking security seriously enough
An online service shouldn’t expect its users to craft complex passwords — most of us don’t and can’t be bothered to change them after the discovery of a vulnerability. But Apple deployed the best alternative to the password, two-step verification, years after other services and did so in a clumsy and limited manner.

Apple’s implementation of this concept, where you confirm a login by typing in a one-time code, relies almost exclusively on text messages to deliver those digits. There is no equivalent to Google’s Authenticator app, which can compute unique codes without requiring a data connection itself.

Apple’s system is enough for anybody who travels internationally or strays out of signal range, but even if you turn on two-step verification, it governs access toonly some iCloud services. Restoring data from a backup — what looks like the key mechanism of this iCloud attack — isn’t among them.

Finally, and worst of all, Apple let the attackers keep guessing passwords instead of locking the target accounts after a set number of incorrect answers. That is a horrible and fundamental failure of security, and Apple deserves little credit for fixing it quickly, since it fixed it so late.

None of this is a major break from precedent at Apple. In 2012, it waited months to fix a vulnerability in its version of Oracle’s Java software, resulting in the Flashback Trojan infecting hundreds of thousands of Macs, then had such poor controls over iCloud account resets that a teenage hacker was able to convince Apple tech-support reps that he was Wired writer Mat Honan. He then took over Honan’s account and used it to remote-wipe his iPhone, iPad, and MacBook. Earlier this year, the company released versions of iOS and OS X with a critical site-encryption weakness, but then let days pass between fixing it in iOS and then in OS X.

Apple needs to act, and we should have, too
Apple needs to do better, and it’s capable of making the necessary changes. In a few years, it’s gone from denial about labor conditions at the Chinese factories that build its gadgets to setting a standard for transparency and accountability in its outsourced manufacturing. And some of its security is good: Those responsible for iCloud security, if they still have their jobs, could start by wandering across the Apple campus to sit at the feet of the iOS team, which has been remarkably effective at keeping malicious code from sneaking into an iPhone or iPad’s startup cycle.

Those of us in the press who devote so much ink and so many pixels to Apple could also do better. The problems with iCloud passwords and two-step verification have been obvious for years, and it shouldn’t have taken boldface names in the news for us to start warning people about them.

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.