Why Celebrities and Civilians Should Never Trust Apple With Naked Photos, or Any Data at All

Decoding the tech world.
Sept. 2 2014 3:55 PM

Blame Apple

Five reasons why celebrities and civilians should never trust Apple with nude photos, or any data at all.   

Even today Apple is still misrepresenting the security it can offer to its users.

Photo by Loic Venance/AFP/Getty Images

In the wake of the theft of the private data and photos of dozens of celebrities, there is at least one major culprit. Not the alleged leakers, though obviously they’re to blame, but the company that has most prominently overstated its security in the first place: Apple.  

David Auerbach

David Auerbach is a writer and software engineer based in New York. His website is http://davidauerba.ch.

Apple is currently delighted that people are talking about how you shouldn’t take naked photos of yourself in the first place, but make no mistake: Apple has been provably irresponsible with users’ security. It is currently unclear how the naked photos were gathered—most likely through a number of different methods and different servers over a period of months if not years. What is clear is that Apple has had a known security vulnerability in its iCloud service for months and has been careless about protecting its users. Apple patched this vulnerability shortly after the leak, so even if we’re not sure of exactly how the photos got hacked, evidently Apple thinks it might have had something to do with it. Whether or not this particular vulnerability was used to gather some of the photos—Apple is not commenting, as usual, but the ubiquity and popularity of Apple’s products certainly point to iCloud as a likely source—its existence is reason enough for users to be deeply upset at their beloved company for not taking security seriously enough. Here are five reasons why you should not trust Apple with your nude photos or, really, with any of your data.

1. The vulnerability is Security 101 stuff.


Up until Monday, Apple had a significant and known brute-force vulnerability in its Find My iPhone service, where you type in your Apple ID and password on your computer in order to locate your iPhone on a map. Most services that use passwords, from Facebook to Google to banks, will lock your account or at least throttle logon attempts after a certain number of failed access tries to prevent a person who is not you from making endless guesses at common passwords. Apple itself will do this in most places—but not through its Find My iPhone service, where hackers are allowed unlimited attempts at guessing passwords. You can endlessly try password after password as quickly as you like. Once a correct Apple ID password is confirmed through Find My iPhone, a hacker then has access to your iCloud account. So a hacker could simply run an automated tool and knock on the door enough times with password guesses until he broke through. Even a decent password, like “D0nM@tt1ngly!” would still be vulnerable to this sort of attack. The Find My iPhone vulnerability doesn’t really rise to the level of a bug, since limiting brute-force attacks is part of the basic security design of any system—or should be.
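To make the missing control concrete, here is an added example (not code from the article, and not Apple's or Find My iPhone's implementation) of a password-check endpoint written two ways: one that accepts unlimited guesses, and one that counts failures per account and refuses further attempts for a lockout window. The user store, the limits, the function names and the guess list are all constructed for illustration; the article's sample password is reused only as the stored credential.

```python
"""Added example: a password endpoint with and without brute-force protection.
The account, limits, names and guess list below are constructed; this is not
Apple's code."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 makes each guess cost CPU time; it slows guessing but does not
    # replace throttling. Iteration count kept low so the example runs fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

_SALT = os.urandom(16)
_DUMMY = (os.urandom(16), _hash("dummy", b"dummy-salt"))
USERS = {"alice": (_SALT, _hash("D0nM@tt1ngly!", _SALT))}   # constructed account

def check_password(user: str, password: str) -> bool:
    """Verify a password; do the same hashing work for unknown users and
    compare digests in constant time, so timing leaks nothing."""
    salt, digest = USERS.get(user, _DUMMY)
    match = hmac.compare_digest(_hash(password, salt), digest)
    return user in USERS and match

# --- Weak design: the endpoint will happily answer as many guesses as arrive. ---
def login_unthrottled(user: str, password: str) -> str:
    return "ok" if check_password(user, password) else "denied"

# --- Hardened design: per-account failure counter with a lockout window. ---
@dataclass
class Throttle:
    max_failures: int = 5          # failures tolerated before lockout
    lockout_seconds: int = 900     # 15 minutes
    failures: dict = field(default_factory=dict)   # user -> (count, last_fail_ts)

    def locked(self, user: str, now: float) -> bool:
        count, last = self.failures.get(user, (0, 0.0))
        return count >= self.max_failures and now - last < self.lockout_seconds

    def record(self, user: str, success: bool, now: float) -> None:
        if success:
            self.failures.pop(user, None)      # a real login clears the counter
            return
        count, last = self.failures.get(user, (0, 0.0))
        if now - last >= self.lockout_seconds:
            count = 0                          # window expired; start a fresh count
        self.failures[user] = (count + 1, now)

def login_throttled(user: str, password: str, throttle: Throttle, now=None) -> str:
    now = time.time() if now is None else now
    if throttle.locked(user, now):
        return "locked"            # refuse before even checking the password
    ok = check_password(user, password)
    throttle.record(user, ok, now)
    return "ok" if ok else "denied"

# Constructed guess list: common passwords first, the real one last.
GUESSES = (["password", "123456", "qwerty", "letmein", "iloveyou"]
           + [f"guess{i}" for i in range(14)] + ["D0nM@tt1ngly!"])

def simulate_guessing(login, wordlist, **kw) -> dict:
    """Feed a guess list to an endpoint and tally the outcomes, so the two
    designs can be compared on the same input."""
    outcomes = {"ok": 0, "denied": 0, "locked": 0}
    for guess in wordlist:
        outcomes[login("alice", guess, **kw)] += 1
    return outcomes

if __name__ == "__main__":
    print("unthrottled:", simulate_guessing(login_unthrottled, GUESSES))
    print("throttled:  ", simulate_guessing(login_throttled, GUESSES,
                                            throttle=Throttle(), now=1000.0))
```

Two things about the design are worth noting. The counter must live on the server and be consulted by every code path that verifies the password, which is exactly where the article says Apple fell short: throttling on most endpoints and none on one is no throttling at all. And a hard lockout is itself a lever an outsider can pull to lock a victim out, so production systems usually prefer progressive delays, per-source and per-account limits combined, and a challenge step over a flat lockout; the counter-and-window shape shown here is the simplest form of the control.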

2. The vulnerability was publicly known since May.

A Russian security group called HackApp released iBrute, a proof-of-concept tool to exploit this vulnerability, on Aug. 30. But don’t blame them, because the celebrity hacking probably took place quite a while before that. The Register publicized the lack of any sort of limit on iCloud logon attempts in May, and Apple did nothing about it, giving hackers plenty of time to bash away at accounts. Even after iBrute was publicly released, Apple didn’t patch the vulnerability until Sept. 1 and did nothing to secure accounts in the meantime. I cannot fathom how the company left this one out in the wild for months, and I suspect it will cost someone at Apple his or her job.

3. Apple defaults users into the cloud.

Clouds are wispy and ephemeral, the very opposite of secure, so why would you want to store anything in them? No one particularly does: Cloud storage has been forced on users because it suits tech companies, not because it’s what’s best for consumers. But Apple makes it very hard not to store photos in its cloud, nude or otherwise. Camera Roll automatically backs up photos (all photos) to the cloud by default, and Apple makes it difficult for average users to change the default. It’s worked. And it’s too bad, because whatever you store on the cloud has far less legal and security protection than what’s on your own computer. Even deleting photos from your phone doesn’t delete them from the cloud, as security expert Nik Cubrilovic pointed out on Twitter. (The American Civil Liberties Union’s Christopher Soghoian has wisely suggested a “private photo” feature that doesn’t upload certain photos to the cloud.)* Defaulting to the cloud is like checking baggage on an airline: People might look through your stuff, and even steal it. And like the airlines, Apple’s liability is strictly limited by the extremely generous (to Apple) agreement you sign when you purchase any of its products.

4. Apple does not encourage two-factor authentication.

Two-factor authentication, in which physical possession of a particular device (like a phone) is necessary to log in to an account, is one of the most common and effective supplements to the problematic security of regular passwords. Google, Yahoo, Facebook, Twitter, and many other services offer two-factor, though rarely by default. Still, as the Daily Dot writes, “For reasons that defy all logic, Apple makes it extraordinarily difficult to enable two-step verification,” making users wait three days just to turn it on. (In other words, if you had found out about the vulnerability on Aug. 30, you couldn’t have protected yourself until Sept. 2.) Apple barely publicizes its two-factor authentication and has not encouraged users to adopt it. Apple controls the default user experience for its products, and it has the responsibility for that default to be reasonably secure—which it currently is not.

5. Two-factor authentication wouldn’t have worked anyway.

Even if you were a celebrity who had enabled two-factor authentication, it wouldn’t have helped in this case because Apple doesn’t enforce two-factor authentication for iCloud logons even if you have it turned on, as was reported by Ars Technica all the way back in May of 2013. Apple primarily uses two-factor to prevent credit card purchases, not to protect the privacy of your data. Though probably the least exploited loophole (due to the difficulty of using Apple’s two-factor in the first place), this is perhaps the most sheerly irresponsible security decision Apple has made. The false sense of security created by offering two-factor and then not enforcing it is appalling.
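Points 4 and 5 come down to where the second-factor check lives. As an added example (not code from the article and not Apple's implementation), the block below implements RFC 6238 time-based one-time passwords and then shows two service layouts: one where each login endpoint decides for itself whether to ask for the code, so a path that was never wired up silently skips it, and one where every endpoint obtains its session from a single function that applies the policy. The account, secret, endpoint names and session token are constructed for illustration; the TOTP test vector is the one published in RFC 6238.

```python
"""Added example: enforcing a second factor at the one place sessions are
issued. TOTP per RFC 6238; the account, secret and endpoints are constructed."""
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step

def totp(secret: bytes, for_time: float, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the big-endian time-step counter, then the
    RFC 4226 dynamic truncation to a short decimal code."""
    counter = int(for_time // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, now + d * STEP), code)
               for d in range(-window, window + 1))

# Constructed account: password plus an enrolled second-factor secret.
ACCOUNTS = {
    "alice": {"password": "correct horse",
              "totp_secret": b"12345678901234567890",   # RFC 6238 test secret
              "two_factor": True},
}

def password_ok(user: str, password: str) -> bool:
    acct = ACCOUNTS.get(user)
    return acct is not None and hmac.compare_digest(acct["password"], password)

# --- Weak layout: each endpoint chooses whether to apply the second factor. ---
def purchase_login_weak(user, password, code, now):
    acct = ACCOUNTS.get(user)
    if not password_ok(user, password):
        return None
    if acct["two_factor"] and not verify_totp(acct["totp_secret"], code or "", now):
        return None
    return "session"

def cloud_login_weak(user, password, code, now):
    # This path was never wired to the check: the account says two-factor
    # is on, but the password alone yields a session here.
    return "session" if password_ok(user, password) else None

# --- Hardened layout: one session-issuing function owns the policy. ---
def issue_session(user, password, code, now):
    """Every endpoint that hands out a session goes through here, so an
    enrolled second factor is required on all of them or none."""
    acct = ACCOUNTS.get(user)
    if not password_ok(user, password):
        return None
    if acct["two_factor"] and not verify_totp(acct["totp_secret"], code or "", now):
        return None
    return "session"

def purchase_login(user, password, code, now):
    return issue_session(user, password, code, now)

def cloud_login(user, password, code, now):
    return issue_session(user, password, code, now)

def audit_bypass(user, password, now) -> dict:
    """Return which endpoints grant a session with a password alone; for an
    account with two-factor enrolled, every value here should be False."""
    endpoints = {"purchase_weak": purchase_login_weak, "cloud_weak": cloud_login_weak,
                 "purchase": purchase_login, "cloud": cloud_login}
    return {name: fn(user, password, None, now) is not None
            for name, fn in endpoints.items()}

if __name__ == "__main__":
    print(audit_bypass("alice", "correct horse", now=59))
```

The audit function is the check a defender actually wants: for an account that has enrolled a second factor, call every session-granting endpoint with the password only and confirm that none succeeds. The weak layout fails that audit on the cloud path while passing it on the purchase path, which is the shape of the problem the article describes.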

These are all problems Apple has known about for months, if not years, and did nothing to stop. Apple’s two-factor is still fundamentally broken, so even today Apple is still misrepresenting the security it can offer to its users. This is not to excuse any other services that may have been compromised, nor the hackers themselves. But whether or not any of these problems were directly responsible for the leak, Apple users, from Jennifer Lawrence to corporate executives to laptop musicians to you, should be out for blood, and other companies should use this as a lesson to double- and triple-check their own security stories. Apple will probably survive though. iPhones are so cool and pretty.

*Correction, Sept. 3, 2014: This piece incorrectly referred to the American Civil Liberties Union as the American Civil Liberty Union.
