Apple Silent As Blame For Nude Celebrity Leaks Remains Unclear

Security researchers say Apple may not be directly at fault in what some have called an “iCloud leak.” Key new features depend on a safe and secure cloud.





As the dust begins to settle on the initial image dump of nude celebrity pictures that began circulating Sunday afternoon, security researchers, law enforcement, and regular cloud-fearing phone users are looking for answers. And Apple, largely thought to be the weak security link, is silent.


Across the internet, the image leaks are regularly referred to as an "iCloud hack," thanks to the original 4chan posts of the leaked photos, which alleged the photos were retrieved via Apple's cloud storage. Multiple sites have identified both notable vulnerabilities in iCloud (via Find My Phone) and well-documented communities of iCloud hackers, who can crack passwords with "brute force" programs (which allow for unlimited password guessing attempts) and download photo stashes in bulk.


However, three security researchers told BuzzFeed that it's too early to pin this security breach on the Apple cloud service, suggesting instead that the photos were obtained through multiple, individual hacks over a long period of time and then assembled into a larger collection through trading on obscure online forums.





Bryan Hamade, one of the prime suspects in the leak, told BuzzFeed on Monday that "it does seem the photos [were] passed around to multiple people before being leaked, so it may just be someone who has them and didn't hack to get them. They seem to have amassed a huge collection trading picture for picture and it's possible that whoever they sold it to started leaking the pictures yesterday."


Troy Hunt, an Australian security writer and expert, said the fact that fake photos have surfaced may undermine the severity of the breach. "If that's true [that some photos are fake], it throws into question the legitimacy of the 'hack,'" he wrote in an email to BuzzFeed.


"We may well find the attack vector is similar to that of an Australian scenario I wrote about, that is a separate attack (such as a phishing campaign) has successfully obtained credentials. That then of course is also predicated on other aspects of the victims' security being poor (such as missing two factor authentication), and that's entirely plausible," he said.


Hunt added that the nature of the leaked pictures — a variety of celebrities, many obscure, as well as barely any personal information besides photographs — means that a full-fledged breach of iCloud is also less likely. "One question worth asking is why celebrities are the 'target,'" Hunt said. "If there was a vulnerability in iCloud per se, you'd expect the 'hack' to be pretty indiscriminate. Yes, there's a greater financial upside if an attacker obtains photos and videos of high profile individuals, but they're a tiny percentage of the broader Apple ecosystem and you'd expect to see more 'collateral damage' to everyday citizens."


And Johns Hopkins computer science professor and info security expert Matthew Green warned the New Yorker's Jay Caspian Kang that "there's still no proof of a large-scale iCloud break-in, or that the images were ripped from the servers all at once."


That said, Apple may still be partially at fault for at least some of the breaches. According to a report from The Next Web's Owen Williams, the Find My Friends vulnerability allowed "malicious users to 'brute force' a target account's password on Apple's iCloud." Williams goes on to say that "brute-force attacks consist of using a malicious script to repeatedly guess passwords in an attempt to discover the correct one."


With no password timeout, hackers would be able to guess passwords an unlimited number of times, allowing them to run programs that try millions of variations in order to gain access. If that's the case, this would be a major security flaw and, in the case of those accounts hacked through iCloud, would be entirely Apple's fault.


The timing is also less than ideal for Apple, which is most likely putting the finishing touches on next week's keynote, where the company is set to unveil a line of new products including new iPhones and a much-anticipated wearable device. Part of Apple's wearable strategy is to obsessively track personal health data, which would ostensibly be stored to Apple's cloud services — medical data so personal that Apple has, according to Morgan Stanley, hired blood researchers to help. With the questions about Apple's cloud security swirling, it's possible this and other new features could suffer.



