SAN FRANCISCO – Apple Inc. has often displayed uncanny timing with its well-orchestrated end-of-year iPhone releases. But the leak of racy celebrity photos in the past few days put the company in the unusual position of having to mend its image just days before a highly anticipated product launch next Tuesday.
Nude photos of Hollywood celebrities, including Oscar-winning actress Jennifer Lawrence, were posted on Internet forums by unknown hackers, sparking condemnation from stars and their publicists and prompting a probe by the Federal Bureau of Investigation.
In the wake of the breach, cybersecurity experts and mobile developers have pointed out inadequacies in Apple’s cloud-services security and in the security of cloud services in general. Thousands of people have taken to Twitter to express their frustrations with the company.
Some security experts faulted Apple for failing to make its devices and software easier to secure through two-factor authentication, which requires a separate verification code after users log in initially. The process requires several steps and more than rudimentary knowledge of a phone’s workings.
Apple could also do more to advertise that option, they said. Most people do not bother with security measures because of the extra hassle, experts say, and the leading phone makers are partly to blame.
“Making things more private or secure by default instead of having ‘security options’ would go a long way. Most people won’t take those options, and they aren’t necessarily advertised as available,” said Matt Johansen, senior manager of the Threat Research Center at WhiteHat Security Inc. “Most sites with two-factor authentication, you need to go to some very obscure options menu, multiple clicks deep.”
To be sure, the inadequacies identified in Apple’s cloud and mobile security are also true for other online storage services, experts said. Official and celebrity Twitter accounts, for instance, have been routinely hacked.
“Every great innovation is convenient but also a big opportunity for the bad guys in the world,” said Marc Maiffret at security firm BeyondTrust.
Cybersecurity experts say the perpetrators possibly gleaned the celebrities’ email addresses and mounted a long-term phishing attempt — a relatively straightforward attack through which hackers gain access to users’ accounts by getting them to click on a compromised URL or Internet link.
The photos were posted on image-sharing forum 4Chan, prompting Lawrence’s representatives to describe their release as a “flagrant violation of privacy” and contact law enforcement authorities.
Apple rushed to restore confidence in its systems’ security, saying the celebrity photo scandal, which also ensnared swimsuit model Kate Upton, actress Kirsten Dunst and possibly dozens more, was the result of targeted attacks on accounts storing personal data and not a direct breach of Apple systems.
“We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet,” Apple said in a statement. “None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find My iPhone.”
That the hacking could hit Lawrence, who is one of the biggest names in Hollywood, the star of the hugely popular “Hunger Games” films and the best actress Oscar winner, came as a wake-up call to both the famous and non-famous.
“This feels like a brute-force attack and someone’s using bad passwords,” said Michael Fertik, chief executive of online image manager Reputation.com. “If you must take a nude photo, use a non-obvious password.”
Hackers use so-called brute-force software to cycle through large numbers of possible passwords during log-in attempts.
Fertik said hacked celebrities would likely have to live with the leaked photos remaining outside their management for the foreseeable future.
Apart from any criminal charges that might be pursued under federal or state hacking laws, Lawrence and the other celebrities could bring civil lawsuits against the alleged hacker or hackers and those who shared the photos.
“The way the celebrities were treating the photos, I don’t think there’s any doubt that the law will treat them as being private and the distribution of the photos was a violation of privacy,” said Evan Brown, a technology and intellectual property attorney at InfoLawGroup in Chicago.
The highly public affair remains potentially one of Apple’s worst public crises in years. Speculation continues to spread on blogs about flaws in the iCloud service, which lets computer and mobile users store photos, documents and other data so they can be accessed from various devices they own.
Brandwatch, a company that analyzes sentiment on social media, blogs and other sites, found that prior to the hack, Apple had received very few negative mentions on Twitter, a testament to its strong brand in the United States.
But in the past three days, 17,000 mentions on Twitter were related to the security breach; 7,600 of these tweets specifically mention Apple. Some of the negative words associated with mentions of Apple’s iCloud service include “violation,” “disgusting violation,” “criminality,” “failure,” “glitch” and “disappointment.”
Brandwatch spokeswoman Dinah Alobeid said Brandwatch differentiates between negative and neutral tweets by analyzing keywords. There were three times more negative mentions than positive mentions related to the incident.
Apple has dealt with several high-profile public faux pas in past years, including a map service that was criticized for lacking important geographic detail and “Antennagate,” when experts exposed how a flaw in the latest iPhone led to dropped calls.
Depending on how the hacks were carried out, this incident could be as damaging to its reputation, if not more.
“This could be a scary time publicly for Apple,” J.D. Sherry, vice president of cybersecurity provider Trend Micro, wrote in a blog post on Tuesday. “They haven’t had many, Antennagate and Apple Maps come to mind, and this would most likely trump those.”
The celebrity hacks underscore the longer-term risks for mobile users as smartphones increasingly become the repository for far more sensitive data on education, health care and banking. And the data increasingly get stored in personal cloud accounts hosted on the public and private Internet.
“We need to get to a point where security is the standard, (and) Apple could make it easier in the set up,” said Branden Spikes, founder and CEO of Spikes Security and former chief information officer of Space Exploration Technologies.
At its upcoming event, Apple is expected to announce the launch of a mobile payment service alongside its iPhone 6.
BeyondTrust security expert Marc Maiffret expects the phone will someday replace the wallet, storing sensitive payment information such as credit card accounts — data that would prove increasingly tempting to hackers. “How long after that does it make sense for your identity beyond your financial information to follow?” he said.
Apple has encouraged developers to use iCloud. But the leaks have left some app developers feeling uncertain.
“Things like this happen. And you wonder, can you trust Apple with other people’s data?” said Ruben Martinez, a developer building Apple software applications. Martinez said he considered using iCloud for an app he is building, but he may now explore other options.