Nude celebrity photo leak casts iCloud over Apple launch

For Apple Inc., which is preparing to launch its next iPhone or iWatch or possibly iWallet, the timing of the nude celebrity photo hack is a significant embarrassment.

As Apple prepares to launch iPhone 6, its security draws scrutiny

Actress Jennifer Lawrence was one of the victims of a mass nude-photo hack. (Eric Gaillard/Reuters)

It appears the hack, which resulted in the leak of dozens of nude photos of celebrities such as Kirsten Dunst, Jennifer Lawrence and Kate Upton, was made via the Find My iPhone service, though Apple asserts it did not find flaws in the service.

It doesn’t matter that it’s silly to store nude photos of yourself anywhere in the digital realm — the incident has made Apple’s iCloud look compromised just as the company plans a major product launch.

“Ultimately it doesn’t really matter if the hack is or is not Apple’s fault; the damage has been done,” says tech analyst Ben Thompson at Stratechery.

“The ‘iCloud’ name is associated with this mess, which is bad enough; what is more distressing is that Apple is allegedly unveiling a new payment capability with the iPhone 6. That, obviously, requires a high degree of security and consumer trust, and now, every article about said payments will likely mention this hack,” he said.

It’s not known what Apple plans to launch Sept. 9, but whatever it is, there will be questions about its security.

One possibility is a new generation iPhone 6 with a big screen and a communications chip that will make mobile phone payments easier — an iWallet.

So prospective users will be asking how secure their financial transactions are.

The product could as easily be its much-forecast wearable device — an iWatch or similar gadget.

That could lead to doubts about how secure the health information (heart rate, blood sugar) gathered on such a device might be.

High-profile hack of 100 celebrities

Whatever the new product is, it will be dogged with security concerns because of the high-profile hack that broke this weekend affecting more than 100 British and American celebrities.

The supposed hacker claimed to have broken into the stars' iCloud accounts and searched for compromising photos before publishing them on 4chan, an image-sharing forum.

According to the website Engadget, hackers were able to create a tool to test thousands of passwords against a user's account until they found the correct one, without being blocked by the site.

This is called a "brute force" attack, says technology expert Shane Schick.

"Hackers use a computer to generate a whole bunch of commonly used passwords, and access the account that way," he told CBC News, adding that most internet services would shut down an account after one or two attempts at retrieving information.

Hackers also use Facebook and public information about celebrities to try to determine what words they might use as passwords, Schick said. The name of a pet or child might be likely passwords, for example.  
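
The control the Engadget report describes as missing, refusing further guesses after repeated failures, can be sketched as a per-account throttle. This is an added example, not Apple's code or anything from the article; the thresholds, the `LoginThrottle` and `replay` names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 5   # assumed threshold, not taken from the article
WINDOW = 300       # seconds over which failures are counted
BASE_LOCK = 60     # first lockout in seconds; doubles on each further lockout


class LoginThrottle:
    """Per-account failure counter with escalating temporary lockout."""

    def __init__(self):
        self.failures = defaultdict(list)    # account -> recent failure times
        self.locked_until = {}               # account -> time the lock expires
        self.lock_count = defaultdict(int)   # account -> lockouts so far

    def allowed(self, account, now):
        return now >= self.locked_until.get(account, 0)

    def record(self, account, success, now):
        """Return 'ok', 'fail' or 'locked' for one login attempt."""
        if not self.allowed(account, now):
            return "locked"   # refused before the password is even checked
        if success:
            self.failures.pop(account, None)
            return "ok"
        recent = [t for t in self.failures[account] if now - t < WINDOW]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.lock_count[account] += 1
            lock = BASE_LOCK * 2 ** (self.lock_count[account] - 1)
            self.locked_until[account] = now + lock
            self.failures[account] = []
        return "fail"


def replay(events):
    """Run (time, account, password_correct) events through a fresh throttle."""
    throttle = LoginThrottle()
    return [throttle.record(acct, ok, t) for t, acct, ok in events]


# Constructed sample: one guess per second against one account, where the
# guessing tool would have reached the correct password on its 8th try (t=7).
SAMPLE = [(t, "user@example.com", t == 7) for t in range(10)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

A per-account lock on its own lets anyone lock the real owner out by guessing badly on purpose, which is why services usually pair it with per-source limits and a second factor.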

Apple says it has started an internal investigation into what happened.

Its public response today was a statement saying it wasn't at fault.

"When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us," the statement said.

"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved."

A very useful Cloud

The iCloud service unites Apple’s iPhones, tablets and desktop computers, letting users store contacts, emails, photos and other personal information on external systems they can access virtually.

Actress Kirsten Dunst was one of more than 100 celebrities whose account was hacked. She has been critical of Apple's role in the release of nude photos. (Columbia Pictures/Associated Press)

Tim Bajarin, president of Creative Strategies in Mountain View, Calif., says the incident points to the need for people to take responsibility for their own security.

"The fact that Apple was brought into this was intriguing, because Apple has some of the best privacy in existence. They use 128-bit encryption and very powerful tools," he said in an interview with CBC's The Exchange with Amanda Lang.

"Apple has said none of their systems were breached, neither iCloud nor Find My iPhone. The way these hackers got in is the old-fashioned way. They figured out the password and the security question," Bajarin said, adding that celebrities may be particularly vulnerable to this kind of hack as their personal background is easy to investigate.

But users still may be questioning the privacy of their personal photos, records and messages on iCloud.

“It calls into question the security of the networks that are hosting the photos — any personal information you put up there,” says Bloomberg’s Zeb Eckert.

That’s not necessarily a bad thing, as users should be more savvy about the security of their personal information, changing passwords often and not using the same password for multiple accounts.

Bajarin urges more robust passwords and says companies may soon be mandating two forms of ID before you get into an account. 

"Apple brings out another point which they do well, which they call double authentication. If you have an iPhone, if you turn it off and restart it, you actually have to put in a PIN number to launch it and from that point on, you have to use the fingerprint reader, so you have dual authentication," he said.

"What I expect will happen is, not just Apple, but every one of the Cloud services, will start pushing into dual authentication." 

Investors still love Apple

Investors don’t seem as chary of Apple’s security reputation, which is generally quite strong.

Stock in the company is up 29 per cent this year in anticipation of a new product launch and edged 80 cents higher today to $103.30.

Apple has long been a tastemaker, and its new product — whether a bigger display iPhone or wearable device — is likely to be a hot commodity for consumers.

Nor is the hacking incident likely to stop the advent of cellphone payment systems, a technology that is the logical next step in cellphone use. Apple's solution likely won’t be funnelled through iCloud.

But it could intensify the focus on security of Apple products or on mobile technology in general. Android is equally or even more vulnerable.

There have been multiple reminders in the past few months of the vulnerability of internet-based systems: the major bank JP Morgan was hacked just last week, the Finance Department may have been hacked by the Chinese, and Target's credit card information fell to Russian hackers.