Apple Hack Points to Broader Vulnerabilities in the Cloud

SFAppleStore
The Apple store in San Francisco on January 27, 2014. Robert Galbraith/Reuters

Apple has issued a statement denying that a recent hack of celebrity iCloud accounts was the result of an internal security flaw. "None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find My iPhone," the company wrote. For the most part, Apple has been characteristically tight-lipped about the details of the hack. In the company’s statement, however, it did add that the accounts were breached by an attack on “usernames, passwords and security questions.”

Apple did not respond to Newsweek’s request to speak about the hack, but based on the company’s statement, it would appear hackers specifically took aim at the accounts of celebrities such as Kirsten Dunst and Jennifer Lawrence. Apple said it spent more than 40 hours investigating the breach and determined it was a “very targeted” attack, as opposed to one that exploited a broader security loophole.

According to security expert Bruce Schneier, such attacks are reasonably preventable if Internet users adopt sufficiently complex passwords. The problem, he says, is customers of cloud storage companies need to “stop trying to make memorizable passwords.” Anything you can remember, he adds, can be breached with a brute force attack—that is, an attack where hackers make a series of sophisticated guesses at an account's password.

“It’s not a story of Apple screwing something up,” Schneier says. Instead, he says, the attack articulates a broader issue with data security in the cloud—in particular people’s willingness to trust their information to Silicon Valley tech giants.

With the number of internet users set to grow by 60 percent in the next five years, cloud storage and computing is positioned to become an increasingly integral repository for sensitive photos, documents, videos and other private media. Services like Apple, Google, Amazon and Dropbox have continued to grow steadily in the past decade. In 2004, there were 900 million internet users. Today, there are 3 billion. Much of the information they access through sites are kept in one of the more than 3,200 data centers around the world (more than a third of which are in the U.S.) For a sense of scale, according to Greenpeace, if this collective “cloud” were a single country, it would rank sixth in the world, in terms of energy consumption, behind only Russia, India, Japan, the U.S. and China, in that order.

In many ways, that’s a good thing. The cloud is far more efficient than storing information on individual hard drives. But it makes Internet users' personal media vulnerable to attacks. As Schneier points out, iPhones sync with iCloud, meaning anytime a person takes a photograph it goes onto the cloud, where, with the wrong password, it’s open to a brute force attack.

“My worry about the cloud is not my password, it’s the company,” he says. “They are corporate entities out to make money.”