How did the Apple iCloud fail?

Unless you’ve been living under a rock for the past few weeks, you’ll have undoubtedly seen the news that many famous celebrities have recently had their privacy compromised by some unscrupulous hackers. And, what’s more, the hackers weren’t trying to achieve fame by obtaining sensitive banking information or similar. These hackers, in fact, got their kicks out of exposing the celebrities in their barest form.

While the security breach is a gross invasion of privacy for the individuals involved, it is also hugely embarrassing for the cloud service provider from which the material was stolen. But before you rush to remove all of your data from every cloud service you use, you should understand more about the leak.

Cloud services aren’t at fault

After all, the majority of cloud solutions actually bolster security for individuals and businesses alike. For example, Mimecast’s cloud email archiving solution allows historic messages to be securely archived to a cloud environment, away from the threat of potential hackers.

However, if some reports are to be believed, the security breach stems from hackers infiltrating Apple’s iCloud service and successfully downloading the raunchy celebrity pictures. Apple are rigorously defending their iCloud service and stating that the photo leaks could just as likely have come from another source.

To be fair to Apple, their security protocols are among the best in the business – encryption both in transit and at rest, plus two-step authentication – and the recent celebrity hack is more likely to have been achieved through other means, rather than a direct attack on the Apple iCloud. However, that hasn’t stopped Apple bolstering its defenses against future attacks in the wake of this most recent one.

Bespoke software can leave the iCloud vulnerable

However, a very poignant revelation in this whole mess is the ease with which iCloud backups can be downloaded from the cloud servers they reside on – something which has been made a whole lot easier by a piece of software called EPPB, or Elcomsoft Phone Password Breaker as it’s otherwise known.

This software, which is apparently a stalwart in underground communities, allows individuals to download full Apple backups – even without a password in some instances, although this is much rarer.

With the relevant iCloud password in hand, anyone can seemingly download backed-up data such as photos and messages with little trouble. But you may be thinking, how can you get hold of someone’s iCloud password? Well, in a number of ways, if reports are to be believed.

iCloud passwords can be obtained in several ways

First, there’s the password reset feature (secret questions/answers), which can be exploited in obvious ways. Next, there’s the good old-fashioned phishing email that relies on unwitting individuals literally offering up their passwords to would-be hackers. The password recovery process is the third potential vulnerability, but it relies on an email account being hacked beforehand. Last is the clever practice of social engineering, which plays on the natural human tendency to trust.

So, with the Apple email ID and iCloud password successfully secured, anyone can download sensitive information using the aforementioned EPPB software. Perhaps not quite the uber-geek way you were thinking, but an effective vehicle nonetheless.

The reality is that Apple’s iCloud didn’t necessarily ‘fail’ but was more a victim of some very determined and unscrupulous individuals’ desires. Hopefully, Apple’s decision to improve its iCloud security even further in the wake of this scandal will go some way to appeasing its users, but for the celebrities who have been exposed, it might seem like little recompense.