
Is Apple's iCloud safe after leak of Jennifer Lawrence and other celebrities' nude photos?

The iPhone maker's cloud service has been implicated in the leaks

James Vincent
Monday 01 September 2014 09:40 BST

The apparent leak of hundreds of naked photos purportedly belonging to more than 100 high-profile singers, actors and celebrities has raised questions of the safety and security of digital services.

On Sunday night, images of 101 high-profile stars, including Jennifer Lawrence, Ariana Grande, Victoria Justice, Kate Upton, Kim Kardashian, Rihanna, Kirsten Dunst and Selena Gomez, were posted on 4chan, an online image sharing forum, in an apparent hacking leak linked to the Apple iCloud service.

Although the involvement of iCloud has not been confirmed, anonymous users on 4chan (the image-sharing forum where the photos were first posted) claimed on Sunday to have taken them from the service.

If activated, iCloud automatically stores photos, email, contacts and other information online, allowing users to sync this data across different devices (for example iPhones and iPads) or access it from any internet-connected computer using a log-in and password.

Although Apple’s encryption on the data itself is considered robust, access could have been gained through more indirect means - such as guessing users' passwords or simply resetting their accounts by finding their email address and then answering traditional ‘security questions’.

(Worried iCloud users can turn off photo syncing through Settings > iCloud on their iPhone or iPad, or, for additional security, set up two-step verification by following these instructions.)

Former Apple CEO Steve Jobs talks about iCloud back in 2011.

Jennifer Lawrence, who confirmed via her publicist that the photos were genuine, has previously said: "My iCloud keeps telling me to back it up, and I'm like, I don't know how to back you up. Do it yourself," while metadata retrieved from the images shows that the vast majority were taken using Apple devices.

However, this doesn't confirm that iCloud itself was hacked - it might simply be down to individual users’ poor password choices - and other theories as to how the pictures were obtained are also circulating online.

Security experts have suggested that a second cloud service, Dropbox, might be involved and that the massive scope of the leak (posters on 4chan claimed that close to 100 celebrities are affected) implies that “an employee with access to data somewhere made a private stash” and was subsequently hacked by another opportunistic individual.

The anonymous user who first posted the images online claimed to have additional leaks including explicit videos of Lawrence and requested donations via PayPal and Bitcoin in exchange for posting them.

Since the images were first posted online, tech site The Next Web has discovered the code for an iCloud-focused hacking program posted to the open-source website GitHub.

The program apparently exploits a flaw (now fixed) in Apple's 'Find my iPhone' service to guess passwords over and over again without being locked out. This method of hacking, known as a 'brute force' attack, uses a database of commonly used words and phrases to guess passwords.
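The defence against the kind of flaw described above is a failed-login counter keyed on the account alone, so that every endpoint that accepts a password shares one lockout. The sketch below is an added example, not Apple's code or anything from the article; the endpoint names, the thresholds and the sample attempts are constructed assumptions.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumed policy: failures allowed before lockout
LOCKOUT_SECONDS = 900   # assumed policy: lockout duration

class AccountThrottle:
    """Failed-login state keyed on the account only, shared by all endpoints."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:          # lockout expired: start afresh
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def attempt(self, account, endpoint, password_ok):
        """Return 'ok', 'denied' or 'locked'. The endpoint is never part of the
        key, so moving to another service does not reset the counter."""
        account = account.strip().lower()   # one counter per account, any casing
        if self.is_locked(account):
            return "locked"                 # refuse before evaluating the password
        if password_ok:
            self._failures[account] = 0
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILURES:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
        return "denied"

def simulate():
    """Constructed sequence: wrong guesses start on one endpoint, then move to another."""
    now = [0.0]
    throttle = AccountThrottle(clock=lambda: now[0])
    results = []
    for endpoint in ["web_login"] * 3 + ["device_api"] * 4:
        results.append(throttle.attempt("User@example.com", endpoint, False))
    # Even the correct password is refused while the account is locked.
    results.append(throttle.attempt("user@example.com", "web_login", True))
    now[0] += LOCKOUT_SECONDS
    results.append(throttle.attempt("user@example.com", "web_login", True))
    return results

if __name__ == "__main__":
    print(simulate())
```
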

The program's creator told The Next Web that although they had not seen any evidence that the software had been used in the celebrity hacks, they admitted "that someone could use this tool".

Apple declined to comment.
