The naked truth about iCloud safety

Backup everything to iCloud.
Photo: Jim Merithew/Cult of Mac

By now you’ve probably heard about the avalanche of celebrity nude photos that slammed the Web on Labor Day. But amid the chaos of FBI investigations, celeb denials and Apple PR releases that say basically nothing, understanding how the attackers executed the hack — and how to prevent it from happening to you — hasn’t been so clear.

Apple recommended that all users enable two-step verification “to protect against this type of attack,” but the truth about iCloud’s two-step security is a little more complicated than Apple’s letting on, and turning it on probably wouldn’t have prevented the celebrities’ pics from getting hacked in the first place.

To help sort through the confusing mess, we’ve broken down everything you need to know about iCloud’s security and how you can use two-factor authentication and other security steps to keep some perv named 4chan from blasting your nips all over the Internet.

Should I turn on iCloud two-factor authentication?

Yes. Adding two-factor authentication to your Apple ID account will give you an extra measure of protection against simple password theft. This will require you to enter a code sent to your iPhone or iPad that confirms that, yes, it’s totally you trying to log in.

How do I turn it on?

Our man Joshua Smith will take you through the entire process of setting up two-factor authentication in just 90 seconds in this how-to video:

Once I have two-factor activated, will the scandalous pics in my Photo Stream be safe?

Nope. There are only three things that two-factor really secures: 1) Signing into My Apple ID. 2) Making iTunes purchases from a new device. 3) Receiving Apple ID-related support from Apple. There have been rumors that iCloud’s two-factor security will expand to other services, but for now it does not protect iCloud backups, Find My iPhone data or documents stored on iCloud.

So an attacker could download my entire Photo Stream and iCloud won’t double-check that it’s really me?

Nope. This is one of the biggest flaws in Apple’s incomplete two-factor authentication. iCloud backups are not protected, so all an attacker has to do is get your Apple ID, hack your password and then siphon all your data completely undetected using the same forensic tools as the police.

Just because some celebrities got hacked, that doesn’t mean I’m at risk too, right?

Wrong. Jennifer Lawrence might be getting all the headlines, but few have mentioned that these attacks are happening every day to ordinary people. An entire 4chan offshoot exists for the sole purpose of stealing nudie pics using anyone’s Apple ID they can get their hands on. The pervs have refined the process down to a science so easy any horny 14-year-old could do it.

Is this all Apple’s fault then?

No, but kinda. Apple left the door open, but the greatest celebrity hack of all time was aided by factors aside from iCloud’s incomplete two-factor authentication. The AnonIB rippers were able to get passwords more easily thanks to iBrute, an app that took advantage of a Find My iPhone bug to allow unlimited password attempts. The attackers also used tools like Elcomsoft Phone Password Breaker to download entire backups, allowing them to swipe old photos celebs might have deleted from their Camera Roll months before.
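The unlimited-attempts bug above is what happens when one sign-in path skips the failed-attempt counter that the others enforce. The following is an added example, not code from Apple or from this article: it keeps one failure counter per account that every endpoint shares, so guesses sent to any path count toward the same lockout. The endpoint names, the threshold of 5 and the 15-minute window are assumptions.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumed threshold before lockout
LOCKOUT_SECONDS = 900   # assumed sliding window (15 minutes)


class AccountThrottle:
    """Failed-login counter keyed by account, not by endpoint."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(list)  # account -> failure timestamps

    def _recent(self, account):
        # Keep only failures that are still inside the window.
        cutoff = self._clock() - LOCKOUT_SECONDS
        kept = [t for t in self._failures[account] if t > cutoff]
        self._failures[account] = kept
        return kept

    def locked(self, account):
        return len(self._recent(account)) >= MAX_FAILURES

    def record_failure(self, account):
        self._recent(account).append(self._clock())

    def record_success(self, account):
        self._failures.pop(account, None)


def login(throttle, endpoint, account, password_ok):
    """Single entry point that every sign-in path must call.

    `endpoint` is kept for logging only; it is deliberately not part of
    the throttle key, so no path gets its own fresh budget of guesses.
    """
    # Check the lock first: while locked, even a correct password is
    # refused, so the endpoint cannot be used to confirm a guess.
    if throttle.locked(account):
        return "locked"
    if not password_ok:
        throttle.record_failure(account)
        return "denied"
    throttle.record_success(account)
    return "ok"
```

Locking on the account alone lets anyone lock a victim out by failing on purpose, so real deployments usually pair this with per-source limits and a notification to the account owner.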

What could Apple do to prevent this from happening again?

A simple notification email any time your iPhone backup has been downloaded by a computer would be a nice start. Requiring users to enter another ID code when restoring a device or logging into an iCloud account from a new device or location would also help. Releasing a statement that celebs just aren’t using their iPhones right isn’t enough. Apple needs to make solutions that allow users to play a more active role with their data and how it’s managed long-term.

What else can I do to protect my data?

Create a complex password for iCloud (and consider using a powerful tool like 1Password that will manage all your strong passwords). Use a private email address to sign up for cloud services. Encrypt your pictures. Make up random answers to your password-reset questions. Don’t share personal info on the Internet. And if you really want to make sure the world doesn’t get a peek at your nude selfies, take RZA’s advice and don’t put your naughty bits on a screen.
