What Apple's Changing After Massive Celeb Hack

Apple CEO Tim Cook spoke with the Wall Street Journal about some changes the company is making in response to the massive celeb hacking of 2014. Apple has stressed that the hack was not a "breach" of iCloud, which Cook reiterated, but that's a matter of semantics. No, there wasn't some kind of magical backdoor into iCloud. The hackers were able to phish some celebrities' credentials, according to Cook, as well as correctly answer their security questions in order to get access to their accounts. Many reports also say that hackers simply cracked celebrities' passwords with a tool called iBrute, but Apple refuses to confirm it. Either way, once in the account, an intruder could download the entirety of a person's Apple messages, photos, contacts, and on and on with a $200 tool.

So what's changing?

Cook says Apple has historically alerted users by email on their iDevices when someone tries to change their password, or when a new iDevice logs into their account for the first time. Moving forward, more alerts will be coming at Macheads. Via WSJ:

Apple will alert users via email and push notifications when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time.

Not just email anymore. If you're in the middle of watching a Netflix show on your iPad, and someone is attempting to reset your password, your show will be interrupted with a push notification.

Until now, users got an email when someone tried to change a password or log in for the first time from an unknown Apple device; there were no notifications for restoring iCloud data.

That's just crazy. Apple is very late to the game in realizing it's a good idea to let people know that their photos, messages, contacts, and call data are being downloaded, and to confirm that the account holder is the one doing the downloading. Given that the tool hackers were using to rip people's accounts is one used by law enforcement, I'm curious whether this is going to make things difficult for police who were previously downloading people's iPhone information without their knowing it.

Apple said it plans to start sending the notifications in two weeks. It said the new system will allow users to take action immediately, including changing the password to retake control of the account, or alerting Apple's security team.

I'm assuming this means people will get alerts before the actual downloading of their iCloud begins so they can stop it if it's an unwanted intruder. Otherwise, that alert is not super helpful. Cook does not talk about how long that time delay would be.

But Mr. Cook said the most important measures to prevent future intrusions might be more human than technological. In particular, he said Apple could have done more to make people aware of the dangers of hackers trying to target their accounts or the importance of creating stronger and safer passwords.

While this is true, it kind of sounds like Cook is again blaming the victims for not realizing the dangers out there. And it doesn't even make sense. If they were phished, as Cook claims, then it wouldn't matter how strong and safe their passwords were, because they gave them up to an attacker who presented them with a fake Apple log-in screen or an official-looking Apple email or something like that. If they weren't phished, then the attackers got in either by breaking their security questions -- which Apple made easy by allowing people to repeatedly refresh them till they got two they could answer -- or by guessing their password. Perhaps some celebs had a weak password such as Hung3rG@mez, but it's more likely that, if an attacker came in this way, they used a brute force tool, which tries lots of different combinations until it gets the right one. And according to many security experts, Apple made that technique possible on its platform because it was not rate-limiting the number of password attempts until this week, despite the flaw being known about since at least May.

"When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece," he said. "I think we have a responsibility to ratchet that up. That's not really an engineering thing."

True. Apple should follow Facebook's lead, and do privacy and security check-ups with users.

Apple said a majority of users don't use two-factor authentication, so it plans to more aggressively encourage people to turn it on in the new version of iOS.

Great! Apple might also consider showing people a list of the IP addresses that have logged into their account, so they know to be alarmed if they spot one they don't recognize. Both Google and Facebook allow users to review that information but Apple has "actively refused to share that info in the past," tweets security technologist Einar Otto Stangvik.
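As an added example (not code from the article, Apple or the WSJ), here is a small Python login guard that puts together three of the controls discussed above: per-account rate limiting of password attempts, a push alert the first time an unseen device signs in, and a per-account log of login IPs that the user could review. The thresholds, account name, device ids and IP addresses are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_FAILURES = 5          # failed attempts per account per window (assumed threshold)
WINDOW_SECONDS = 15 * 60  # sliding window for the lockout (assumed)

def hash_password(password, salt=b"constructed-salt"):
    # PBKDF2 stands in for a real slow KDF; iteration count kept small for the demo
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class LoginGuard:
    """Per-account throttling plus first-time-device alerting and an IP login log."""
    def __init__(self, credentials):
        self._creds = credentials                # account -> (salt, derived key)
        self._failures = defaultdict(list)       # account -> failure timestamps
        self.known_devices = defaultdict(set)    # account -> device ids already seen
        self.login_history = defaultdict(list)   # account -> [(ts, device_id, ip)]
        self.alerts = []                         # (account, message) to push to the user

    def _locked(self, account, now):
        recent = [t for t in self._failures[account] if now - t < WINDOW_SECONDS]
        self._failures[account] = recent
        return len(recent) >= MAX_FAILURES

    def attempt(self, account, password, device_id, ip, now):
        """Return 'locked', 'failed' or 'ok'. While locked, even the right
        password is rejected, which is what defeats online guessing."""
        if self._locked(account, now):
            return "locked"
        salt, key = self._creds[account]
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, key):
            self._failures[account].append(now)
            if self._locked(account, now):
                self.alerts.append((account, f"too many failed logins from {ip}"))
            return "failed"
        self.login_history[account].append((now, device_id, ip))
        if device_id not in self.known_devices[account]:
            self.known_devices[account].add(device_id)
            self.alerts.append((account, f"new device {device_id} signed in from {ip}"))
        return "ok"

def demo():
    guard = LoginGuard({"celeb": hash_password("Hung3rG@mez")})
    # Constructed guessing sequence: five wrong guesses, then the right one
    guesses = ["password", "123456", "qwerty", "letmein", "iloveyou", "Hung3rG@mez"]
    results = [guard.attempt("celeb", g, "dev-x", "203.0.113.9", t) for t, g in enumerate(guesses)]
    # The real owner, on a never-seen device, after the lockout window has passed
    owner = guard.attempt("celeb", "Hung3rG@mez", "iphone-1", "198.51.100.4", WINDOW_SECONDS + 10)
    return results, owner, guard.alerts
```

The sixth, correct guess still comes back "locked", while the owner's later sign-in succeeds and triggers only the new-device alert.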

Here's to hoping these changes actually result in fewer nude photos of iPhone users leaking onto the Internet.