Apple’s issued a statement relating to the hacking of celebrity iCloud accounts, stating that there was no breach to iCloud or Find My iPhone. It’s an interesting statement — but I’m not sure that it means what a lot of people think it means.
Here’s the statement in full, sourced from Apple’s PR release library.
Update to Celebrity Photo Investigation
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
I wrote about passwords, 2FA and for some reason Bert Newton yesterday, although as has been pointed out by more than a few, Apple doesn’t push two-factor authentication in every access case, which means its particular interpretation of it is still quite weak.
There are a few key takeaways here, because the language at first glance seems to wash Apple’s hands of all liability. I’m certain that’s what they’d want in any case, but it’s not quite that precise. The news of no widescale breach — that is, attacks that opened the floodgates on iCloud — is indeed encouraging, because that would be a security problem of an entirely different scale.
Equally, the statement implies that the theory that Find My iPhone may have been hammered with repeated brute-force attacks may not have been correct, because, hey, no breach, right?
Except it doesn’t quite say that. What it says is that it was “a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.”
It doesn’t say what that attack was.
I suspect that’s quite deliberate, if only due to US liability laws, because Hollywood does have a few good lawyers on its side, and Apple’s presumably frantically working with law enforcement to bring the culprits to light and limit its own liability, if there is any.
A targeted attack on security questions does suggest that passwords were reset in order to gain access, rather than, say, a phishing attempt or leak from a celebrity employee or some other such matter. To give Apple credit, it could be any of a number of other factors, and I’ve put a query through to Apple’s PR department to see if they can provide any further detail.
Apple reportedly patched the hole that allowed mass brute force attempts at password resets over the weekend, but by then the damage was done, and in any reasonable sense that was a remarkably poor bit of security planning, to put it politely.
Or in other words, there was a breach, because the ultimate aim of these kinds of cloud systems is to be secure.
Breach still means breach, even if it’s (thankfully) not as widespread as some first feared.
Update: Apple PR advises me that “We have no further details beyond the media advisory.” Which could mean many things; on balance there is still an ongoing criminal investigation to take into consideration, but equally it still doesn’t say all that much.
Update: There’s some fascinating analysis of the security side of matters in this article if you’re particularly keen.