Apple is beginning to come under increased scrutiny. By now, you have likely heard about the massive celebrity hacking dubbed “The Fappening.” It is an interesting choice of title for the ordeal, considering the sensitive nature of the content leaked from 100+ celebrities.
An apparent group of hackers spent months targeting celebrities’ Apple iCloud accounts. Once the hackers gained access to a targeted celebrity account, intimate and personal photos and/or videos were compromised.
While it’s still unclear exactly what methodology the hackers used to gain access to the iCloud accounts, it has been theorized to be a vulnerability in the Find My iPhone password recovery tool. Apple only recently patched a vulnerability that let attackers run textbook password-guessing attacks against known email addresses with no rate limiting and no account lockout, which may well be what the hackers used.
As Evan Blass suggests, it may have taken only a handful of successful account compromises to gain a window into a plethora of others. Besides nude photos and videos, the hackers likely gained access to address book contacts. Celebrities are usually friends with other celebrities, which allowed the attackers to keep connecting the dots and breaching additional accounts.
The number of breached accounts overall is still unknown. However, Apple issued this hard-to-believe statement on the matter:
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.”
Apple’s public relations team certainly worked diligently to craft the statement’s wording. However, no matter how the company plays with words to save face, the truth is that there was a security breach in its services. Apple negligently handled its security practices by neither rate limiting password attempts against Find My iPhone nor locking accounts after a limited number of bad login attempts, protections the company only now silently added as this ordeal hit the media airwaves.
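As an added illustration, not code from this article, Apple or BlackBerry, here is the kind of gate the post says was missing: a per-account lockout after a fixed number of failures inside a time window, plus a per-source throttle, both evaluated before any password is compared. The policy values, account names, addresses and credential store are constructed for the example.

```python
from collections import defaultdict, deque
# Policy values are constructed for this example, not Apple's real settings.
MAX_FAILURES = 5      # failed attempts per account before lockout
WINDOW = 300          # seconds over which attempts are counted
LOCKOUT = 900         # seconds an account stays locked
MAX_PER_SOURCE = 20   # attempts per source address per window, any account

def _prune(dq, now):  # drop timestamps older than the counting window
    while dq and now - dq[0] > WINDOW:
        dq.popleft()

class LoginGuard:
    """Lockout per account and throttling per source, both checked before any password comparison."""
    def __init__(self, clock):             # clock: callable returning seconds
        self.clock = clock
        self.failures = defaultdict(deque)     # account -> failure times
        self.source_hits = defaultdict(deque)  # source -> attempt times
        self.locked_until = {}                 # account -> unlock time

    def check(self, account, source):
        """Return 'allow', 'locked' or 'throttled' for a new attempt."""
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"
        hits = self.source_hits[source]
        _prune(hits, now)
        if len(hits) >= MAX_PER_SOURCE:
            return "throttled"
        hits.append(now)
        return "allow"

    def record_failure(self, account):
        now = self.clock()
        fails = self.failures[account]
        _prune(fails, now)
        fails.append(now)
        if len(fails) >= MAX_FAILURES:   # lock the account and reset the count
            self.locked_until[account] = now + LOCKOUT
            fails.clear()

def attempt(guard, store, account, password, source):
    """Policy first; the dict lookup stands in for a real credential check."""
    verdict = guard.check(account, source)
    if verdict != "allow":
        return verdict
    if store.get(account) == password:
        guard.failures.pop(account, None)  # success clears the failure count
        return "success"
    guard.record_failure(account)
    return "failure"
```

With this in place, a sixth guess is rejected as "locked" even if it happens to be the right password, and the correct password only works again once the lockout has expired.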
Many have said that the only reason BlackBerry doesn’t suffer the same fate is security through obscurity. Security through obscurity (STO) is the belief that a system of any sort, BlackBerry in this case, can be secure so long as nobody outside its implementation group is allowed to find out anything about its internal mechanisms.
That is a fairly weak argument against BlackBerry, though. Security and privacy have always been BlackBerry’s staple features — even in consumer-focused products. BlackBerry’s defining security was never due to obscurity, and its security practices didn’t fizzle out over time with slowing sales. The company has kept its focus on mitigating customer data loss and continues to win government certifications and awards.
In the same way the Blackphone was criticized as offering ‘Consumer-Grade Privacy That’s Inadequate for Businesses’, BlackBerry should extend that same critique to celebrities and emphasize Apple’s negligence. The iCloud breach is a big enough blunder for Apple that it will certainly hinder its reputation for offering secure services.
The ball is currently in BlackBerry’s court. Brand ambassadors should be actively reaching out to celebrities and offering them new BlackBerry 10 smartphones. It’s a common marketing practice, and one that has allowed a company like Beats by Dre to garner a massive market share; you regularly see its headphones on almost every celebrity. BlackBerry has a golden opportunity to use “The Fappening” to get users turned on to security.