The Washington Post

After nude celebrity hacking, Apple’s Tim Cook says company will improve security


In this Oct. 22, 2013 file photo, Apple chief executive Tim Cook introduces the new iPad Air in San Francisco. (AP Photo/Marcio Jose Sanchez, File)

In the wake of the naked celebrity photo hacking, Apple chief executive Tim Cook says the company could have done more to make people aware of security measures and will introduce ways to better protect user accounts.

In an interview with the Wall Street Journal, his first since the photos of Jennifer Lawrence and others went public, he said celebrities’ iCloud accounts were compromised either because they fell prey to a phishing scam aimed at obtaining their login information or because hackers guessed the answers to their security questions.

He denied that the celebrity photo hack was due to a security failure on Apple’s part. He said none of their user IDs and passwords leaked from the company’s servers.

To make future breaches less likely, Apple will start sending e-mail alerts and push notifications to users any time an account password is changed, iCloud data is restored to a new device or a device logs into an account for the first time. Previously users were not notified when data was restored to iCloud, where users can back up photos, music and other data.

The new measures, which take effect in two weeks, will allow users to take immediate action to protect their account by changing their password or contacting Apple.

However, users won’t know until after the fact if their account has been hacked. At that point, private photos or personal data could be making its way around the Web.

Cook acknowledged the company could have done more to educate users. “When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” he told the Journal. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”

He also said Apple will do more to encourage users to enable two-factor authentication, which requires a special code in addition to a username and password to access an account. The feature is designed to protect users when their usernames and passwords are stolen.

On Apple’s new iPhone, due out later this month, the feature will also cover access to iCloud accounts from a mobile device, Cook said.

Currently, two-factor authentication only protects three things: signing in to My Apple ID to manage an Apple account; making iTunes, App Store, or iBookstore purchases from a new device; and getting Apple ID-related support from Apple.

That wouldn’t have protected the celebrities whose photos were stolen, according to TechCrunch, because hackers can exploit the fact they don’t need a verification code to restore a device from an iCloud backup, one of many iCloud services not currently protected by two-factor authentication. That means, if a hacker steals your username and password, he can export the data using an application called the Phone Password Breaker. A security researcher who works for the company that created Phone Password Breaker actually talked about the vulnerability at a security conference last year. It has also been widely covered by the tech press: Ars Technica, ZDNet and TUAW, to name a few.

Apple said it’s working with law enforcement to identify the hackers.

Gail Sullivan covers business for the Morning Mix blog.
