
Demystifying the celebrity iCloud hack


On 31 August, anonymous users of the infamous forum 4chan leaked nude photos and videos of several female celebrities, claiming to have obtained them by hacking the celebrities' iCloud accounts. One 4chan user requested bitcoin or PayPal donations before releasing more images and videos, allegedly of over 100 celebrities.
Guillaume Lovet, senior manager of FortiGuard Labs Threat Response Team at Fortinet, discusses the issue.

Following the attack, some celebrities (such as Jennifer Lawrence and Mary Elizabeth Winstead) confirmed the pictures' authenticity, while others (for example Victoria Justice, Ariana Grande and McKayla Maroney) reported they were fake.
At this point, Apple has not confirmed iCloud was hacked, merely stating an investigation is on-going.

Who is behind this hack?
The list of hacked celebrities was released by anonymous 4chan users with the IDs ffR+At7b and UggsTju5. Their identities are still unknown, and we do not know whether more users are behind this breach.

One of them could be a 26-year-old living in Lawrenceville, Georgia, whose identity was made public. When contacted by the media, he admitted to having tried to sell some of the nude photos for $100 each on Reddit, under the nickname BluntMastermind, but denies being the source of the leak. However, he seems to have the necessary skills (he is a server admin) and posted screenshots with a strong resemblance to those on 4chan (he says the pictures are Photoshop work).
Also, the 4chan board where the information was posted is the /b/ Random board used for artistic works of fiction and falsehood.
The board’s description also states “Only a fool would take anything posted here as fact”. This board is said to be used by Anonymous.
Twitter accounts (such as @Callux) posting uncensored pictures of the celebrities have been suspended, and some celebrities warned they would prosecute them.

How did they access those pictures?
At this stage, nobody knows how the pictures were accessed. There are only rumours and assumptions.
Assuming an iCloud breach, the following scenarios can be hypothesised:
* Cross-site breach – e-mail addresses and passwords were harvested from a breach or leak on another Web site. The victims happened to use the same credentials on iCloud, which led to the compromise. This is the most plausible hypothesis.
* Hack of the core iCloud infrastructure – with direct access to the unencrypted photos, or flaw in another Apple service like password recovery. We are not specifically aware of any such flaw.
* Brute-forcing iCloud accounts – Two researchers, Andrey Belenko and Alexey Troshichev, proved this was possible and released a tool named iBrute. Apple patched the vulnerability on Sep 1, 2014. This hypothesis, while appealing because of the timing of the patch, is however not the most plausible: it implies that the attackers had access to the targets' Apple IDs (i.e. e-mail addresses) in the first place. Celebrities, like any other end-users, probably do not always use strong passwords to protect their accounts; however, they will usually keep their e-mail addresses private, so as not to be spammed by fans.
* Wifi of Emmy Awards getting hacked – This hypothesis would imply compromised certificates, or an unknown SSL flaw exploited by the hackers (on top of the ability to hijack the Wifi system). It is the least plausible scenario.
It is also possible that there was no such iCloud breach at all, or at least that it was not the only breach involved.

It indeed seems more plausible that several different hackers gathered the pictures on various sites such as Dropbox, Google Drive, iCloud:
* Some pictures appear to have been taken with an Android device or a webcam. Those pictures have no reason to be on iCloud, unless they were specifically moved there by their owner afterwards.
* Apple’s PhotoStream only keeps the photo you upload in iCloud for 30 days. This does not match with the fact some celebrities mentioned the pictures were very old.
* Beyond photos, some videos were leaked. iCloud does not sync videos.

Wasn’t there another iCloud attack earlier this year?
Yes indeed. You are referring to a vulnerability exploited in March 2014, where an attacker used Apple’s Find My iPhone feature to lock phones and ask for a ransom.

What could Apple do to prevent this attack?
Currently, there is no two-factor authentication for iCloud accounts, only for My Apple ID (which is another Web site).
Again, had two-step authentication been available for iCloud as well, it might have prevented at least part of the leak: ID/password combinations harvested from previous database breaches would not have been enough to log in to iCloud and download the targets' photo streams.
Note that Dropbox, on the other hand, does offer two-factor authentication, as an opt-in service.

What could a user do to avoid getting hacked?

Generally speaking:
* Use different passwords for different accounts or services. If you do already share passwords between accounts, change your Apple password now.
* Use a strong password.
* Remember that the cloud is not an inviolable safe, and as such, enable two-factor authentication wherever possible.
Regarding iCloud specifically, one can prevent photos from being uploaded from an Apple device to the cloud by disabling Settings → iCloud → Photos → My Photo Stream.
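The two attack paths discussed above (a dictionary attack against a login endpoint with no attempt limit, and credential stuffing with a password reused from another site's breach) and the two defences recommended (a lockout after a few failures, and a second factor) can be shown side by side in a small model. The code below is an added example, not Fortinet's, Apple's or the iBrute authors' code; the account, the "leaked dump" and the wordlist are constructed, the `LoginService` class and its parameters are hypothetical, and the second factor is a standard RFC 6238 TOTP computed with the Python standard library.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample data (not real accounts or breach data).
# One account whose password also appears in a third-party breach dump,
# mirroring the "cross-site breach" hypothesis.
ACCOUNTS = {
    "celeb@example.com": {
        "password": "sunshine1",
        "totp_secret": b"12345678901234567890",  # RFC 6238 reference secret
    }
}
LEAKED_DUMP = {"celeb@example.com": "sunshine1"}  # constructed: harvested elsewhere
WORDLIST = ["123456", "password", "iloveyou", "sunshine1", "qwerty"]  # constructed


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for a given Unix time."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class LoginService:
    """Hypothetical password login with optional lockout and second factor."""

    def __init__(self, max_attempts=None, require_second_factor=False):
        self.max_attempts = max_attempts            # None: unlimited guesses
        self.require_second_factor = require_second_factor
        self.failures = {}                          # per-account failure counters
        self.locked = set()

    def login(self, user, password, otp=None, now=None):
        if user in self.locked:
            return "locked"
        acct = ACCOUNTS.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            n = self.failures.get(user, 0) + 1
            self.failures[user] = n
            if self.max_attempts is not None and n >= self.max_attempts:
                self.locked.add(user)               # stop further guessing
                return "locked"
            return "denied"
        if self.require_second_factor:
            now = int(time.time()) if now is None else now
            expected = totp(acct["totp_secret"], now)
            if otp is None or not hmac.compare_digest(expected, otp):
                return "second_factor_required"    # password alone is not enough
        return "ok"


def brute_force(service, user, wordlist):
    """Dictionary attack: returns (outcome, attempts used) when it stops."""
    for attempts, guess in enumerate(wordlist, 1):
        outcome = service.login(user, guess)
        if outcome != "denied":
            return outcome, attempts
    return "denied", len(wordlist)


def credential_stuffing(service, dump, now=None):
    """Replay credentials harvested from another site against this service."""
    return {user: service.login(user, pw, now=now) for user, pw in dump.items()}


if __name__ == "__main__":
    print(brute_force(LoginService(), "celeb@example.com", WORDLIST))
    print(brute_force(LoginService(max_attempts=3), "celeb@example.com", WORDLIST))
    print(credential_stuffing(LoginService(), LEAKED_DUMP))
    print(credential_stuffing(LoginService(require_second_factor=True), LEAKED_DUMP))
```

Against the unthrottled service the dictionary attack succeeds on the fourth guess; with a three-attempt lockout it is stopped before reaching the right password. The replayed breach credentials log in unchallenged when only a password is checked, and are refused with `second_factor_required` once a TOTP is mandatory, which is the point made above about two-step authentication.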