Subscribe & Follow

Advertise your job vacancies

Safeguarding against an Apple iCloud hack

10 Sep 2014

In August, anonymous users of infamous forum 4chan leaked nude photos of several female celebrities. They claimed they had had access to those pictures, and some videos, via hacking iCloud accounts. One 4chan user requested bitcoin or monetary donations to a PayPal account before releasing more images and videos of over 100 celebrities.

Guillaume Lovet

Some celebrities (e.g. Jennifer Lawrence and Mary Elizabeth Winstead) confirmed the pictures' authenticity while others (Victoria Justice, Ariana Grande, McKayla Maroney) reported they were fake.

At this point, Apple has not confirmed whether iCloud was hacked, merely stating an investigation is ongoing.

Who is behind the hack?

The list of hacked celebrities was released by anonymous 4chan users with ID ffR+At7b and UggsTju5. Their identity is, as yet, unknown. We don't know either if there are more users behind this breach or not.

One of them could be a 26-year-old living in Lawrenceville, Georgia, whose identity was made public. Reached out by the media, he admitted to having tried to sell some of the nude photos for US$100 each on Reddit, under the nickname BluntMastermind, but denies being at the origin of the leak. However, he seems to have the necessary skills (he's a server admin) and posted screenshots with strong resemblance to those on 4chan (he says the pictures are Photoshop work).

Also, the 4chan board on which the information was posted is the /b/ - Random board used for artistic works of fiction and falsehood.

The board's description also states: 'Only a fool would take anything posted here as fact.' This board is said to be used by Anonymous.

Twitter accounts (e.g. @Callux) posting uncensored pictures of the celebrities have been suspended, and some celebrities warned they would prosecute them.

How were those pictures accessed?

At this stage, nobody knows how the pictures were accessed. There are only rumours and assumptions.

Assuming an iCloud breach, the following scenarios can be hypothesised:

Cross-site breach: Email addresses and passwords were harvested from a breach/leak on another website. They just happen to share the same credentials on iCloud, which led to the compromise. This is the most plausible hypothesis;

Hack of the core iCloud infrastructure: with direct access to the unencrypted photos, or flaw in another Apple service like password recovery. We are not specifically aware of any such flaw;

Brute-forcing iCloud accounts: Two researchers, Andrey Belenko and Alexey Troshichev, proved this was possible and released a tool named iBrute. Apple patched the vulnerability on 1 September, 2014. This hypothesis, while appealing due to the patching timing, is, however, not the most plausible: indeed it implies that attackers had access to the targets' AppleID (i.e. email address) in the first place. Celebrities, like any other end-user, probably do not always use strong passwords to protect their accounts; however they will usually keep their email addresses private, so as not to be spammed by fans; and

Wi-Fi of Emmy Awards getting hacked: This hypothesis would imply compromised certificates, or an unknown SSL flaw exploited by the hackers (on top of the ability to hijack the Wi-Fi system). It is the least plausible scenario.

It is also possible that there is no such iCloud breach at all, or at least not the only breach involved. It indeed seems more plausible that several different hackers gathered the pictures on various sites: Dropbox, Google Drive, iCloud:

Some pictures appear to have been taken with an android device or a webcam. Those pictures have no reason to be on iCloud, apart from if they were specifically moved there by their owner afterwards;

Apple's PhotoStream only keeps the photo you upload in iCloud for 30 days. This does not match with the fact some celebrities mentioned the pictures were very old; and

Beyond photos, some videos were leaked. iCloud does not sync videos.

Wasn't there another iCloud attack earlier this year? Yes, indeed. You are referring to a vulnerability exploited in March 2014, when an attacker used Apple's Find My iPhone feature to lock phones and ask for a ransom.

What could Apple do to prevent this attack? Currently, there is no two-factor authentication for iCloud accounts, only for My Apple ID (which is another website).

Again, should two-steps authentication been available for iCloud as well, this might have prevented at least part of the leak: ID/password combinations harvested from previous database breaches would have not been enough to log in iCloud and download the targets' PhotoStream.

Note that Dropbox, on the other hand, does offer two-factor authentication, as an opt-in service.

What could a user do to avoid getting hacked?

Generally speaking:
1. Use different passwords for different accounts or services. If you do already share passwords between accounts, change your Apple password now;
2. Use a strong password; and
3. Remember that the cloud is not inviolably safe and, as such, enable two-factor authentication wherever possible.

Regarding iCloud specifically, one can prevent photos to be uploaded from an Apple device to the cloud by disabling Settings ? iCloud ? Photos ? My Photo Stream.