Celebrity Nudes and iCloud Phishing

The recent leak of celebrities' personal photographs demonstrates just how weak our defenses are against determined attackers. From the internal evidence and the chatter on 4chan and Reddit, it does not look as if this was the result of a single attack or a single hacker. Various sources say that there was a ring of collectors who were attempting to obtain and trade intimate celebrity photos, and that this had been going on for months or years. Just as a scammer wishing to join a 'carder' forum must provide stolen credit card details to administrators, it's said there was a requirement to provide new content in order to join the inner circle of celebrity nude collectors. As a result, quite a lot of the photographs being distributed are fakes, either photoshopped or lookalikes, though some are genuine.

Though most of the photographs did not have any EXIF header information, those that did indicated that the pictures had been taken using an iPhone. While this is not absolute evidence, it did suggest that some of the photographs may have been stolen from Apple's iCloud storage. Apple later stated that, "we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions."

One vector for these compromises may have been a brute force attack on the Find My iPhone API. Interestingly, the code to do this was checked into GitHub on August 30th, just one day before the celebrity photos were leaked. This seems too close to be coincidental. I think it's quite possible that one of the underground photo traders recognized that, now that this vulnerability was published, they were no longer going to be able to use it to steal any more private photos, and decided to go public with their collection. Apple has since added the relatively easy fix of preventing too many different password attempts being made against a single account. However, this should have been part of their system from the start.
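The "relatively easy fix" mentioned above, a per-account limit on failed password attempts, looks roughly like the following on the server side. This is an added example, not Apple's code or anything from the original post: the account name, password, thresholds and the `LoginGuard` class are hypothetical and chosen for illustration. The point it makes is that the counter is keyed by the target account rather than by source address, and that once the budget is exhausted the password is not evaluated at all, so even a correct guess gets the same "locked" answer until the lockout expires.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed credential store for the example: account -> (salt, PBKDF2 hash).
# The account name and password are hypothetical.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, hash_password("correct horse battery staple", _SALT))}
_DUMMY = hash_password("dummy", b"\x00" * 16)  # so unknown accounts cost the same time

MAX_FAILURES = 5            # failed attempts tolerated inside the window (assumed value)
WINDOW_SECONDS = 15 * 60    # sliding window over which failures are counted
LOCKOUT_SECONDS = 60 * 60   # lockout applied once the limit is reached


class LoginGuard:
    """Per-account failed-attempt counter with lockout.

    The counter is keyed by the target account rather than by source IP, so a
    guesser rotating addresses still exhausts the same small budget for a given
    account. The credential is never checked while the account is locked.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable so tests can control time
        self.failures = defaultdict(list)  # account -> timestamps of recent failures
        self.locked_until = {}             # account -> time at which the lock expires

    def is_locked(self, account: str) -> bool:
        return self.locked_until.get(account, 0.0) > self.clock()

    def attempt(self, account: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        now = self.clock()
        if self.is_locked(account):
            return "locked"  # refuse before evaluating the password at all

        # Drop failures that have aged out of the window.
        cutoff = now - WINDOW_SECONDS
        recent = [t for t in self.failures[account] if t > cutoff]
        self.failures[account] = recent

        # Always run the hash so an unknown account is not distinguishable by timing.
        salt, stored = USERS.get(account, (b"\x00" * 16, _DUMMY))
        candidate = hash_password(password, salt)
        if account in USERS and hmac.compare_digest(candidate, stored):
            self.failures[account] = []  # a real login resets the budget
            return "ok"

        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = []
        return "bad_password"


def run_guesses(guard: LoginGuard, account: str, guesses: list) -> list:
    """Feed a list of candidate passwords and return the outcome of each."""
    return [guard.attempt(account, g) for g in guesses]


def demo() -> list:
    # Five wrong guesses followed by the right password: the sixth is refused
    # as 'locked' because the budget was spent, regardless of correctness.
    guard = LoginGuard()
    guesses = ["password", "123456", "letmein", "qwerty", "iloveyou",
               "correct horse battery staple"]
    return run_guesses(guard, "alice@example.com", guesses)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A lockout keyed purely on the account does open a denial-of-service angle (anyone can lock a known account), which is why production systems usually combine it with progressive delays, CAPTCHA after a few failures, or notification to the account owner rather than a hard lock alone; the example keeps the hard lock to show the behaviour the post calls for.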
Part of the problem is that the Apple ID has grown up from something that you just use to download songs from iTunes into a password to all your personal data, backups, and iMessage messaging. The level of security appropriate for music downloads is not as high as is necessary when that password may also give access to all your most private data. I hope this will be a wake-up call for Apple, and that they will make sure their customer data is better protected in future.

Of course, if only Jennifer Lawrence had been reading this blog regularly, she would have seen my advice to turn on dual-factor authentication for iCloud, or even to use a Blackphone instead of an iPhone. But it's too much to ask that A-list celebrities, or even regular consumers, read computer security blogs in order to keep their personal data safe from hackers. Vendors owe it to their customers to provide them with an environment that encourages security from the ground up.

While iCloud is receiving bad publicity over this, it's unlikely to be the sole source of these images. In one of the distributions of the celebrity nudes files available via The Pirate Bay, the Kate Upton folder contained a Dropbox "Getting Started.pdf" file. It's not clear if these photos were originally stolen from a Dropbox folder, but they almost certainly resided in one at some point in their travels, and someone just grabbed the whole folder. Other pictures may have come from compromised desktop machines or from credentials acquired through spear phishing attacks or social engineering.

iCloud phishing is not just for celebrities, though. This year we have seen a significant upturn in phishing attacks on iCloud in both email and SMS spam. This is not limited to English-speaking users, as we are seeing attacks in other languages. As well as accessing personal data, compromised accounts can also be used to send iMessage spam or to hold the account owner to ransom using the Find My iPhone remote locking feature.
The more services we get from a single account, be it from Apple, Google, Amazon, or Yahoo!, the more danger we are in when that account gets compromised, and therefore the more responsible the vendor is to keep that account secure, and to minimize the damage when the account is compromised.