FBI, Apple Probe Account CompromisesCelebrity Photo, Video Breaches Raise Cloud Questions
(This story has been updated.)
See Also: The Global State of Online Digital Trust
The U.S. Federal Bureau of Investigation and Apple are investigating the release of hundreds of celebrities' nude photographs and videos, which security researchers suspect is tied to compromises of iCloud, Dropbox or other cloud service accounts.
The stolen images - some of which have been confirmed as authentic - first appeared Aug. 31 on the anarchic 4chan image-sharing website. Numerous information security experts suspect attackers obtained the images after compromising iOS device backups stored on iCloud, which is Apple's cloud-based storage and content-sharing service. New Apple devices prompt users to allow automatic backups to the service, which will also store copies of their 1,000 most recent images.
"The FBI is aware of the allegations concerning computer intrusions and the unlawful release of material involving high-profile individuals, and is addressing the matter," FBI spokesman Joshua Campbell tells Information Security Media Group. "Any further comment would be inappropriate at this time."
In a statement issued Sept. 2, Apple notes: "After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved."
Apple also says that to protect against this type of attack, "we advise all users to always use a strong password and enable two-step verification."
Some of the individuals allegedly shown in the released images say the photographs have been faked. But that's not the case for every image. A spokesman for Oscar-winning actress Jennifer Lawrence confirms in a statement that the images of her are genuine, and calls their release a "flagrant violation of privacy." Similarly, an attorney for model Kate Upton, whose photos were also allegedly published, offers the following statement: "We intend to pursue anyone disseminating or duplicating these illegally obtained images to the fullest extent possible."
Actress and singer Mary E. Winstead, meanwhile, has criticized anyone who searches for the images. "To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves.
"Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this," she adds, raising the possibility that either the images were stolen some time ago, or else a copy of the images persisted somewhere, and were only recently obtained by attackers.
As that suggests, to date it's still not clear how attackers obtained the images, or what sorts of technical barriers they may have evaded. "As of now, the manner of compromise is as yet unknown and remains speculation," says Boris Gorin, head of security engineering at Israeli cloud app security startup FireLayers.
More Than One Attacker?
So far, some of that speculation has focused on the possibility that more than one attacker was involved. "My personal thinking is that someone hacked desktops, and someone else hacked the hacker. No evidence though," says Dan Kaminsky, chief scientist of malware detection firm White Ops, via Twitter.
Another possibility is the passwords were intercepted using a rogue wireless hotspot, perhaps at an awards event where a number of celebrities gathered, such as the Emmy Award ceremony, Gorin says. "The images leaked have been gradually appearing on several boards on the net prior to the post at 4chan - making it reasonable to believe they were not part of a single hack but of several compromises that occurred over time."
Attackers could have also just guessed poorly chosen passwords. "Based on the information available to us, I believe the attack may have been due to weak passwords being used by the victims on iCloud or other cloud services such as Dropbox," says Dublin-based cybersecurity consultant Brian Honan. If that's the case, then the attacker - or attackers - that stole the images would only have needed to know the e-mail address tied to a person's iCloud or Dropbox accounts, and then could have brute-force-guessed the password until gaining access.
Such an attack would have been possible against iCloud, in part because the Apple "Find My iPhone API" reportedly wasn't rate-limiting the frequency with which passwords could be used to attempt to log into an iCloud account, and Apple wasn't notifying users of failed attempts or otherwise warning of signs of illicit activity. As digital forensics researcher Jonathan Zdziarski says via Twitter: "'You have logged in from a new network. We have sent a validation code to your iPhone to verify your identity' - said no one at Apple ever."
But it's not even clear if the stolen images were obtained from iCloud, according to research published by the person behind the Twitter account "InfoSec Taylor Swift," or "SwiftOnSec," which first started an information security-themed parody of the eponymous actress and singer. The account has since turned serious, decrying the release of private information and images related to women, and undertaken a close examination of the Exif data attached to some of the alleged photographs of model Kate Upton. Exif, which stands for exchangeable image file format, refers to a series of file tags that record the properties of an image when it's taken. Early indications from the published data, which "Swift" uploaded to Pastebin, are that the images were stolen not from Upton, but from her boyfriend.
The data also suggests that not all of the images appear to have originated on iOS devices, as would most likely have been the case in an iCloud breach. "I'm not sold on the idea of iCloud being the only service that was hacked here. Some of the Exif data didn't look consistent with iCloud," says Zdziarski via Twitter. In particular, he found that some of the images were viewed using Windows Viewer, and also that the most recent images appear to be from Aug. 17, 2014.
Brute-Force Tool Eyed
Suspicion about how attackers obtained the data has also centered on a proof-of-concept app called iBrute, which is available via GitHub. "It uses Find My iPhone service API, where bruteforce protection was not implemented," to guess usernames and password combinations, starting with a seed list of the top 500 most-used passwords that were leaked from the breach of RockYou.com in December 2010, according to the app's read-me file. "Before you start, make sure it's not illegal in your country," it adds.
But on Sept. 1, "hackapper" - the developer behind the app, who appears to be white-hat hacker Alexey Troshichev - updated the read-me file to read: "The end of fun, Apple have just patched."
At a recent meeting of the St. Petersburg, Russia-based Defcon Russia group, Troshichev and viaForensics senior security engineer Andrey Belenko presented "iCloud Keychain and iOS 7 Data Protection", a presentation that detailed some of the weaknesses exploited by iBrute. The researchers said they disclosed the weaknesses to Apple, but to date have received no reply.
Just one day after their talk, the stolen celebrity images began appearing on 4chan, leading some commentators to suggest that attackers used iBrute to obtain the images. But Defcon Russia has dismissed that suggestion, saying it's highly unlikely any attackers could have put the tool to use in less than 24 hours, and noting that the related attacks appear to predate the presentation. The group also defended the reputation of the researchers, describing them as "good" information security professionals, "not evil hackerz."
The researchers likewise say their research is theoretical, not applied, and meant to expose the degree to which "data from 'smart' devices" could be accessed via the Internet - as the resulting breaches have now proven. "We only described the way how to hack AppleID. Stealing private 'hot' data is outside of our scope of interests," they say in a blog post.