iCloud or not iCloud: What Really Happened in the Nude Selfie Breach?

You’ve seen it on the internet, even on TV news shows: a number of A-list celebrities had nude selfies swiped from their phones, or from their iCloud accounts. Initial suspicion fell on iCloud, because a couple of days before the photos leaked an exploit was released that targeted Find My iPhone, part of iCloud. The exploit relied on the fact that the Find My iPhone login wasn’t rate limited: it didn’t lock an account, or block the client, after a certain number of failed password attempts. So the script simply took a list of the 500 most commonly used passwords and tried each one against any Apple ID. If your password was weak, well, you’d get owned. Apple patched iCloud to fix this issue two days later.
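What the missing rate limit actually buys an attacker, as an added example that is not Apple’s code and not the script the post describes: a simulated login service (a hypothetical `AuthService`) is run once without any failure counting, the way the unpatched endpoint behaved, and once with a lockout after five wrong guesses. The short wordlist, the sample account and its weak password are all constructed for the demonstration.

```python
"""Added example (not Apple's code): why a missing rate limit turns a
weak password into a guaranteed compromise, and what a lockout changes.

Everything here is simulated offline: the account store, the password
list and the 'attacker' loop are constructed for the demonstration.
Password hashing uses PBKDF2 from the standard library; the hypothetical
AuthService stands in for any login endpoint."""

import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for the "500 most common passwords" list.
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "abc123",
    "monkey", "letmein", "dragon", "111111", "baseball",
    "iloveyou", "trustno1", "sunshine", "master", "welcome",
]


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0


class AuthService:
    """Hypothetical login endpoint. With max_failures=None it behaves like
    the unpatched endpoint described above: it checks the password and
    never counts failures. With a limit it locks the account after that
    many consecutive wrong guesses, so a dictionary run stalls."""

    def __init__(self, max_failures=None):
        self.max_failures = max_failures
        self.accounts = {}

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return "invalid"          # same answer as a wrong password
        if self.max_failures is not None and acct.failures >= self.max_failures:
            return "locked"           # refuse even the correct password
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        return "invalid"


def dictionary_attack(service, user, wordlist):
    """Attacker loop: try every word until the service says ok or locks.
    Returns (found_password_or_None, attempts_made)."""
    for n, guess in enumerate(wordlist, 1):
        result = service.login(user, guess)
        if result == "ok":
            return guess, n
        if result == "locked":
            return None, n
    return None, len(wordlist)


def demo():
    """Run the same attack against both configurations."""
    results = {}
    for label, limit in (("no_rate_limit", None), ("lockout_after_5", 5)):
        svc = AuthService(max_failures=limit)
        svc.register("celeb@example.com", "sunshine")   # constructed weak password
        results[label] = dictionary_attack(svc, "celeb@example.com", COMMON_PASSWORDS)
    return results


if __name__ == "__main__":
    for label, (pw, n) in demo().items():
        print(f"{label}: password={pw!r} after {n} attempts")
```

Without a limit the loop recovers the password on the 13th guess; with the lockout it is stopped on the 6th. A hard lockout is the simplest fix, but it also lets anyone lock a victim out by guessing wrong on purpose, so a production endpoint would throttle per source address and per account with a growing delay, and alert on bursts of failures spread across many accounts, which is the signature of a list being run against a service rather than one user mistyping.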

But Apple came out with a public statement, saying, “After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”

So, who to believe? Some stars jumped the gun, relying on sketchy media reports suggesting that Apple was to blame, and cast aspersions – well, pizza turd – on the company:

[Screenshot: Safari001.png]

But the evidence suggests that even if iCloud was to blame for some of these breaches, it wasn’t for all of them. Some of the stars claim the photos are fakes, while others point out that they don’t use iPhones. According to Apple, their iCloud security questions – the ones you answer to reset a forgotten password – were too easy to figure out. (Though I haven’t seen any suggestion that any of these stars found themselves locked out of their accounts, which would have happened if their passwords had been reset.)

There’s lots of speculation, and one of the more interesting theories comes from Boris Gorin of FireLayers. As PC World reports, Gorin said, “The images leaked have been gradually appearing on several boards on the net prior to the post at 4chan–making it reasonable to believe they were not part of a single hack, but of several compromises that occurred over time.”

The PC World article goes on to say:

“Gorin shared a theory the celebrities may have been hacked while connected to an open public Wi-Fi network at the Emmy Awards. If they accessed their personal iCloud accounts, attackers connected to that network would have been able to intercept and capture the username and password credentials. That’s not a security flaw with iCloud and having a strong or complex password wouldn’t offer protection against transmitting that password in clear text on a public Wi-Fi network.”

So we’re stuck in a he-said-she-said loop. In this corner, Apple says these people were targeted by password-reset attacks that depended on weak security questions. Yet none of the celebrities have said they found anything amiss when logging in on their phones or computers, which they would have if their passwords had been reset. (Of course, they may not want to admit that.) And in that corner, security researchers are looking at old-school man-in-the-middle attacks on public Wi-Fi networks, a theory that only works if the credentials crossed the network unencrypted, something the HTTPS logins iCloud uses are there to prevent.

What seems likely is that, as Gorin says, these were images that had been leaking slowly, and that one person decided to dump them all at once, to suggest that they all came from the same exploit or hack. And if so, why? Should one speculate that there is a link between this photo dump and Apple’s new product event next week? That, perhaps, a competitor contracted with some black-hat hackers to try to get Apple to have some egg on its face; or some pizza turd?

Put your tinfoil hat on, dear reader. We will probably never know the answer to this one.

One suggestion to the celebrities reading this article (there might be one or two): you have people who tell you what to say and what to wear; find someone to tell you how to keep your personal data secure. It’s not that complicated.

Update: We now know much more about this breach. There was no single incident that grabbed all the photos; a number of techniques were used, from simply figuring out the answers to security questions to forensic software that anyone can buy for $400 (or simply torrent). Part of the fault is Apple’s, for those accounts that were accessed using the brute-force script, but not all of the accounts whose photos were leaked were accessed that way.

8 thoughts on “iCloud or not iCloud: What Really Happened in the Nude Selfie Breach?”

  1. Ugh. The stupid here, Kirk. It hurts.

    “Initial thoughts pointed to iCloud, since an exploit was released a couple of days before the photos leaked which targeted Find My iPhone, part of iCloud.”

    The Register first wrote about the lack of rate limiting for Find My iPhone in May.

    Indications are that it was known before that.

    “So we’re stuck in a he-said-she-said loop. In this corner, Apple is saying that these people were targeted by password-reset hacks, which depended on weak security questions. Yet none of the celebrities have said that they found anything amiss when trying to log into anything with their phones or computers.”

    This isn’t “he-said-she-said”. This is “Apple lying”.

    Just as Apple is lying in saying that 2FA will protect users from iCloud attacks.

    “Should one speculate that there is a link between this photo dump and Apple’s new product event next week? That, perhaps, a competitor contracted with some black-hat hackers to try and get Apple to have some egg on their face; or some pizza turd?”

    Pretty much all the evidence discovered points against that particular aspersion, if you look at the reports from folks who’ve reported on the hackers’ trail.

    “So, who to believe? Some stars jumped the gun, relying on sketchy media reports suggesting that Apple was to blame”

    Well, pretty much all the evidence discovered so far indicates that given Kirsten Dunst has an iPhone and had personal info released, then Apple was indeed to blame. She wasn’t jumping the gun. She was correct.

    “Gorin shared a theory the celebrities may have been hacked while connected to an open public Wi-Fi network at the Emmy Awards.”

    Given the widely dispersed dates on the acquisition of the material, but following the hackers’ trail, this seems a genuinely idiotic “theory”.

    “One suggestion to the celebrities reading this article (there might be one or two): you have people who tell you what to say and what to wear; find someone to tell you how to keep your personal data secure. It’s not that complicated.”

    It’s certainly not complicated in theory. Simply don’t back up anything to iCloud. Unfortunately, there are multiple default settings on an iPhone that do back up to iCloud, and disabling all of them is somewhat complicated in practice.

    And given that celebrities are obviously not the only potential victims, not to mention that celebrities are among Apple customers, this all is a matter for Apple to solve, not their users.

    —–

    So, given that the stupid in this post still burns, the question here is Kirk: ignorant or shilling?

    Stipulating it’s the former, you might want to read a few actual security researchers, rather than PC World and dubious commercial ‘security’ companies. Quite a bit has already been uncovered that would make you rewrite almost everything in this post.

    • @Chucky

      Wow, the stupidity in your post is far worse than that of the original author.

      First, no one in the media is on the trail of the hacker. No one. Nada. No one has claimed responsibility.

      “This is ‘Apple lying’.”

      No, this is you refusing to believe anything from Apple because you’d never believe anything from Apple. Prove to me this is a lie! Yeah, you can’t, can you?

      “…then Apple was indeed to blame.”

      ORLY? How so? Because someone brute forced their way into her account Apple is to blame. These are celebrities we’re talking about, and Kirsten Dunce isn’t the sharpest tack. Any 14-year-old with an Internet connection could have hacked this dimwit’s account. She’s to blame for using simple passwords and publishing every bit of personal data (demographic and such) about her on the web. It’s easier to hack a dimwitted narcissist than an introverted nerd. Kirsten Dunce is the poster child for this.

      Apple doesn’t get a pass, but neither do the users. Percentage-wise, how many people were affected by this breach?

      And, of course, it’s very, very interesting that this breach announcement was timed so closely to Apple’s upcoming announcement. Why is that do you think?

  2. Is that you John Gruber? Or Apple PR? Or just a standard propaganda troll? Whichever, I do agree with you that you smell. And not in a good way.

    “First, no one in the media is on the trail of the hacker. No one. Nada.”

    Multiple highly reputable infosec folks reported on the hacker fora within 24 to 48 hours of the news breaking.

    And from this reporting, there was no singular “hacker”. There was a horde of hackers ‘busting iClouds’ for many months, and trading the booty among themselves, going back perhaps a year to at least the massive Norwegian break-in of teen girl accounts that Apple chose to entirely ignore.

    “Prove to me this is a lie! Yeah, you can’t, can you?”

    Which lie? That the bulk of the accounts were stolen by weak security questions rather than the Elcomsoft tool or lack of rate-limiting? Or the lie that using 2FA solved the problem? Cursory perusal of the reporting would show both of these to be clear lies.

    “Because someone brute forced their way into her account Apple is to blame. These are celebrities we’re talking about, and Kirsten Dunce isn’t the sharpest tack.”

    Well, given that Apple chose not to rate-limit password guesses, I’d say that Apple was indeed fully at fault.

    And you can slut-shame Kirsten Dunst all you want, but she seems pretty intelligent to me. More to the point, the best password and security questions in the world wouldn’t have protected her account.

    “And, of course, it’s very, very interesting that this breach announcement was timed so closely to Apple’s upcoming announcement. Why is that do you think?”

    Again, even casual perusal of the reporting would show you that the release was triggered by the public release of the iBrute tool 3 days before the public breach, which set off a frenzy among a few of the traders who feared they were about to be swamped by new folks able to reassemble their stash, and who wanted to (stupidly) try to monetize the stash before it became widely available.

    But there’s been no reporting of any of this, right? So I must just be stupid….

  3. From ElcomSoft in Feb 2013, which makes the tool used in much of the current iCloud breach, back after a similar iCloud breach a year and a half ago of lots of (non-famous) Norwegian teenage girls which Apple felt it didn’t have to address since it didn’t involve famous celebrities and the resultant press fallout. They offer ten pieces of advice. Here’s the first and last:

    1. Avoid using iCloud services to back up information from the phone. As ElcomSoft demonstrated multiple times, information stored in the iCloud is NOT secure, and is prone to eavesdropping and spying upon without the user even knowing.

    10. Finally, do not use iCloud.

    (Their bolding.)
