
Printed from http://www.macnn.com

Apple 'investigating' if leaked celebrity pics came from iCloud

updated 06:00 pm EDT, Mon September 1, 2014

Further evidence undermining claims pictures were stolen from Apple's servers

Even as Apple on Monday issued a terse statement saying only that "we take user privacy very seriously and are actively investigating this report," concerning the leak of compromising images from 101 celebrities, the 4chan poster who released the compromising images and video has now admitted that the pictures come from a variety of sources. In the meantime, Apple has patched a potential security flaw that could have allowed attackers to brute-force their way into obtaining weak iCloud passwords.

Some of the celebrities pictured shot their "selfies" using non-Apple smartphones, further diluting the claim that iCloud played much -- if any -- role in the leaks, reports AppleInsider. There is a long history of image leaks that were claimed to be the result of "hacks," but were later found to be the work of more conventional data-stealing techniques such as easily-guessable passwords or social-engineering trickware that revealed the credentials.

That the leaked images were all of female celebrities and from a small pool of said persons would further suggest that no mass-leak of individuals' private photos or other data has actually occurred, and that the new files are more likely the result of other methods targeted at a specific pool of celebrities. A number of the photos seem more likely to have been acquired from services that claim to delete sent images after a short period, but can often be captured anyway, such as Snapchat.

While Apple's iCloud service may or may not have any role in the capture of the private images, the publicity of the case has unearthed a possible vector of attack that Apple has since fixed. Prior to last night, it was possible for hackers to use "brute-force" guessing techniques to uncover the Apple ID and password of specific targets, particularly if said targets had "weak" passwords.

While some have speculated that this could have been a source for at least some of the images released, there is as of yet no evidence of the brute-force method having been successfully used. Apple should be able to determine if that technique was used through records of login attempts on the accounts of any of the celebrities, at least some of whom do use iPhones and iCloud.
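A sketch of the kind of check over login records that the paragraph above refers to, as an added example that is not from the article or from Apple. The log format, field order, thresholds and all sample records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <account> <source IP> <FAIL|OK>"
SAMPLE = (
    [f"2020-01-01T02:14:{s:02d} alice@example.com 203.0.113.7 FAIL" for s in range(6)]
    + ["2020-01-01T02:14:09 alice@example.com 203.0.113.7 OK"]
    + [f"2020-01-01T09:{m:02d}:00 bob@example.com 198.51.100.4 FAIL" for m in (1, 2)]
    + ["2020-01-01T09:03:00 bob@example.com 198.51.100.4 OK"]
    + [f"2020-01-01T03:00:{s:02d} carol@example.com 203.0.113.7 FAIL" for s in range(5)]
)

def find_guessing_runs(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag accounts with >= threshold failed logins inside `window`, and note
    the first later success from a source that took part in the failures."""
    by_account = defaultdict(list)
    for line in lines:
        ts, account, ip, outcome = line.split()
        by_account[account].append((datetime.fromisoformat(ts), ip, outcome))

    findings = []
    for account, events in by_account.items():
        events.sort()
        recent = deque()   # failures still inside the sliding window
        run = None         # set once the threshold is crossed
        for ts, ip, outcome in events:
            if outcome == "FAIL":
                recent.append((ts, ip))
                while ts - recent[0][0] > window:
                    recent.popleft()
                if run is None and len(recent) >= threshold:
                    run = {"account": account, "start": recent[0][0],
                           "sources": {src for _, src in recent},
                           "compromised_at": None}
                elif run is not None:
                    run["sources"].add(ip)
            elif (outcome == "OK" and run is not None
                  and run["compromised_at"] is None and ip in run["sources"]):
                # A success from a guessing source is the record that matters.
                run["compromised_at"] = ts
        if run is not None:
            findings.append(run)
    return findings

if __name__ == "__main__":
    for f in find_guessing_runs(SAMPLE):
        print(f["account"], sorted(f["sources"]), f["compromised_at"])
```

A couple of mistyped passwords followed by a success, as in the `bob@example.com` records, stays below the threshold and is not flagged.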

Further undermining the claims of iCloud involvement, however, is the fact that iCloud content is stored in an encrypted format, specifically to guard against unauthorized individuals obtaining access to Apple's servers. In addition, the company uses a minimum of 128-bit AES encryption for the data even while it is in transit, making the content encrypted from end-to-end.

Apple has also been requiring the use of "stronger" passwords with iCloud and iTunes accounts for some time. Though this does not entirely rule out the possibility that some of the victims of the attack still relied on "weak" passwords and thus had their accounts compromised, it does essentially eliminate the possibility of a hack of Apple's iCloud servers as a method to obtain the data.




by MacNN Staff


Comments

  1. pastusza

    Mac Enthusiast

    Joined: 11-01-99

    I'm going to guess that this is going to come down to weak passwords.

    Either way, I expect a lot of celebs to be buying Android phones when their contract is up.

  1. Charles Martin

    MacNN Editor

    Joined: 08-04-01

    Except that -- as the article states -- some of the leaked photos clearly come from Android users. As Android is the leading mobile platform for malware anymore (now that Symbian is dead), that would be THE LAST platform one should consider if one is in the habit of taking nude selfies.

  1. Mike Wuerthele

    Managing Editor

    Joined: 07-19-12

    There is current discussion online that these pics are the tip of the iceberg from a celeb pic ring in the "darknet", where the only way to get in is to provide a unique picture that nobody else has.

    This explains a great deal, but we'll see what's true this week, I expect.

  1. Inkling

    Mac Enthusiast

    Joined: 07-25-06

    Why the silly scare quote around "investigating" in the headline? Does 'MacNN' really 'think' Apple 'might' only be 'pretending' to be 'investigating' this 'matter.' Scare 'quotes' like 'that' one 'are' silly.

  1. Mike Wuerthele

    Managing Editor

    Joined: 07-19-12

    Not a scare quote - an actual quote.

    "Apple is investigating"

    Seriously. That's what we were told. Just as simple as that. Over-reacting to quotation marks is silly too! :D

  1. pairof9s

    Mac Enthusiast

    Joined: 01-03-08

    I'm more amazed how this all got associated with iCloud with little to no evidence of such. To say someone "hacked" a celebrity's smartphone could mean many possibilities...nothing short of watching them enter their password, for example. And some have already been identified as Android users!

    No, the conspiracy theorist in me chalks this up to Google, or better yet, Samsung tactics prior to a major event by Apple...an attempt to deflate what undoubtedly will be a highly successful launch of new Apple devices that can neither be matched in product or hype by anything Samsung has to offer.

  1. DiabloConQueso

    Fresh-Faced Recruit

    Joined: 06-11-08

    It sounds like Apple did have something of a security "issue" with regard to their iCloud service. Some reports say that Apple had little-to-no protections against brute-force attacks for some iCloud services, allowing a hacker to create a script that simply tries different passwords as quickly as the iCloud servers would respond without ever tarpitting (slowing down the requests) or banning (blocking the IP temporarily) due to X number of failed attempts.

    If true, that's kind of "Web Security 101" material -- there isn't (or shouldn't be) an IT professional in the world worth a hill of beans that would put an internet-facing server online without some kind of protection against brute-force attacks like this. Anyone responsible for this type of thing knows that when you bring a, say, new web server online and it has a public IP address, that the attacks from China and Russia and the world begin within hours -- lots of log entries about automated computers trying different SSH passwords, or looking for SQL servers or phpMyAdmin servers or what-not. It's fairly easy to protect against, and should be done by default to any server with a public internet IP address.

    If those reports aren't true, though, then this seems to simply be a case of people either having picked poor/weak passwords, or falling victim to social engineering hacks, like phishing -- neither of which Apple can do much about, other than require strong passwords ("password must contain an uppercase and lowercase letter, a number, a symbol, must be 10 digits in length, cannot be the same as any previous password, etc.") or implement more burdensome multi-factor authentication schemes.

  1. Mike Wuerthele

    Managing Editor

    Joined: 07-19-12

    There was an issue, and most venues were quick to jump on it as the überhack that caused the whole thing. We don't think it is, and we've said so. There are just too many other devices, things, etc in the pictures!

  1. DiabloConQueso

    Fresh-Faced Recruit

    Joined: 06-11-08

    Well, it is completely possible that the iCloud security issue described above allowed access to iCloud photos for some of the celebs who used Apple devices, while a different attack vector was used to get the photos from non-Apple devices, yes?

    In other words, there might be more than one "uberhack" out there -- one for each platform?

  1. Mike Wuerthele

    Managing Editor

    Joined: 07-19-12

    Sure, it's possible that the hack was used in the three days it was available to glean pics.

    It's just not the omnisolution. Weak passwords, lack of user knowledge, and social engineering seem way more likely to me. As with all this stuff, we'll all find out together.

  1. Grendelmon

    Mac Enthusiast

    Joined: 12-26-07

    Originally Posted by pastusza

    I'm going to guess that this is going to come down to weak passwords.

    Either way, I expect a lot of celebs to be buying Android phones when their contract is up.



    My understanding is that yes, it was most likely a weak password issue for the iCloud break-ins. The Python script utilized an iCloud API that does not lock the account after 5 failed attempts, so a brute force attack could be effective.

    Apple 'Actively Investigating' Possible Hacking of Celebrity iCloud Accounts - Mac Rumors
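The protections the comments above describe (tarpitting, temporary bans, and locking after 5 failed attempts), as an added example that is not part of the original thread and not Apple's implementation. The class name, the delay and ban values, and the choice to track both account and source IP are assumptions.

```python
import time

class LoginThrottle:
    """Tracks failed logins per account and per source IP (hypothetical helper)."""

    def __init__(self, max_failures=5, ban_seconds=900,
                 base_delay=0.5, max_delay=30.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.ban_seconds = ban_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._state = {}   # ("acct"|"ip", value) -> (failures, banned_until)

    def check(self, account, ip):
        """Call before verifying the password. Returns (allowed, seconds):
        when allowed, delay the response by `seconds` (the tarpit);
        when not allowed, `seconds` is the time left on the ban."""
        now = self.clock()
        wait = 0.0
        for key in (("acct", account), ("ip", ip)):
            failures, banned_until = self._state.get(key, (0, 0.0))
            if now < banned_until:
                return False, banned_until - now
            if failures:
                # Delay doubles with each consecutive failure, up to max_delay.
                delay = self.base_delay * 2 ** (failures - 1)
                wait = max(wait, min(self.max_delay, delay))
        return True, wait

    def record(self, account, ip, success):
        """Call after the password check with its outcome."""
        now = self.clock()
        if success:
            # Clear only the account counter: clearing the IP counter would let
            # a client reset its throttle by logging in to an account it owns.
            self._state.pop(("acct", account), None)
            return
        for key in (("acct", account), ("ip", ip)):
            failures, banned_until = self._state.get(key, (0, 0.0))
            failures += 1
            if failures >= self.max_failures:
                failures, banned_until = 0, now + self.ban_seconds
            self._state[key] = (failures, banned_until)
```

The same throttle has to sit in front of every endpoint that accepts the account password, since a limit applied to only some of them leaves the others open to unlimited guessing. A per-account lock also lets anyone lock a known account out, which is why the ban here is temporary.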

  1. Mike Wuerthele

    Managing Editor

    Joined: 07-19-12

    Or, you know, our article on this, since this is all on the home page.

    Python script attacking Find My iPhone may be behind celebrity leaks | Electronista
