September 2, 2014

By Martin MacDonald

#iCloudHack: Cloud Storage a More Likely Source

(NOTE: the article below goes for ANY remote file backup service, NOT just DropBox).

For the last couple of days the internet has been awash with stories of celebrities' phones being hacked en masse, and personal photos being distributed through 4chan and other such forums.

The current explanation doing the rounds in the press is that the Apple iCloud Photo Stream is the source of the security leak. Having discussed this with fellow internet marketer & security expert Dave Naylor, other possibilities piqued my interest, so I've done some preliminary research based on what's freely available.

There is plenty of evidence to suggest it was NOT an Apple hack.

Here are my reasons for doubting the current story:

Image EXIF data & Handset used

Some of the photos distributed have correct EXIF data for iPhones, however most don’t.

Yes, in many images you can see clearly that they were taken with iPhone variants. Equally, there are some where the photo was clearly taken with an Android device, and one or two with BlackBerrys (yep, really).

Image resolutions don't match the iPhone resolutions at any megapixel/quality level – there are a couple above the maximum possible resolution of an Apple device, 3,264×2,448.

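The EXIF and resolution checks described above, written out as an added example that is not part of the original post: a small pure-Python reader that pulls Make, Model and pixel dimensions from a JPEG's Exif APP1 segment and flags images whose tag claims an Apple handset but whose dimensions exceed the 3,264×2,448 ceiling quoted above. The tag numbers are the standard TIFF/Exif ones; the sample Exif blocks and the JPEG skeleton are constructed inside the script, and the resolution ceiling is taken from the post rather than from a device database.

```python
import struct

# Ceiling quoted in the post for an Apple handset in 2014 (long side, short side).
IPHONE_MAX_PIXELS = (3264, 2448)

# Standard TIFF/Exif tag numbers for the fields this check relies on.
TAG_IMAGE_WIDTH, TAG_IMAGE_LENGTH, TAG_MAKE, TAG_MODEL = 0x0100, 0x0101, 0x010F, 0x0110


def build_exif_app1(make, model, width, height, big_endian=False):
    """Build a minimal Exif APP1 payload: 'Exif\\0\\0' + TIFF header + one IFD.
    Constructed test data only; real camera files carry many more tags."""
    e = ">" if big_endian else "<"
    strings = {TAG_MAKE: make.encode("ascii") + b"\0", TAG_MODEL: model.encode("ascii") + b"\0"}
    entries = [(TAG_IMAGE_WIDTH, 4, 1, width), (TAG_IMAGE_LENGTH, 4, 1, height),
               (TAG_MAKE, 2, len(strings[TAG_MAKE]), None), (TAG_MODEL, 2, len(strings[TAG_MODEL]), None)]
    ifd_offset = 8
    data_offset = ifd_offset + 2 + 12 * len(entries) + 4      # first byte after the IFD
    out = bytearray((b"MM" if big_endian else b"II") + struct.pack(e + "HI", 42, ifd_offset))
    out += struct.pack(e + "H", len(entries))
    blobs = bytearray()
    for tag, typ, count, value in entries:
        if typ == 4:                                          # LONG: value fits in the entry
            out += struct.pack(e + "HHII", tag, typ, count, value)
        elif count <= 4:                                      # ASCII <= 4 bytes: stored inline
            out += struct.pack(e + "HHI", tag, typ, count) + strings[tag].ljust(4, b"\0")
        else:                                                 # ASCII > 4 bytes: offset to data
            out += struct.pack(e + "HHII", tag, typ, count, data_offset + len(blobs))
            blobs += strings[tag]
    out += struct.pack(e + "I", 0) + blobs                    # no next IFD, then string data
    return b"Exif\0\0" + bytes(out)


def wrap_in_jpeg(app1):
    """Constructed JPEG skeleton (SOI, APP1, EOI) with no image data; enough to test the walker."""
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def exif_from_jpeg(data):
    """Walk the JPEG marker segments and return the first Exif APP1 payload, or b''."""
    if data[:2] != b"\xff\xd8":
        return b""
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return b""
        marker = data[pos + 1]
        if marker == 0xD9 or 0xD0 <= marker <= 0xD7:          # standalone markers, no length
            pos += 2
            continue
        (seg_len,) = struct.unpack_from(">H", data, pos + 2)
        body = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            return body
        if marker == 0xDA:                                    # start of scan: headers are over
            return b""
        pos += 2 + seg_len
    return b""


def parse_exif_app1(payload):
    """Extract make, model, width and height from an Exif APP1 payload.
    Returns {} when there is no Exif block or it is malformed (most leaked files, per the post)."""
    if not payload.startswith(b"Exif\0\0") or len(payload) < 14:
        return {}
    tiff = payload[6:]
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None:
        return {}
    magic, ifd_offset = struct.unpack_from(e + "HI", tiff, 2)
    if magic != 42 or ifd_offset + 2 > len(tiff):
        return {}
    (count,) = struct.unpack_from(e + "H", tiff, ifd_offset)
    found = {}
    for i in range(count):
        off = ifd_offset + 2 + 12 * i
        if off + 12 > len(tiff):
            break
        tag, typ, n, val = struct.unpack_from(e + "HHII", tiff, off)
        if tag in (TAG_IMAGE_WIDTH, TAG_IMAGE_LENGTH) and n == 1 and typ in (3, 4):
            found[tag] = val if typ == 4 else struct.unpack_from(e + "H", tiff, off + 8)[0]
        elif tag in (TAG_MAKE, TAG_MODEL) and typ == 2:
            if n <= 4:
                raw = struct.pack(e + "I", val)[:n]           # inline bytes, re-serialised as stored
            elif val + n <= len(tiff):
                raw = tiff[val:val + n]
            else:
                continue
            found[tag] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"make": found.get(TAG_MAKE), "model": found.get(TAG_MODEL),
            "width": found.get(TAG_IMAGE_WIDTH), "height": found.get(TAG_IMAGE_LENGTH)}


def classify(info):
    """'no-exif', 'non-apple', 'apple', or 'apple-tag-but-oversized' (tag says Apple, pixels say otherwise)."""
    make = (info.get("make") or "").strip().lower()
    if not make:
        return "no-exif"
    if make != "apple":
        return "non-apple"
    w, h = info.get("width"), info.get("height")
    if w is not None and h is not None:
        if max(w, h) > IPHONE_MAX_PIXELS[0] or min(w, h) > IPHONE_MAX_PIXELS[1]:
            return "apple-tag-but-oversized"
    return "apple"
```

Treat the verdict as triage rather than proof: Make and Model are self-reported strings that any metadata editor can rewrite, and images that have passed through messaging apps are usually re-encoded with the Exif stripped, so a missing or inconsistent tag says little on its own. The resolution test is the sturdier of the two, since it works on the pixel dimensions rather than on what the file claims about itself.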
Composition & Filetype

Some of the images are screenshots, clearly not of an Apple device.

Some of the media types simply would not be on the Photo Stream, for instance screengrabs of Skype chats.

Victim selection

Sure, there are lots of celebrities that have been affected by this breach – but it's a strange list if your intent is anything other than trolling.

If your ultimate goal was extortion of any type, I'm guessing there are a lot more A-list celebs with iPhones who would have been better targets.

It also feels like a lot of these victims, demographically, would be inclined to be au fait with technology and therefore would be a good fit for a secondary backup service like Dropbox.

A More Likely Scenario:

Syncing your Photostream with Cloud Storage

One of the key uses for DropBox and its competitors is syncing your phone data, including the images from your camera roll (iOS).

Many people will have elected to do this (myself included), and while it serves a valuable purpose, it also adds another security point of failure.

There have been many, many, many, many (I could go on, but won't) examples of lax security from DropBox AND its competitors in the online cloud storage vertical.

While a vulnerability in the iCloud brute-force attack defences was revealed in the last couple of days, the file storage companies have had this issue for many years.

To brute-force, or otherwise compromise, a file storage account, you'd only need the victim's email address. I'm guessing these wouldn't be too tough to get hold of, possibly easier than brute-forcing their Apple accounts.
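As an added defensive example, not part of the original post and not any vendor's code, here is the kind of login throttle whose absence the two paragraphs above are describing: a sliding-window failure counter keyed both by account and by source address, so that neither guessing one account repeatedly nor spraying one guess across many accounts from one address gets very far. The account names, the address and the guess list are constructed, and the `FakeClock` exists only to make the demonstration deterministic.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure throttle keyed by account AND by source address.

    Once `max_failures` failed attempts have landed on an account, or come from a
    source, inside `window_seconds`, every further attempt is refused before the
    password is even checked, and each refused attempt keeps the window open, so
    hammering the endpoint only prolongs the lock.
    """

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock                          # injectable for deterministic tests
        # Each deque holds only the timestamps of the last `max_failures` failures,
        # so memory stays bounded however hard a source hammers the endpoint.
        self._by_account = defaultdict(lambda: deque(maxlen=max_failures))
        self._by_source = defaultdict(lambda: deque(maxlen=max_failures))

    def _locked(self, failures, now):
        # Locked when the oldest of the last N failures is still inside the window.
        return len(failures) == self.max_failures and now - failures[0] <= self.window

    def attempt(self, account, source, password_ok):
        """Return 'ok', 'failed' or 'locked'. `password_ok` stands in for the real
        credential check, which a locked attempt must never reach."""
        now = self.clock()
        acct, src = self._by_account[account], self._by_source[source]
        if self._locked(acct, now) or self._locked(src, now):
            acct.append(now)                        # refused attempts count as failures too
            src.append(now)
            return "locked"
        if password_ok:
            acct.clear()                            # a genuine login resets the account counter
            return "ok"                             # (the source counter deliberately persists)
        acct.append(now)
        src.append(now)
        return "failed"


def simulate_guessing(throttle, account, source, guesses, correct_password):
    """Run a list of guesses through the throttle and return the verdict for each."""
    return [throttle.attempt(account, source, g == correct_password) for g in guesses]


class FakeClock:
    """Constructed clock so the demonstration does not depend on wall time."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=3, window_seconds=60, clock=clock)
    # Constructed guess list: the fourth guess is right, but the lock lands first.
    print(simulate_guessing(throttle, "alice", "203.0.113.9", ["a", "b", "c", "hunter2"], "hunter2"))
    # The same source is blocked from moving on to a second account as well.
    print(throttle.attempt("bob", "203.0.113.9", True))
    clock.advance(61)                               # once the window lapses, a real login gets through
    print(throttle.attempt("alice", "203.0.113.9", True))
```

Two design points worth noting. The lock is evaluated before the credential check, so a locked request never costs a password-hash computation and never reveals whether the guess was right. And a hard per-account lock is itself a denial-of-service lever, since anyone who knows an email address can trip it, which is why production systems pair it with the per-source limit shown here and with progressive delays or a CAPTCHA rather than relying on the account lock alone.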

So was it DropBox?

To be clear – it's absolutely not possible for me to say. It's not possible for anybody to say, without clear access and usage logs from wherever this media came from, unless you're the opportunistic hacker (/scriptkiddie) that perpetrated this hack.

What I can say, though, is that there does appear to be a weight of evidence that this was NOT an Apple-specific issue. To suppose it was any one file storage service above another is nothing but conjecture; I'm merely citing DropBox as the leaders in the field.

Would I use DropBox?

ABSOLUTELY! Yes, I currently am a happy DropBox user. It has had proven security issues in the past, but then I have nothing highly confidential stored on the service.

I have my camera phone syncing with their service, and if it gets compromised then someone will end up with a lot of photos of family events, sunsets & expense receipts.

But then I don't lead a busy celebrity lifestyle.

CREDITS FOR THIS POST:

Dave Naylor for the inspiration to research the non-apple potential, & anonymous parties for sharing the EXIF dumps and pointing out non-apple devices.