Here’s What We Know So Far About The Celebrity Photo Hack

UPDATE: Clearly this post was written very early on in this incident and information has since come to light which suggests Apple has majorly dropped the ball.

Original post:

As you will by now have probably read, around 100 women celebrities (including Jennifer Lawrence, Ariana Grande, Victoria Justice and Kate Upton) have had naked and explicit pictures seemingly hacked from their iCloud accounts and published online, first on 4Chan and now all over the place. As a reminder, iCloud automatically stores photos, email, contacts and other information online, allowing users to sync this data across different devices. Many of the photos have been confirmed as being genuine, most notably by Lawrence.

The anonymous hacker who originally posted the images first on 4Chan claimed they were taken from iCloud accounts. They demanded donations via PayPal and Bitcoin in exchange for posting them, but only received 0.2545 BTC in donations, which is verifiable at this address: 18pgUn3BBBdnQjKG8ZGedFvcoVcsv1knWa

While it’s highly unlikely to be a security issue with iCloud, the incident has served to remind us all of the issues around internet security in general.

So what do we know about the celebrity photo hacks?

THE MEDIA

The mainstream media is reporting the phones were “hacked”. As usually, this is rarely defined.

Lawrence has previously said she uses iCloud, once saying: “My iCloud keeps telling me to back it up, and I’m like, I don’t know how to back you up. Do it yourself.” Metadata in the images shows that the vast majority were taken using Apple devices.

THE ‘HACK’

There is a suggestion that iCloud has been “hacked”. There has been absolutely no confirmation of this from Apple.

It’s highly unlikely that the “hacker” (or it may have been a group of hackers) was not able to breach Apple’s security in general, but instead targeted specific victims using a combination of social engineering, cracking the password or using Apple’s “Forgot my password” route. They could also have used other less technical methods (it’s usually the non-tech method that turn out to be the culprit, btw).

GUESSING EMAIL ADDRESSES AND PASSWORDS

Jennifer Lawrence was once quoted in a Time article about her email address containing a key word. Not a wise move. Never give clues in the public domain. Once an email address is known, a hacker could email the target person purporting to be something else (Apple’s iTunes for instance). The target puts their email and password into the hacker’s fake page. Voila.

This phishing attack is emerging as a likely culprit.

Also, having the same password for multiple products (such as eBay and Amazon) means a hacker, if they can get one account right, could use the same password to access your email or iCloud.

Also, Apple’s “Forgot my password” system means that if you know the victim’s birthday and the answers to some security questions, you might gain access to their account. There is a LOT of information out there on celebrities, so coming up with ideas for passwords is entirely possible.

Once inside it’s not possible to see photos or videos which are automatically uploaded from your iPhone to iCloud but you can use software to download it all. Again, voila.

iCLOUD’S SAFETY MECHANISM

To gain access to Photostream, you would need to login with the iCloud user name on a new OSX or iOS machine. If you do that, iCloud sends you an e-mail that a new machine has logged in. You also get a notification on all the other machines using your iCloud account (iPhone, iPad, Mac) telling you a new machine is logged in. So, basically, when you get both mails and notifications, the normal reaction would be to realise you were being hacked and to change your password immediately. Since the notification is almost instant, changing the password very quickly would mean Photostream wouldn’t be able to sync to the Hacker’s machine fast enough for it to download 30 days of photos.

This is one of the main reasons why most experts don’t suspect this incident to be a hack of iCloud.

A PROPER HACK

Another method might be a ‘brute force attack’ on an iCloud account via an automated program. This is hard on iCloud, though theoretically possible.

The Next Web suggests that a Python script on Github (and shared on Hacker News) recently allowed malicious users to ‘brute force’ a target account’s password on Apple’s iCloud, thanks to a vulnerability in the Find my iPhone service. Apple appears to have already patched the hole, however.

There’s no official confirmation this is the culprit though.

WAS IT VIA ANOTHER SERVICE?

Since many of the images appear to have been taken with Android devices and webcams, the leaked images may not have originated from the iCloud photo backup service at all. Many services have automatic backup tools, and could be accessed in similar ways to iCloud (as above).

SNAPCHAT?

Some of the photos had text overlaid. Were they from Snapchat? Probably not. These are most likely screen shots on someone’s phone.

VIA Wi-Fi?

Were phones hacked via WiFi, perhaps at a celebrity event? This is also not known or confirmed.

AN INSIDER?

Personal assistants and bodyguards often have access to celebrity phones. It’s a possibility. Was this hack an employee with access to data somewhere? Again, there’s on confirmation of this (and no suggestion it happened).

A STOLEN DEVICE?

There is aways the physical theft of a phone or laptop of a celebrity or belonging to someone well-connected to celebrities.

SHOULD YOU BE WORRIED?

No. iCloud is almost certainly safe. This looks like targeted attacks on well-known and ‘high value’ celebrities using some of the above methods. UPDATE: Clearly this post was written very early on in this incident and information has since come to light which suggests Apple has majorly dropped the ball.

HOW TO BETTER PROTECT YOURSELF

The best way is to turn on two-step (or ‘two factor’) verification for your iCloud account (or any online account), meaning a hacker would also need physical access to your phone AND your phone’s password to get in, via a text message sent to your phone with a temporary PIN. All the other services, like Google, also have two-step authentication. Check out TwoFactorAuth.org

Make your security questions more complex (e.g. not your date of birth, your pet’s name etc). ‘qwerty’ or ‘123456’ are the dumbest passwords ever.

Still really, really, really worried? Then completely turn off iCloud photo syncing through Settings > iCloud. Or any similar automatic backup service. Then the photos will only ever be on your phone or the computer you back them up to. Then you have to worry about the phone or laptop being stolen and losing your photos…

BE CAREFUL OUT THERE

This is not the first time private celebrity images have been compromised. In 2011 many celebrities had images compromised by hacker Christopher Chaney who got into email accounts simply by guessing passwords. Chaney was caught and sentenced to 10 years in prison.

But guys like that are rarely caught. So use better security for your personal stuff.

And remember: Taking naked photos of yourself is not a crime and you have nothing to apologise for. It’s the hacker in all these kinds of cases that is the criminal.