We all know that sex sells, but the media circus following the release on Sunday of hundreds of explicit photographs of almost a hundred (mainly female) A-list celebrities such as Jennifer Lawrence, Avril Lavigne, Kim Kardashian, Rihanna, Kirsten Dunst, Aubrey Plaza and Winona Ryder, was truly something to behold. Tawdry stuff indeed.
Dubbed The Fappening (we still have no idea why), within hours of the photos being released the Fappening subreddit had over 40,000 readers (many of whom made extremely crude comments), newspapers went into shock-horror mode (while at the same time spamming the headlines with lascivious details), and #TheFappening continues to trend on Twitter at the time of writing.
So what happened?
As the over-hyped furor begins to die down, more serious questions are being asked about how the hackers (who first released the images on 4Chan) obtained the photos.
The finger of blame initially pointed to Apple’s iCloud service, where it is believed many of the photos were stored, and particularly to the iCloud Photo Stream feature, which auto-uploads snaps taken on iPhones and iPads to the users’ iCloud accounts.
Attention soon shifted towards the affected celebrities’ (presumed) failure to use strong passwords for their accounts, and their failure to turn on two-factor authentication. Both are excellent general security practices, but turning on Apple’s two-step verification would only have provided partial protection in this instance: at the time it guarded Apple ID account changes and purchases, not access to iCloud data such as backups and Photo Stream, so a correctly guessed password still opened the photos.
Apple is back in the spotlight again however, following investigations uncovering a large and sophisticated gang (or collective) of internet trolls who have over a number of years devoted considerable time and resources to ‘ripping’ iCloud accounts, using a combination of brute force attacks, social engineering, and intensive scrutiny of celebrities’ personal lives to exploit Apple’s password reset system.
At the time, this reset flow let anyone change an Apple ID password given only three things: the account holder’s date of birth, their email address, and correct answers to two out of three security questions, chosen from a pool of 21 questions. Examples include,
- What was the first car you owned?
- What is the name of your favorite sports team?
- Where was your least favorite job?
- What was the first name of your first boss? and
- What is the name of the first beach you visited?
While questions such as these may provide sufficient protection for many ‘ordinary’ users, celebrities often have a great deal of personal information available in the public sphere, a fact that was likely heavily exploited by the hackers.
In addition to this, it is thought the hackers used various forms of social engineering to discover further details about the celebrities. These include making bogus phone calls, phishing attacks, and perhaps even obtaining positions of trust, such as being employed as personal secretaries and bodyguards to the celebrities.
It should be noted that two-step verification, if turned on, does block this exploitation of the Apple ID reset process: with it enabled, a reset requires a code sent to a trusted device (or the account’s Recovery Key) rather than answers to security questions. Apple responded to criticisms with the following statement,
“CUPERTINO, Calif.–(BUSINESS WIRE)–We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.”
Apple has, however, come under additional criticism following news that the hackers may also have used a simple Python script posted on GitHub to ‘brute force’ targets’ passwords. This could have worked because, at the time, the login endpoint the script targeted set no limit on the number of wrong password guesses permitted, so an attacker could run a list of common passwords against an account until one succeeded. As Christopher Soghoian of the American Civil Liberties Union notes,
“If the celebs’ iCloud account passwords were brute forced, the problem seems to be lack of rate limiting by Apple, not lack of crypto.”
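The two weaknesses discussed above, a password reset gated only on date of birth plus security-question answers, and a login endpoint that never pushes back on wrong guesses, can be modelled in a few lines. The following is an added example written for this page; it is not Apple’s code and not the GitHub script. The `AccountService` class, the `celeb` account, its profile and the wordlist are all constructed for illustration. It shows a dictionary attack succeeding against an unlimited login and being stopped by a sliding-window failure budget, and a reset that succeeds on publicly knowable answers until a second factor is required.

```python
# Added example (not Apple's code): unlimited online guessing vs. a failure budget,
# and a knowledge-based reset with and without a second factor. All names constructed.
import hashlib
import hmac
import os
import time
from collections import defaultdict


class RateLimited(Exception):
    """Raised when an account has exhausted its failed-attempt budget."""


class AccountService:
    """Hypothetical account store: salted PBKDF2 hashes for the password and the
    security-question answers, a per-account sliding-window failure budget, and an
    optional second factor on the reset flow."""

    def __init__(self, max_failures=None, window=300,
                 reset_needs_second_factor=False, clock=time.monotonic):
        self.max_failures = max_failures      # None = unlimited guesses (the weak setting)
        self.window = window                  # seconds over which failures are counted
        self.reset_needs_second_factor = reset_needs_second_factor
        self.clock = clock                    # injectable so a test can move time forward
        self.users = {}
        self.failures = defaultdict(list)     # user -> timestamps of recent failures

    @staticmethod
    def _hash(secret, salt):
        # Iteration count kept low for the toy; use far more in production.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 1000)

    @staticmethod
    def _norm(answer):
        return answer.strip().lower()         # "Mustang" and " mustang " are the same answer

    def register(self, user, password, dob, answers, second_factor_code=None):
        salt = os.urandom(16)
        self.users[user] = {
            "salt": salt,
            "pw": self._hash(password, salt),
            "dob": dob,
            "answers": {q: self._hash(self._norm(a), salt) for q, a in answers.items()},
            "second_factor": second_factor_code,
        }

    def _check_budget(self, user):
        now = self.clock()
        self.failures[user] = [t for t in self.failures[user] if now - t < self.window]
        if self.max_failures is not None and len(self.failures[user]) >= self.max_failures:
            raise RateLimited(f"{user}: {self.max_failures} failures within {self.window}s")

    def login(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        self._check_budget(user)              # the check the brute-forced endpoint lacked
        if hmac.compare_digest(rec["pw"], self._hash(password, rec["salt"])):
            self.failures[user].clear()
            return True
        self.failures[user].append(self.clock())
        return False

    def reset_password(self, user, dob, answers, new_password, second_factor_code=None):
        """Reset on date of birth plus any two correct answers, as in the flow described
        above; with reset_needs_second_factor the knowledge check alone is not enough."""
        rec = self.users.get(user)
        if rec is None:
            return False
        self._check_budget(user)
        correct = sum(
            1 for q, a in answers.items()
            if q in rec["answers"]
            and hmac.compare_digest(rec["answers"][q], self._hash(self._norm(a), rec["salt"]))
        )
        ok = dob == rec["dob"] and correct >= 2
        if self.reset_needs_second_factor:
            expected = rec["second_factor"] or ""
            has_code = second_factor_code is not None and hmac.compare_digest(second_factor_code, expected)
            ok = ok and has_code
        if not ok:
            self.failures[user].append(self.clock())
            return False
        rec["pw"] = self._hash(new_password, rec["salt"])
        return True


# Constructed wordlist standing in for the common-password list a guessing script would use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "monkey", "dragon",
            "baseball", "football", "princess", "sunshine", "welcome", "abc123", "trustno1",
            "shadow", "master", "hunter2", "superman", "batman"]


def dictionary_attack(service, user, wordlist):
    """Online guessing: try each candidate until one logs in or the service pushes back.
    Returns (password_or_None, requests_sent)."""
    for sent, guess in enumerate(wordlist, 1):
        try:
            if service.login(user, guess):
                return guess, sent
        except RateLimited:
            return None, sent
    return None, len(wordlist)


if __name__ == "__main__":
    profile = {"car": "Mustang", "team": "Lakers", "beach": "Malibu"}  # constructed "public" facts
    weak = AccountService(max_failures=None)
    weak.register("celeb", "hunter2", "1990-08-15", profile)
    print("no rate limit:", dictionary_attack(weak, "celeb", WORDLIST))
    hardened = AccountService(max_failures=10)
    hardened.register("celeb", "hunter2", "1990-08-15", profile)
    print("rate limited :", dictionary_attack(hardened, "celeb", WORDLIST))
    print("reset from public info:",
          weak.reset_password("celeb", "1990-08-15", {"car": "mustang", "team": "Lakers"}, "pwned"))
```

The per-account budget stops the wordlist after the tenth wrong guess, which is the control Soghoian is pointing at; note that it also locks out the legitimate owner until the window passes, which is why real deployments combine it with per-source limits and exponential backoff rather than a hard lockout alone. The reset check shows why the security-question route is weak for anyone whose first car, favourite team and date of birth are a web search away: answers are compared case-insensitively after trimming, exactly the kind of loose matching that makes guessing from public information easy.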
Some commentators are now keen for Apple to be sued over the data breach, although similar suits have had little success in the past, despite Apple users suffering a history of successful hacking attempts (including having iPhones hacked by the NSA).
David Vladeck, former director of the FTC’s Bureau of Consumer Protection and a professor of law at Georgetown University, however, thinks that as other tech companies have improved their security (e.g. Google), regulators and courts are increasingly likely to side with the consumer in such cases. When it comes to two-factor authentication, for example, professor of information security law at Indiana University, Fred Cate, argues that,
“Apple’s argument will be: ‘We’re not responsible. Somebody else got the credentials.’ But it’s Apple that decides what the credentials can be.”
Users wishing to protect themselves against similar data breaches should use strong, unique passwords for all their important accounts, and turn on two-factor authentication. Instructions on doing this for iCloud are available here, although remember that this provides only partial protection (it blocks the security-question reset route, but a password that is guessed outright still works). Protecting yourself against social engineering is a much more difficult thing to do, but Lifehacker has published some tips which may help.
Although it seems iCloud Photo Stream has been de-implicated in this case, it remains a potential security weak point (as do other similar services such as Dropbox photo auto-upload): anything auto-uploaded is only as safe as the account credentials, so turning this feature off, or at least reviewing what is being uploaded, limits what an account compromise exposes.
Hopefully the storm of publicity this story has attracted will encourage Apple (and other cloud providers) to review and tighten up their security procedures, ensuring that a similar incident will not happen again…