This afternoon, Apple confirmed that the stolen and leaked private photos of several celebrities were not the result of a breach in its iCloud or Find My iPhone services. Speculation swirled over just how the attackers accessed the accounts of Jennifer Lawrence, Jenny McCarthy, Rihanna, Kate Upton, Mary E Winstead, and others.
A trove of nude photos and video content stolen from the stars appeared on the 4chan site over the weekend. Questions about how the hackers got hold of the celebrities' accounts began to center on a possible flaw in Apple's iCloud and Find My iPhone after Apple reportedly issued an update that fixed a hole that would allow a brute-force password attack.
In a statement issued today, Apple said:
When we learned of the theft, we were outraged and immediately mobilized Apple's engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
Apple recommends users create strong passwords and use two-factor authentication, which is an option for Apple ID accounts. Apple did not comment on the reported flaw nor did it respond to questions about it via a media inquiry.
One security expert says he tested whether Apple ID would lock him out after a certain number of failed attempts after hearing about the possible patch by Apple: it did. "After ten attempts, it locked me out," says Rik Ferguson, global vice president of security research at Trend Micro. He was unable to confirm whether Apple's authentication service had always done so, or whether this was due to a fix by Apple in the wake of the celebrity hacks.
Either way, brute-forcing would require knowing the email address of the target, he says.
It's not surprising that most consumers and celebrities don't opt for the second factor of authentication since it's not required, experts say. And weak passwords most likely played a major role in the attack, they say.
"This breach could have been prevented if iCloud required users to use a two-factor authentication to access their accounts. This will require users to enter a numerical code that is sent to their phone or another device, in addition to using their regular password," says Vijay Basani, CEO of EiQ Networks. "Since numerical code always changes, it makes it difficult for the hackers to gain access [and breach the account], even if they can guess the password."
The plot thickened over the weekend when a brute-force password hacking tool for Find My iPhone was posted on GitHub. The creators of the iBrute proof-of-concept tool -- which came out of a presentation by researchers at Chaos Constructions, a hacker conference in Russia -- said the tool, which used Find My iPhone's service API (an API that didn't include brute-force protection), was not the culprit behind the celebrity breaches. They also posted yesterday that Apple had patched that flaw in Find My iPhone.
"The end of fun, Apple have just patched," they wrote on their GitHub page.
They also later denied that their tool was behind the breach: "In justification I can only mention, that we only described the way HOW to hack AppleID. Stealing private 'hot' data is outside of our scope of interests. We discuss such methods of hacks in our's narrow range, just to identify all the ways how privacy can by [sic] abused," the researchers blogged.
Some security experts are also skeptical that the brute-force hacking came via the Russian researchers' iBrute tool.
But that doesn't mean no one tried the tool, of course. "From the comments on GitHub, it looked like people had been successful using [iBrute] to a certain point," Trend Micro's Ferguson says.
Vinny Troia, CEO at Night Lion Security, examined the stolen celebrity files and found Dropbox files as well, which he says seems to indicate that reused passwords were part of the problem for some of the victims. "They had a lot of generic Dropbox files in the directory structure. It's very plausible these celebrities were specifically targeted, but if they weren't, it might be like the StubHub [breach] with someone going down the list [of stolen credentials] and saying, why not try Dropbox and see what I can find there?" Troia says.
Phil Lieberman, president and CEO of Lieberman Software, says the attack came in two waves, starting with obtaining the email addresses of the celebrity targets. "The second part of the attack was understanding that the iCloud service had a flaw that allowed an unlimited number of bad password attempts without lockout or alerting," he says, so the attackers were ultimately able to brute-force the passwords.
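The control Lieberman describes as missing, modelled as an added example that is not part of the original article or of any Apple code: a minimal login service with a per-account failed-attempt counter that locks the account and raises an alert, next to the same service with lockout disabled, plus a probe that counts how many wrong attempts the service accepts, the check Ferguson ran by hand. The ten-attempt threshold, the account, the password and the source address are assumptions.

```python
"""Account lockout and failed-login alerting as a minimal defensive model."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed threshold; the article reports a ten-attempt lockout observed on Apple ID.
MAX_FAILED_ATTEMPTS = 10


@dataclass
class AuthService:
    """Toy password check. Plaintext credential store is a constructed stand-in
    for a real hashed store; only the lockout logic is the point here."""
    credentials: dict
    lockout_enabled: bool = True
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def login(self, email: str, password: str, source_ip: str) -> str:
        # A locked account rejects every attempt, even the correct password,
        # until an out-of-band unlock happens.
        if email in self.locked:
            return "locked"
        if self.credentials.get(email) == password:
            self.failures[email] = 0
            return "ok"
        self.failures[email] += 1
        if self.lockout_enabled and self.failures[email] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(email)
            # The alert is what the flawed endpoint lacked: nobody was told.
            self.alerts.append(
                f"lockout {email} after {self.failures[email]} failures from {source_ip}"
            )
        return "denied"


def probe_lockout(service: AuthService, email: str, source_ip: str, max_tries: int = 100) -> int:
    """Send deliberately wrong passwords until the service reports 'locked'.
    Returns how many attempts were evaluated before the lock took effect, or
    max_tries if the service never locked (the behaviour described for the
    unpatched Find My iPhone API)."""
    for attempt in range(1, max_tries + 1):
        if service.login(email, f"wrong-{attempt}", source_ip) == "locked":
            return attempt - 1
    return max_tries


if __name__ == "__main__":
    svc = AuthService(credentials={"user@example.com": "correct horse battery"})
    print("attempts before lockout:", probe_lockout(svc, "user@example.com", "203.0.113.5"))
    print("alerts:", svc.alerts)
```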
He says Apple should have logs of the IP addresses of the attackers, and should be able to identify them.
"Crunching multiple login/password combinations on Apple's infrastructure, in a manner that goes unnoticed, even over time -- perhaps few people were involved in this over a few months -- would require either complexity of execution, a lot of luck or significant negligence on Apple's part, or a combination thereof," says Boris Gorin, head of security engineering at Firelayers.
The FBI reportedly told NBC News that it is investigating the breaches.