Apple iCloud Hacked, Celebrity Nudes Leaked. But How?
Jennifer Lawrence. Kirsten Dunst. Kate Upton. Hope Solo. Victoria Justice. The biggest celebrity nude photo hack in history went down over the weekend, with hackers on online forums claiming that they had over 60 photos of Lawrence alone, along with nude photos of over 100 actresses.
How? The hack appears connected to Apple's iCloud. While there was some speculation that it was the result of "brute force" password cracking via a now-patched hole in Apple's "Find My iPhone" feature, Apple instead pointed to lucky guesses by determined hackers.
Find My iPhone Brute Force Hack
Shortly after the celebrity photo leaks became public, The Next Web highlighted a Python script (a basic program) available online that reportedly allowed users to use brute force tactics to break into iCloud accounts using Apple's "Find My iPhone" feature.
The hack was relatively simple: The program tries to log in to a user's account with a list of the 500 most common passwords. Many other brute force attacks will then try every conceivable combination of letters, numbers, and special characters, though this tool doesn't seem to have gone that far.
Most online services will automatically lock down a user's account after a few failed login attempts, but Apple's "Find My iPhone" feature didn't -- at least until Monday morning.
However, according to a statement released by Apple on Monday evening, brute force was not to blame here. While Apple did patch the Find My iPhone bug, the company points to social engineering as the culprit.
Social Engineering
The other most common tactic for breaking into accounts is to exploit the human element. With a few biographical details, a savvy individual may be able to either guess the answers to security questions to access an account or failing that, convince a telephone support representative that he or she is the account holder.
While a social engineering hack seemed unlikely with such a long list of high-profile victims, Apple said that this was exactly what happened here -- really good guesses.
"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet," the company's statement reads. "None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud® or Find my iPhone."
"To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232."
Protect Yourself
To protect against a brute force exploit, you can reduce the chance of becoming a victim by using a stronger password. The exploit mentioned above used the RockYou hacked password list -- avoiding common passwords that appear on these hacked lists is a great place to start.
You'll also want to avoid words that appear in the dictionary -- more exhaustive tools will go through the entire dictionary until something works.
Finally, check out our password myths and tips, which we passed along after there was a massive WordPress brute force hack.
However, for social engineering hacks, the culprit is likely to be someone who knows intimate details about your life -- a loved one, an ex, or someone who has dug through your trashcan. Apple makes a great point about two-factor authentication -- even if they crack your password, the use of a second factor (typically an app on a smartphone or a code sent via text message) is far more secure than a password protected by questions like, "What was the name of your first girlfriend?"
Join the discussion on Facebook at FindLaw for Legal Professionals.
September 2, 2014 Editor's Note: this post has been updated with additional information and a link to a statement from Apple, as it became available.
Related Resources:
- The Jargon-Free Basics of Wireless Network Security for Lawyers (FindLaw's Technologist Blog)
- Wait, Now USB Devices May Be Unsafe Too? (FindLaw's Technologist Blog)
- Warning: eJuror Email Scam Hits Federal Court Districts Nationwide (FindLaw's Technologist Blog)