We’re all familiar with the recent hacking scandal that affected a range of celebrities, from A-listers to up-and-comers. Account break-ins happen constantly, but in this instance the hackers went after something far more damaging, and in its own way more lucrative, than credit card details and bank codes: private pictures and videos, many of them nude images.
Although the full extent of the scandal will probably never be known, the material that has surfaced has done enough reputational damage to many celebrities to last them a lifetime. Other potentially incriminating and financially valuable information will be traded on black markets on the deep web, and that impact may never be made public by the hackers, the celebrities, or their representatives.
A variety of hacking scenarios
While there are almost unlimited ways for hackers to gain access to personal data stored online, the methods most likely used in the celebrity hacking scandal were a simple script called iBrute, a commercial tool called Elcomsoft Phone Password Breaker (EPPB), some social engineering and phishing, and the list of the most popular passwords exposed in the 2009 breach of the social games site RockYou. Many of those passwords are still in common use today.
Scenario 1: In the case of Apple iCloud users, a vulnerability in Apple’s Find My iPhone API, which did not limit failed login attempts, let an attacker try password after password against an Apple ID until one matched. A very simple script posted on GitHub, called iBrute, automated this.
Scenario 2: Another weakness in Apple’s account recovery procedures, the area abused in the hacking of Mat Honan two years ago, is their laughable security questions, like “What was your first car?” or “Where were you born?” The answers to questions of that kind are frequently available online to any dedicated hacker. Hackers may have used this route to reset a victim’s password with information they phished, found on social media, or pulled from documents that are easily purchased online, such as credit reports.
Scenario 3: If a password reset failed, a hacker could try to guess the password directly: first with the list of common passwords from the 2009 RockYou breach (a dictionary attack), which finishes quickly when the victim’s password is a common one, and if that failed, by exhaustively trying every combination of characters (a brute force attack). The latter is sheer guesswork by a program until it gets lucky, and it is very time consuming; it is only feasible at all against an endpoint that neither locks the account nor slows down after repeated failures, which is exactly what the Find My iPhone bug provided.
Scenario 4: With the victim’s password, the hacker could download a complete restore of the targeted user’s iCloud backup (EPPB automates this): a much richer set of information than the user’s backed-up iCloud media alone, including contacts, text messages, app data and videos.
Scenario 5: A cascading flow of information could follow from the data gathered, including other celebrities’ email addresses and phone numbers, which become the phishing targets for the next round.
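The following is an added example, not code from the original article and not iBrute itself. It simulates the online guessing of scenarios 1 and 3 against a toy login endpoint: a dictionary pass over a constructed stand-in for the RockYou list, then an exhaustive search, run once against an endpoint with no lockout (the Find My iPhone behaviour) and once against one that locks after ten failures. The account names, passwords and wordlist entries are all hypothetical.

```python
"""Simulation of the online password guessing in scenarios 1 and 3.

Added example; not code from the original article and not iBrute itself.
AccountService is a toy stand-in for an authentication endpoint, and
COMMON_PASSWORDS is a constructed stand-in for the RockYou list.
"""
from itertools import product

# Constructed sample: a few entries of the kind found at the top of the
# RockYou list, standing in for the full multi-million-entry file.
COMMON_PASSWORDS = [
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "1234567", "rockyou", "12345678", "abc123",
]


class AccountService:
    """Toy login endpoint.

    max_attempts=None models an endpoint with no lockout (the behaviour
    iBrute relied on); an integer locks the account after that many
    consecutive failures.
    """

    def __init__(self, users, max_attempts=None):
        self._users = dict(users)          # username -> password (hypothetical accounts)
        self._max_attempts = max_attempts
        self._failures = {}

    def login(self, username, password):
        if (self._max_attempts is not None
                and self._failures.get(username, 0) >= self._max_attempts):
            return "locked"
        if self._users.get(username) == password:
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "fail"


def candidates(wordlist, alphabet, max_len):
    """Dictionary attack first, then exhaustive search over alphabet (scenario 3)."""
    seen = set()
    for word in wordlist:
        if word not in seen:
            seen.add(word)
            yield word
    for length in range(1, max_len + 1):
        for chars in product(alphabet, repeat=length):
            guess = "".join(chars)
            if guess not in seen:
                yield guess


def attack(service, username, wordlist, alphabet="0123456789", max_len=4, budget=20000):
    """Guess until success, lockout, or budget exhaustion.

    Returns (password_or_None, attempts_made, outcome).
    """
    attempts = 0
    for guess in candidates(wordlist, alphabet, max_len):
        if attempts >= budget:
            return None, attempts, "budget"
        attempts += 1
        result = service.login(username, guess)
        if result == "ok":
            return guess, attempts, "cracked"
        if result == "locked":
            return None, attempts, "locked"
    return None, attempts, "exhausted"


def compare():
    """Same attacker, three hypothetical victims/endpoints."""
    cases = {
        # weak PIN-like password, endpoint with no lockout: brute force wins
        "no_lockout": ("2014", None),
        # same password, lockout after 10 failures: attacker is stopped early
        "lockout_10": ("2014", 10),
        # password near the top of the wordlist: a lockout does not help
        "dictionary_hit": ("iloveyou", 10),
    }
    results = {}
    for label, (password, lockout) in cases.items():
        svc = AccountService({"victim@example.com": password}, max_attempts=lockout)
        results[label] = attack(svc, "victim@example.com", COMMON_PASSWORDS)
    return results


if __name__ == "__main__":
    for label, outcome in compare().items():
        print(f"{label:15} -> {outcome}")
```

The three cases make the point of scenarios 1 and 3 together: without a lockout the attacker simply keeps going until the four-digit space is exhausted; with a lockout the same attacker is cut off after ten guesses; and when the password is one of the first few entries in the wordlist, the lockout never triggers at all, which is why the RockYou list is valuable even against a rate-limited endpoint.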
Unsecured and rogue Wi-Fi hotspots
Another way to get at users’ data is through unsecured and rogue Wi-Fi hotspots. Most public venues such as malls, restaurants, airports and bars offer free Wi-Fi as a service to their patrons, and most do not take security seriously, leaving the networks wide open for hackers to exploit users.
Many Wi-Fi hotspots require no password at all, and data traveling between a device and the router can be read by anyone else connected to the same network. Even on networks secured with a WPA pre-shared key, anyone who knows the passphrase and captures a client’s initial handshake can derive that client’s session key, snoop its packets, and recover passwords and data sent from the device, unless the application itself encrypts the connection (for example with HTTPS).
Even networks using enterprise (802.1X) encryption can be attacked with a man-in-the-middle trap: a rogue access point with the same name as the network the attacker hopes users will connect to. The trap works because client devices that are configured to join the SSID without validating the authentication server’s certificate will hand their login credentials to the attacker’s access point, and once a user is connected, the attacker sees any information sent over it, which may include login details for any online services the victim accesses. Rogue access points set up by corporate employees or university students are a related breach of policy: an unsanctioned access point plugged into the internal network gives hackers a back door into it and easy access to users’ data.
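An added example, not from the original article, of the check a network team can run against the rogue access point problem described above: given a scan of the beacons in range and an inventory of sanctioned access points, flag any unknown radio that is broadcasting one of the organisation’s own SSIDs (an “evil twin”). The inventory and the scan results are constructed for the example; a real run would feed it the output of a site survey tool.

```python
"""Evil-twin detection over a Wi-Fi scan (added example; not from the article).

Input is a constructed list of beacons as a site survey tool would report
them: SSID, BSSID, channel, security type. The inventory of sanctioned
access points is hypothetical.
"""

# Hypothetical inventory of sanctioned APs: BSSID -> (SSID, security type).
INVENTORY = {
    "00:11:22:aa:bb:01": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:aa:bb:02": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:aa:bb:10": ("CorpGuest", "open"),
}

# Constructed scan results (not a real capture).
SCAN = [
    {"ssid": "CorpNet", "bssid": "00:11:22:AA:BB:01", "channel": 36, "security": "WPA2-Enterprise"},
    {"ssid": "CorpNet", "bssid": "00:11:22:AA:BB:02", "channel": 44, "security": "WPA2-Enterprise"},
    {"ssid": "CorpGuest", "bssid": "00:11:22:AA:BB:10", "channel": 1, "security": "open"},
    # same name as the corporate network, unknown radio, no encryption at all
    {"ssid": "CorpNet", "bssid": "DE:AD:BE:EF:00:01", "channel": 6, "security": "open"},
    # same name and same security type, but an unknown radio (attacker's own RADIUS)
    {"ssid": "CorpNet", "bssid": "DE:AD:BE:EF:00:02", "channel": 11, "security": "WPA2-Enterprise"},
    # a neighbour's hotspot: not ours, not flagged
    {"ssid": "CoffeeShop_Free", "bssid": "C0:FF:EE:00:00:01", "channel": 6, "security": "open"},
]


def find_evil_twins(scan, inventory):
    """Flag every beacon that advertises a sanctioned SSID from a BSSID
    that is not in the inventory.

    A security downgrade (an open AP impersonating a WPA2-Enterprise SSID)
    is rated high, since a client that auto-joins it sends traffic in the
    clear; a twin with matching security is rated medium, since it still
    captures credentials from clients that do not validate the
    authentication server's certificate.
    """
    inventory = {bssid.lower(): v for bssid, v in inventory.items()}
    expected_security = {}
    for ssid, security in inventory.values():
        expected_security.setdefault(ssid, security)

    findings = []
    for ap in scan:
        bssid = ap["bssid"].lower()
        if bssid in inventory:
            continue  # sanctioned radio
        expected = expected_security.get(ap["ssid"])
        if expected is None:
            continue  # not one of our SSIDs; someone else's network
        if ap["security"] != expected:
            severity = "high"
            reason = f"security downgrade: {ap['security']} (expected {expected})"
        else:
            severity = "medium"
            reason = "unknown BSSID broadcasting a sanctioned SSID"
        findings.append({"bssid": bssid, "ssid": ap["ssid"], "channel": ap["channel"],
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_evil_twins(SCAN, INVENTORY):
        print(f"[{f['severity']}] {f['ssid']} from {f['bssid']} ch{f['channel']}: {f['reason']}")
```

The check deliberately ignores unknown SSIDs: a coffee shop next door is not a rogue, while an unknown radio carrying your corporate SSID always is. The matching-security case is kept at medium rather than dropped, because an attacker who stands up an 802.1X network with the same name only needs one client that skips certificate validation.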
Arrow in the Apple
Apple users seem to have been the primary targets of the hacking so far, and a representative from Apple said in a statement on the company’s website that, “After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.”
We can only take Apple’s word for it, but they say the hacked iCloud accounts were not compromised through a security vulnerability in their system, which seems rather unlikely given the above. They also make the sweeping statement that this type of practice “has become all too common on the Internet,” and neglect to mention that their security practices are well behind those of many other organizations. Apple does not run a rewards or bounty program for people who report vulnerabilities in its systems, and takes the approach of “it’s not our fault that your password got hacked.” And only 40 hours of investigation? That’s all they could spare?
This may be their way of avoiding the topic of the Find My iPhone API bug, which allowed unlimited password guesses and therefore made a brute force attack on users’ passwords practical.
Security researcher Andreas Lindh said, “I think Apple is lagging way behind on security in general… Apple has invested a lot of efforts in making iOS secure, but all the things around it (like iCloud) are nowhere near that standard.”
Slowly closing the gap
The bug in the Find My iPhone API was reportedly closed in early September 2014, after its public disclosure at a Defcon Russia event in late August, but the hacking, or at least the release of previously hacked celebrity pictures, continued. This supports the theory that the pictures were not all taken recently, but were collected over a significant period of time and traded in private until someone decided to release them publicly.
Wired received a message from a “ripper” on Anon-IB, an anonymous image-sharing site, in which he detailed his methods:
“Dunno about others but I am too lazy to look for accounts to hack. This way I just provide a service to someone that wants the data off the iCloud. For all I know they own the iCloud. I am not hacking anything. I simply copy data from the iCloud using the username and password that I am given. Software from elcomsoft does this.”
Further ramifications of hacking celebrities
Many online conversations ask why the hackers have not released further personal details from their victims’ phones, and some speculate that the hackers themselves did not release the pictures, but that a third party who purchased them did the leaking.
Either way, the media-hyped celebrity hacking serves as a firm reminder of the importance of online security, especially if you store sensitive information in the cloud. Two-factor authentication is highly recommended, and a strong, unique passphrase for every online account, managed by a password manager such as KeePass or 1Password, is essential. Since the answers to security questions can so often be found online, treat them as additional passwords rather than truthful answers.
Find John on Google+