Following the recent high-profile exposure of several celebrities’ personal photos on the 4chan bulletin board, Apple on Tuesday announced that the photos did not represent a widespread breach of iCloud.
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all to common on the Internet,” Apple said in a statement.
“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone,” the company added.
The Next Web had suggested that the hacker or hackers may have leveraged a Python script recently released on Github, which enabled an attacker to brute force a victim’s iCloud account password, leveraging a vulnerability in the Find My iPhone service that allowed account passwords to be guessed repeatedly without being locked out.
Later, The Next Web noted that Apple’s announcement did not specifically address the Find My iPhone vulnerability, allowing for the possibility that the hackers were able to guess the celebrities’ account passwords an unlimited number of times.
(eWeek’s Sean Michael Kerner notes that this isn’t the first time that hackers have leveraged Find My iPhone — in May 2014, an attacker held Australian iOS devices for ransom after apparently gaining control of their iCloud accounts.)
Still, it’s worth noting that there are countless ways the photos could have been exposed. Boris Gorin, head of security engineering at FireLayers, told PCWorld that the celebrities could also have been hacked while connected to an open Wi-Fi network at the Emmy Awards.
The Guardian reports that a hacker called “OriginalGuy,” who claimed reponsibility for the breach, stated on the AnonIB photo sharing site that the breach was “the result of several months of long and hard work” and that “several people were in on it.”
Independent security researcher Jonathan Zdziarski told the Guardian that a Bitcoin address used by OriginalGuy to seek donations belonged to the owner of a Dutch photo hosting site that’s offering an “original version” of the stolen celebrity photos.
In a blog post analyzing the breach, Zdziarski noted that, despite Apple’s advice that its users enable two-factor authentication in response to the breach, two-factor authentication would not have prevented the exposure of the photos, since it only kicks in for iCloud if a user attempts to make changes to an account or to purchase content.
“Apple might … consider better educating users about the risks involved in use of Photo Stream and iCloud backups, and avoid having them turned on by default and without notification,” Zdziarski added. “Victims may not have even been aware their content was ever sent to iCloud, or still remained in it.”
Chris Boyd, malware intelligence analyst at Malwarebytes Labs, said by email that the breach serves as a stark reminder of the risks of storing sensitive material in the cloud, particularly with the type of automated backup that Zdziarski describes.
“With today’s devices being very keen to push data to their own respective cloud services, people should be careful that sensitive media isn’t automatically uploaded to the Web, or other paired devices,” Boyd said.
Perspecsys CMO Gerry Grealish said by email that organizations should respond to this incident by placing greater emphasis on data control in the cloud. “Companies should use the strongest encryption techniques possible and maintain sole ownership of the keys that bring sensitive documents and information back into usable form,” he said. “Moreover, they should encrypt data throughout its ‘lifecycle’ — from transmitting [to] storing and processing data in the cloud.”
Still, a recent Bitglass study found that few companies are using single sign-on (SSO) to protect data in the cloud, noting that SSO gives IT control over password requirements, along with the ability to enable or disable employee access across all company applications in a single step.
And a recent Alert Logic report warned of significant increases in brute force attacks and vulnerability scans in the cloud. “Companies have traditionally spent time, money and man hours implementing in-depth security solutions within the corporate space, using multiple tools like antivirus, forensics, netflow collection, routers and firewalls,” Alert Logic director of threat research Stephen Coty said at the time. “Our data shows a need for the same kind of approach within the cloud.”