Did iCloud's 'Find My iPhone' function help hackers steal celebrities' 'nude' photos? Flaw may have exposed hundreds of images


Following reports of more than 100 private celebrity photos being stolen and leaked online, experts have voiced their concern over how hackers managed to access the images.

The hackers claim they stole the photos from the iCloud accounts of the celebrities involved, who include Jennifer Lawrence, Kelly Brook and Rihanna.

Now reports suggest that a specific flaw in the 'Find My iPhone' service may have been to blame.

These images were reportedly stolen from iCloud accounts and include private images of Jennifer Lawrence and Kelly Brook. It is not clear how the hacker gained access to the images, although reports state a flaw was discovered in the Find my iPhone service that would have left it open to a 'brute force' attack

PHOTO LEAK: THE THEORIES

Find My iPhone flaw

Reports suggest a specific flaw in the 'Find My iPhone' service may have been to blame.

Code was spotted on software development site GitHub that would have allowed malicious users to use 'brute force' to gain an account's password on Apple iCloud, and in particular its Find My iPhone service.

Social engineering

The hackers may have also used 'social engineering' techniques to obtain Apple IDs and passwords based on other information.

This includes email address, a mother's maiden name, a date of birth, and more - all of which is easier to find out about celebrities than the everyday user.

If a celebrity uses the same password across accounts, this would then make it relatively easy for someone to hack if they had the right information.

Google Drive hack

In June, Google announced its Drive service had a flaw that meant private information was at risk from hackers.

Google patched the flaw in June, but the large number of victims in the 4chan leak also suggests that the hack may have begun months ago – at the time of this flaw.

Dropbox flaw

Similarly, in May, a flaw was found in Dropbox accounts that could have given unauthorised access to accounts.

The phone photos, reportedly obtained through the widely-used online service, were published on 4chan, the anonymous image-sharing forum.

A list of the alleged victims - 101 in total - posted by the hacker has also appeared.

Apple has not commented on the leak, but has previously stressed how important its customers' privacy is.

The firm's iCloud service secures data by encrypting it when it is sent over the web, storing it in an encrypted format when kept on the server, and using secure tokens for authentication.

This means that data is protected from hackers while it is being sent to devices and stored online.

This suggests the hackers were able to obtain the login credentials of the accounts, and pretend to be the user, in order to bypass this encryption.

Earlier today The Next Web spotted code on software development site GitHub that would have allowed malicious users to use 'brute force' to gain an account's password on Apple iCloud, and in particular its Find My iPhone service.

Brute force, also known as 'brute force cracking', is a trial-and-error method used to get plain-text passwords from encrypted data.

Just as a criminal might break into, or 'crack' a safe by trying many possible combinations, a brute-force cracking attempt goes through all possible combinations of characters in sequence.

In a six-letter attack, the hacker will start at 'a' and end at '//////' 

The flaw was spotted by The Next Web on GitHub (screengrab pictured). Brute force, also known as brute force cracking, is a trial-and-error method used to get plain-text passwords from encrypted data. It was live for two days before Apple patched the vulnerability

Actress Mary E Winstead confirmed photos on 4Chan were hers, but stressed that she had deleted them 'long ago.' But, when photos that have been uploaded to iCloud are deleted from a phone, they are not necessarily deleted from the online storage. They would also appear on the photo streams of any synced devices


The hackers may have also used 'social engineering' techniques to obtain Apple IDs and passwords based on other information they could find.

This includes email address, a mother's maiden name, a date of birth, and more - all of which is easier to find out about celebrities than the everyday user.

If a celebrity uses the same password across accounts, this would then make it relatively easy for someone to hack if they had the right information.

But, the sheer number of names on the list makes this unlikely – unless a large number of hackers were taking part, and a large number of celebrities had poor password management.

Rob Cotton, CEO at web security experts NCC Group, said: 'People often point the finger at technology when they've been the victim of a cyber attack, but poor password choices or naivety in the face of a seemingly innocent email is regularly to blame.'

Human error, in a variety of ways, said Mr Cotton, often plays a part.

'Last year NCC Group successfully compromised the iCloud account of a journalist as part of an authorised demonstration using a mixture of social engineering techniques and subterfuge - and the amount of information we were able to access was shocking,' he continued.

Separately, Wired reporter Mat Honan had his iCloud account breached and his devices wiped after hackers used a mixture of public information and social engineering when contacting Apple technical support, in order to gain access.

In May, iPhone and iPad users were being targeted by hackers who were remotely locking their devices and demanding ransom money in return. 

Ransomware attacks, in which criminals remotely gain access to a device and hold it hostage, aren't new, but they have traditionally targeted laptops and PCs.

In this latest mobile attack, the hackers were controlling gadgets by breaking into customers' iCloud accounts and remotely locking the devices using the Find My iPhone feature. 

The victims included actress Jennifer Lawrence (pictured) who was said to have had 60 nude selfies stolen from her account. A spokesman for Lawrence confirmed the photos were genuine and said 'the authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence'

iCloud secures data by encrypting it when it is sent over the web, storing it in an encrypted format when kept on server, and using secure tokens for authentication (explained above). This suggests the hackers were able to obtain the login credentials of the accounts, and pretend to be the user, in order to bypass this encryption

AM I AT RISK?  

If a flaw in the iCloud service was to blame, any customer could have been at risk. 

iCloud's My Photo Stream feature uploads new photos to the cloud as soon as the device is connected to Wi-Fi; this is to keep photos synchronised across all your devices.

Disabling this option prevents photos automatically being uploaded.

Be aware that deleting a photo from a device does not mean it has been deleted from your online storage account. 

The photos may also appear in photo streams on other devices, and any phone or tablet that is synced with that iCloud account. 

This means you should delete photos from all of these areas if you want to get rid of them permanently.

In order to make your private data more secure, you should cherry-pick the data you store in the cloud and know when the data is set to automatically leave your device.

You should also choose a hard-to-crack password, and not use that password on any other account.

Stefano Ortolani, security researcher at Kaspersky Lab, told MailOnline: 'The leak is still under scrutiny, so it is not clear at this stage if cloud services are to blame, or if those are just files somehow leaked from a private collection.

'The security of a cloud service depends on the provider.

'However, it's important to consider that as soon as you hand over any data, including photos, to a third-party service, you need to be aware that you automatically lose some control of it. This is also the case for when you upload something online.

'In order to make your private data more secure, you should cherry-pick the data you store in the cloud and know when the data is set to automatically leave your device.'

For example, iCloud's My Photo Stream feature uploads new photos to the cloud as soon as the device is connected to Wi-Fi; this is to keep photos synchronised across all your devices.

Disabling this option prevents photos automatically being uploaded.

Actress Mary E Winstead confirmed photos on 4Chan were hers, but stressed that she had deleted them 'long ago.'

But, when photos that have been uploaded to iCloud are deleted from a phone, they are not necessarily deleted from the online storage.

Apart from iCloud, the photos also remain on the user's Photo Stream, which would also be available on other devices with which the photo streams were shared, such as an iPad or iPod touch, or devices synced with the same iCloud account.

If the leak didn't come from compromised iCloud accounts, the photos may have originated from other cloud services such as Google Drive, Dropbox or similar.

If the leak didn't come from iCloud accounts, the photos may have originated from other cloud services such as Google Drive. In June, Google announced its Drive service had a flaw that meant private information was at risk. The flaw was patched, but the large number of 4chan victims suggests the hack may have begun months ago

WHAT IS FIND MY IPHONE?

Find My iPhone helps users locate and protect their iPhone, iPad, iPod touch, or Mac - if it's ever lost or stolen.

With Find My iPhone set up on a device, it locates a device on a map, can play a sound to help users find their phone, use Lost Mode to lock and track it, or remotely delete all personal information.

With iOS 7 or later, Find My iPhone includes a feature called Activation Lock, which is turned on automatically when Find My iPhone is switched on.

Activation Lock makes it harder for anyone to use or sell an iPhone, iPad, or iPod touch if it's lost or stolen.

With Activation Lock, the Apple ID and password are required before anyone can disable Find My iPhone, sign out of iCloud, or erase and reactivate the device. 

In June, Google announced its Drive service had a flaw that meant private information was at risk from hackers.

The security flaw occurred when a file was uploaded to Google Drive, was stored in its original format and contained links to third-party websites.

In this instance, if a user clicked on the embedded link, the administrator of that site could potentially obtain information about the URL of the original document – exposing it to hackers.

Google patched the flaw in June, but the large number of victims in the 4chan leak also suggests that the hack may have begun months ago – at the time of this flaw.

Similarly, in May, a flaw was found in Dropbox accounts that could have given unauthorised access to accounts.

The publication of the photographs calls into question the safety of uploading personal data to iCloud, which was launched by Apple in October 2011. 

Despite the story breaking last night, Apple has yet to confirm or deny whether the service was the target of the hacking.



