On Sunday, hundreds of revealing photos of celebrities were stolen and shared around the world on the Internet. Apple, which is preparing to launch a new iPhone next week, says it was the result of targeted attacks on accounts storing personal data and not a direct breach of its systems. Regardless of how it happened, the hacking underscores the risks for all who use smartphones to store sensitive material, from photos to health-care records.
Early indications are that the massive theft of private information was the result of a targeted attack on the accounts of various celebrities. But so far, Apple Inc. has released very little information on the technical details behind the incident. The hack also comes at a time when security researchers are raising serious questions about the robustness of the company’s cloud security.
Last Saturday, two researchers named Andrey Belenko and Alexey Troshichev gave a presentation at a computer security conference called Defcon Russia. Independently, each man had discovered a different weakness in Apple’s technology infrastructure.
The first issue is related to an Apple service called iCloud Keychain. The Keychain is essentially a storage locker for a host of sensitive user data, including usernames, passwords and credit-card information. It is used to keep this information synchronized across multiple devices (for example, a user’s iPhone, iPad and Mac computer). When users first set up a Keychain account, they are asked to create a security code. The code allows them to connect the Keychain to more devices in the future. However, that code, by default, is set by Apple as a simple four-digit number, making it relatively easy to crack using a method called brute force. Essentially, a brute-force attack is a relatively unsophisticated strategy in which malicious actors simply try every conceivable password combination until they find the right one. Using even a modestly powerful computer, a hacker could very quickly try every one of the 10,000 possible four-digit combinations of the default iCloud security code.
“The default choice of four digits is, in my opinion, not sufficient,” said Mr. Belenko, a senior security engineer with the computer security firm viaForensics. “If iCloud is compromised, it can be brute-forced.”
Usually, brute-force attacks are easily thwarted because most systems will lock a user out if they enter too many incorrect passwords. However, the researchers discovered another flaw in the Apple infrastructure that makes such attacks possible. An iCloud service called Find My iPhone, Mr. Troshichev found, has no limits on how many times a user may guess a password, making it a prime target for a brute-force attack.
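The two weaknesses above reduce to one defensive rule: a four-digit code is only as strong as the lockout the verifier enforces. The following added example (written here for illustration; it is not Apple's code or anything from the researchers' presentation) simulates a constructed four-digit code check with and without a lockout, so the difference shows up in guess counts. The account names and codes are made up.

```python
import hmac
from collections import defaultdict

# Every possible four-digit code: the 10,000 combinations the article mentions.
CODE_SPACE = [f"{i:04d}" for i in range(10_000)]


class CodeVerifier:
    """Toy per-account code check (constructed for this example).

    max_failures=None means no lockout at all, the situation described for
    Find My iPhone; an integer locks the account after that many consecutive
    wrong guesses.
    """

    def __init__(self, codes, max_failures=None):
        self._codes = dict(codes)          # account -> correct code (made up)
        self.max_failures = max_failures
        self._failures = defaultdict(int)
        self.locked = set()

    def verify(self, account, guess):
        if account in self.locked:
            return False                   # a locked account rejects everything
        # Constant-time comparison so response timing leaks nothing about the code.
        ok = hmac.compare_digest(self._codes.get(account, ""), guess)
        if ok:
            self._failures[account] = 0
            return True
        self._failures[account] += 1
        if self.max_failures is not None and self._failures[account] >= self.max_failures:
            self.locked.add(account)
        return False


def exhaustive_guess_outcome(verifier, account):
    """Try every code in order and report (code_recovered, guesses_accepted).

    Shows how many guesses the verifier lets through before it stops answering.
    """
    for attempts, guess in enumerate(CODE_SPACE, start=1):
        if verifier.verify(account, guess):
            return True, attempts
        if account in verifier.locked:
            return False, attempts
    return False, len(CODE_SPACE)
```

With no lockout the whole space is walkable and the code is always recovered; with a lockout of five the verifier refuses after five guesses, whatever the code.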
It is likely that whoever is responsible for the massive iCloud hack took advantage of one or both of these security weaknesses. On Monday, Apple scrambled to fix the Find My iPhone vulnerability, but the company has denied the hacking incident is related to the issue.
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on usernames, passwords and security questions, a practice that has become all too common on the Internet,” the company said in a statement on Tuesday. “None of the cases we have investigated has resulted from any breach in any of Apple’s systems, including iCloud or Find My iPhone.”
Apple did not specifically explain what the company considers to be a breach of its system, and whether a brute-force attack would meet that definition. It is also unclear which of the cases Apple has already investigated, and which remain. An Apple spokeswoman did not respond to a request for comment on Tuesday.
What is the cloud?
When software developers say “the cloud,” they really mean computers full of data that users can access from anywhere using an Internet connection. In effect, the cloud is marketing shorthand for the reality that a lot of computing activity now happens in third-party data centres instead of an individual user’s phone or desktop computer.
In recent years, the cloud has become one of the biggest and most lucrative branches of the technology industry. The research firm IDC reports that IT spending by companies on cloud services reached nearly $50-billion in 2013, and could rise to more than $107-billion by 2017. Tech heavyweights such as Microsoft Corp., Google Inc. and Amazon.com Inc. have spent billions trying to gain a foothold in the cloud market, and the massive database company SAP recently invested in a cloud-services data centre in the Toronto area.
Cloud customers range from massive corporations to individual users. Netflix Inc., for instance, doesn’t own much of its server infrastructure and instead relies on a part of Amazon.com called Amazon Web Services (AWS). AWS is one of many companies that build and operate vast rooms filled with banks of powerful, Internet-connected computers to host things such as movies, TV shows, your shopping history and even software tools you can access without having to download anything on your personal machine.
Even if they don’t know it, many regular consumers use cloud services every day. Google’s Gmail is cloud-based e-mail, and even “ephemeral” photo-sharing services such as SnapChat host images in the cloud. Most mobile phone software, from music streaming apps to Instagram, will keep user data in the cloud. Many users also rely on the cloud for tasks such as data backup or large-file sharing online (using services such as Apple Inc.’s iCloud, Dropbox and Microsoft’s OneDrive).
Privacy and the law
There is no doubt that the large-scale theft of personal information constitutes a violation of the law. In the U.S., the FBI has confirmed it is looking into the case, but offered few details. Apple also said in a statement that it is working with law enforcement to try to identify the people responsible for the breach.
Because it appears someone broke into many celebrity users’ accounts and stole personal information (much of it in the form of nude photos), the illegality of the act is not in dispute. However, in most cases involving the collection and dissemination of compromising personal photos, the victims are not celebrities, and the law is far from clear.
In recent years, a cottage industry of illicitly shared photos has cropped up under the moniker “revenge porn” – the premise being that an aggrieved partner looks to enact “revenge” by making private photos of their former partner available for all to see on the Internet. In the U.S., the extent to which such acts can be prosecuted varies wildly from jurisdiction to jurisdiction, depending on who took the photo, where the person who disseminated it lives, and myriad other factors. In some states, revenge porn is effectively not classified as a crime.
In Canada, the federal government recently tried to crack down on revenge porn with Bill C-13, the Protecting Canadians from Online Crime Act. The bill would make it a crime, punishable by up to five years in jail, to distribute, sell or make available an intimate image without the consent of the person depicted in that image. However that bill has faced resistance in part because it also includes a host of proposed measures that would give authorities greater online surveillance powers.
In the case of the iCloud hack, there is no doubt about illegality, but technical issues might still prevent the hackers from facing justice. It is not yet clear where in the world the hackers reside, and what methods they used to conceal their identities. And despite efforts to combat the dissemination of the stolen images, they have cropped up in many corners of the Web. A spokesperson for Jennifer Lawrence, one of the celebrities whose personal information was stolen, said in a statement that authorities would prosecute anyone who posted the photos online. But given the sheer number of people who have already done so, such a task may prove difficult.
What is 4Chan?
It is, depending on whom you ask, the Internet’s Wild West or its open sewer – a simple message board that has become, over the past decade, infamous for its chaotic influence on the Web.
Founded primarily as a forum for fans of Japanese animation, 4Chan has grown to encompass virtually every conversation topic under the sun. The site itself has often been criticized for posting offensive and arguably illegal content, but is largely a destination for such content because of its deliberately lax registration rules. In effect, virtually anyone can post on the site without registering any information, making 4Chan almost totally anonymous. Partially as a result, the site has built a dedicated and massive following.
The iCloud hacking incident is hardly the first time a sensational and likely illegal act made its digital debut on 4Chan. In 2008, a 4Chan user managed to hack into the private e-mail account of Sarah Palin, who was the Republican vice-presidential candidate at the time. Users of the site have also been the subject of numerous investigations and arrests relating to everything from child pornography to school shooting threats.
OMAR EL AKKAD AND SHANE DINGMAN
The Globe and Mail
Published Tuesday, Sep. 02 2014, 8:40 PM EDT
Last updated Wednesday, Sep. 03 2014, 7:55 AM EDT