The Theories, Possible Techniques, and Motives Behind the Celebrity Photo Scandal and How You Can Protect Yourself

iBrute and How It All Got Started

On August 30, savvy developers discovered a flaw in Apple’s FindMyIphone feature where brute-force protection (preventing users from making multiple password guesses) was not implemented.  A brute-force script called iBrute was developed and released to the public.  A day later, an anonymous user on 4chan offered nude photos of famous celebrities like Jennifer Lawrence, in exchange for Bitcoin donations.  The timing seemed to indicate a correlation between the photos, and the iBrute security flaw. Since then, hundreds of photos have been released.  Apple has since patched the flaw, and released a statement about their investigations, finding no evidence of breaches to the iCloud service.

It’s Not Just iCloud

Although many victims are iPhone users, some use Android and file remnants point to other cloud services such as Dropbox.  The timing of the scandal immediately after the release of the ibrute exploit may just be coincidental.  Blogger and hacker Nik Cubrilovic has done his own amateur, but thorough investigation, tracing back the timeline and the parties involved.  The stolen content does not appear to have been gathered all at once, but collected over a long period of time.

Most security experts also agree that the specific exploit was highly unlikely to be the only, or even the main method of penetration.  As we’ve seen with previous leaks, most occur out of social engineering or simple, misplaced trust.  How often have we seen a celebrity sex-tape released by a former lover?  A friend could have been invited to a celebrity’s house, noticed an open laptop, and just copied files onto a flash drive.

A celebrity could have been at a party, logging into an account, and someone looked over their shoulder to see the keystrokes for the password.  Once into that celebrity’s account, it would be easy to retrieve their contact list with email addresses that could then be sold to other hackers who can then attempt traditional techniques such as phishing, and password resets.

How Celebrity iCloud Accounts Were Hacked

Who Did It

Initial reports credited a single anonymous hacker, but mounting evidence points to a long-standing group of individuals, sharing and exchanging personal data with each other.  The high profile nature of being a celebrity made actresses like Jennifer Lawrence valuable targets.   The private photos and videos became commodities that were traded and collected.

An enterprising hacker decided to sell some photos and videos for real money (or Bitcoin) on 4chan, which may have caused other hackers – each with their own private collection of photos – to try selling what they had as well, leading to an outpouring of available content.

There are even rumors that a wealthy individual made a large monetary offer for all the content available.  A single person may have been responsible for the initial leak, he/she is unlikely to be the mastermind behind all the hacks, and, like most leaks of this nature, the motives are far more likely to be monetary than altruistic reasons to serve the “community” or fans.

How To Guard Yourself

Ultimately, this can happen to anyone, and an upside to this scandal is how it has shone a very big spotlight on personal data security.  Misappropriated photos and sensitive data occur everyday to normal people like you and I.  You may not be a high-profile target like a celebrity, but perhaps you are an attractive female, or run a successful business with sneaky competitors.  There may be someone interested in your private information.

Here are some basic steps everyone should take:

Be careful storing sensitive data on cloud services.  When in doubt, keep it offline.  Google, Apple, Facebook – these are online services that in theory could be accessed by anyone and subject to terms and privacy agreements which change all the time.  Remember that you are storing your data, on someone else’s server

Don’t use the same password for everything

Pick passwords that mix letters, numbers, and characters in unusual ways

If available, use multi-stage logins

Pick a username that is unique.  Everyone wants to be the first and only “superman” on a forum or service, but it becomes an easy target since it is one less thing for hackers to guess.  Try Bob66Fries as a username.

Clear all personal data from your devices when you bring them in for repairs.  Not every technician is a pervert, but if you have naked photos on your iphone when you bring it in for repairs at the Apple Store, it makes a very tempting prize for at least a peek.



Written by Michael Chan

UPDATE: Apple has since released a statement that the accounts were hacked via a password reset.

Comments are closed.