How Did Jennifer Lawrence's Nude Pics Get Hacked?

Since dozens of nude celebrity photos were leaked, security experts are trying to understand whether the source was iCloud, though Apple remains mum.


The web is astir again with leaked nude photos of dozens of celebrities, among them Jennifer Lawrence, the model Kate Upton and Kirsten Dunst.

According to the hacker who released the photos, he obtained them all by breaking into the victims' Apple iCloud accounts. However, security experts believe iCloud is not the only source of the photographs.

Apple refused to comment on the Independent's report of the hacking.

It all started on the forum site 4Chan, which is considered one of the untamed corners of the Web. An anonymous user claimed he had photos of numerous celebrities and asked for Bitcoin donations before publishing them.

According to Business Insider, he received just 0.2 Bitcoins (nearly $100), but other users on the forum taunted him and he relented. He released some of the photos, many of them of Lawrence, whose publicist confirmed their authenticity.

Leaking naked pictures of famous people is nothing new, but Shahar Tal – head of the Malware and Vulnerability Research team at Checkpoint – believes that the current incident is exceptional.

"I remember very few instances of real break-ins and thefts of private pictures," he said. "It is not a photo of a celebrity who posed for a magazine or fashion photographer that surfaced. These are really private photos that were sent between couples."

According to Tal, the character of the pictures is exceptional compared to previous incidents.

Apple's iCloud serves as an automatic backup for the photos, emails, contacts and other files of iPhone, iPad and Mac users. The service is considered relatively safe, and many expressed doubt about the hacking claims and speculated about other ways the images may have been stolen.

Some surmised that someone hacked into the Wi-Fi network at the Emmy Awards ceremony and captured celebrity passwords there. But Checkpoint's Tal supports the theory raised on the Next Web website that at least some of the hacking was accomplished through a script that ran a brute-force attack against the Find My iPhone service.

A brute-force attack is the systematic trial of candidate passwords (or keys) until the right one is found; against an online login service it simply means submitting guess after guess to the authentication endpoint, so the attack only works if the service lets you keep guessing. "Hacking is pretty simple," explained Tal. "They found one place allowing multiple identification attempts without locking the account. Locking the account after a number of failed attempts is one of the most basic defenses against brute force, which in this case did not exist."

The Next Web reported that the tool now locks the account after just five attempts, a development which suggests that Apple was quick to put a stop to the hacking.
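
The weakness Tal describes, and the lockout that closes it, are easy to show in code. The following is an added example written for this article, not code from Apple, the Next Web or the tool in question: a toy authentication service that can be run with or without a failed-attempt limit, and a small dictionary attack run against both. The user name, password, word list and the threshold of five attempts are constructed for the example.

```python
"""Added example: an online brute-force attack against a login endpoint
with and without an account lockout.  All names and data are constructed."""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold, matching the five attempts reported


class AccountLocked(Exception):
    """Raised when a locked account is asked to authenticate."""


def make_user(password, salt=None):
    """Return (salt, PBKDF2 hash) for a password; salt is random unless supplied."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class AuthService:
    """Toy login endpoint.  lockout_threshold=None reproduces the weakness:
    unlimited failed attempts without ever locking the account."""

    def __init__(self, users, lockout_threshold=None):
        self.users = users                      # name -> (salt, hash)
        self.lockout_threshold = lockout_threshold
        self.failed = {}                        # name -> consecutive failures

    def _verify(self, name, password):
        salt, stored = self.users[name]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
        return hmac.compare_digest(candidate, stored)  # constant-time compare

    def login(self, name, password):
        if name not in self.users:
            return False
        if (self.lockout_threshold is not None
                and self.failed.get(name, 0) >= self.lockout_threshold):
            raise AccountLocked(name)           # hardened path: refuse further guesses
        if self._verify(name, password):
            self.failed[name] = 0
            return True
        self.failed[name] = self.failed.get(name, 0) + 1
        return False


def dictionary_attack(service, name, wordlist):
    """Try each word in order.  Returns (password_or_None, attempts_made)."""
    for attempt, guess in enumerate(wordlist, 1):
        try:
            if service.login(name, guess):
                return guess, attempt
        except AccountLocked:
            return None, attempt - 1            # locked out before this guess ran
    return None, len(wordlist)


# Constructed sample data: a weak password that appears sixth in the word list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou",
            "sunshine", "monkey", "dragon"]
USERS = {"celeb": make_user("sunshine")}


if __name__ == "__main__":
    weak = AuthService(USERS)
    print("no lockout:  ", dictionary_attack(weak, "celeb", WORDLIST))
    hardened = AuthService(USERS, lockout_threshold=MAX_FAILED_ATTEMPTS)
    print("with lockout:", dictionary_attack(hardened, "celeb", WORDLIST))
```

Against the service without a limit the attack recovers the password on the sixth guess; with the threshold in place it is stopped after five failures and never reaches it. Two caveats a practitioner would add: a per-account lockout on its own lets an attacker lock victims out of their accounts at will, so production systems pair it with per-source rate limiting and escalating delays rather than a hard lock alone; and, as the article goes on to note, a password recovered from one weak endpoint is often reused elsewhere, so the lockout protects only the service that enforces it.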

But Tal believes iCloud was not the only source of the photos.

"There are also certain theories that are supported by evidence that it was simply a private collection of a hacker who used a variety of ways to obtain the photos," said Tal. For example, it is highly likely that Kate Upton's photos were stolen from a Dropbox folder, and some of the pictures were taken with Android devices rather than iPhones.

"It could be, and is even likely, that after they obtained the password via the brute force in question, they used the same password and managed to enter different accounts."

People may be wondering where the attackers obtained the celebrities' private email addresses, but Tal says it's not a problem. "I invite you to search on Google for the private address of the celebrity of your choice," said Tal. "The answer will often be on the first page."

In contrast, Tal was quick to quash any fears about iCloud. "I don't think we all need to become hysterical because of this incident," he said. "There will always be a theoretical risk of hacking any content, be it saved in the Cloud, on a company server, your PC or a telephone. The chances of hacking decline the more you invest in layers of security and are aware of the risk. I actually rely on Apple, which is usually very serious about data security – and let's remember that we still haven't seen the smoking gun revealing the guilty party."