FBI, Apple investigating celebrity photo hacks
A spokesperson for Apple confirmed that the company is investigating whether an alleged vulnerability in the company’s “Find My iPhone” service and other possible vulnerabilities in its iCloud cloud storage service for Apple devices were used in the hacking of the personal photos of a number of celebrities. The FBI is also investigating whether the accounts of the celebrities were hacked.
Some of the photos, which were leaked through the “/b/” discussion forum on 4chan over the weekend, were apparently taken from iPhones—though it remains unclear when the hacking took place, or even if the same attackers are responsible for all of the leaked images.
“We take user privacy very seriously and are actively investigating this report,” said Apple spokeswoman Nat Kerris in a statement sent to the Wall Street Journal.
In a statement to the Associated Press, FBI spokeswoman Laura Eimiller said that the FBI “is aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter. Any further comment would be inappropriate at this time.”
Jennifer Lawrence’s publicist Liz Mahoney has said that Lawrence is pressing for a criminal investigation of anyone involved in the spread of the images. “The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence,” Mahoney said in a release.
As Ars reported on September 1, there are suspicions that a weakness in Apple’s “Find My iPhone” service was used to launch a brute-force password attack against celebrity accounts. A proof-of-concept attack, called iBrute, was posted to GitHub days before the attack; the poster reported yesterday that the vulnerability it exploited has now been patched by Apple. The attack would have been directed against a specific list of Apple accounts and not the service itself; the vulnerability, however, allowed attackers to keep throwing password guesses from a dictionary file at the service—if it actually ever worked.
Similar past cases of image theft from mobile devices have relied on the password-recovery feature of cloud services, exploiting publicly available information about celebrities to answer the security questions associated with their accounts. In the 2011 case of the hacking of cloud accounts of Scarlett Johansson, Christina Aguilera, and Mila Kunis, the man found to be responsible—Christopher Chaney—was sentenced to 10 years in prison.