At the start of the month, a bunch of naked photos stolen from the iPhones of celebrities were posted online.
There seems to be a widespread misunderstanding of how that happened.
A serious allegation
Late Wednesday night, news outlet The Daily Dot posted a story headlined: “Apple knew of iCloud security hole 6 months before Celebgate.”
The story is based on several claims made by Ibrahim Balic, “a London-based software developer.”
To understand Balic’s claims, first you have to know about a type of “hack” called a “brute force attack.”
Basically, the hacker sits there and tries to log into a victim’s account by guessing over and over what the victim’s password might be.
There is a very standard defence against this kind of attack, used by most service providers — be they online banks, email services, or online storage providers. After a handful of wrong guesses for a password, the service provider freezes access to the account for some amount of time.
In his comments to The Daily Dot, Balic says he found a way to ping Apple’s iCloud servers with 20,000 password guesses for a single iCloud account. His conclusion: Apple’s iCloud storage service was vulnerable to a “brute force attack.”
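The lockout defence described above, as an added example (not Apple’s code or anything from the article): a login gate that freezes an account for a fixed period after a handful of wrong guesses, with the 20,000-guess figure fed through it to show how few of those guesses are ever actually checked. The account name, password and lockout window are constructed values.

```python
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5           # wrong guesses tolerated before the freeze (assumed)
LOCKOUT_SECONDS = 15 * 60  # how long the account stays frozen (assumed)

@dataclass
class AccountState:
    password: str          # plaintext only for this illustration; real systems store a hash
    failures: int = 0
    locked_until: float = 0.0

class LoginGate:
    """Password check that freezes an account after MAX_FAILURES wrong guesses."""
    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts
        self.clock = clock  # injectable so the demo can control time

    def attempt(self, user, guess):
        """Return 'ok', 'wrong' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "wrong"  # same answer as a bad password: do not reveal which accounts exist
        now = self.clock()
        if now < acct.locked_until:
            return "locked"  # refused without even looking at the guess
        if hmac.compare_digest(guess.encode(), acct.password.encode()):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
        return "wrong"

def simulate_guessing(gate, user, guesses):
    """Feed every guess through the gate and tally how each one was answered."""
    tally = {"ok": 0, "wrong": 0, "locked": 0}
    for guess in guesses:
        tally[gate.attempt(user, guess)] += 1
    return tally

def demo():
    """20,000 guesses against one account, then one attempt after the freeze expires."""
    clock = [1_000_000.0]  # mutable fake clock so the demo does not have to wait 15 minutes
    gate = LoginGate({"alice": AccountState("correct horse battery")}, clock=lambda: clock[0])
    guesses = [f"guess-{i}" for i in range(20_000)]  # constructed guess list
    guesses[10_000] = "correct horse battery"        # even the right guess is refused while frozen
    tally = simulate_guessing(gate, "alice", guesses)
    clock[0] += LOCKOUT_SECONDS                       # freeze has now expired
    return tally, gate.attempt("alice", "correct horse battery")
```

Of the 20,000 guesses only the first five are ever compared against the password; the rest, the correct one included, are turned away while the account is frozen.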
In The Daily Dot article, Balic says he brought Apple’s attention to this perceived flaw six months ago.
After explaining Balic’s allegations, the Daily Dot’s Dell Cameron implied there might be a connection between the supposed security flaw Balic uncovered six months ago and the “Celebgate hack.” Cameron wrote: “A security hole in Apple’s cloud storage service was initially blamed for the Celebgate hack.”
By yesterday evening, more than 15 news outlets had followed Cameron’s lead and posted stories making a connection between the security flaw Balic says he discovered and the nude celebrity photos.
In some of those headlines, the implicit connection Cameron hinted at between the flaw Balic says he found and the celebrity hack becomes an explicit narrative — a cause and effect.
The narrative: Apple knew about the security flaw that led to Jennifer Lawrence’s private naked photos getting plastered all over the Internet.
It’s a useful, simple, juicy narrative.
The problem is, it seems to be a false one.
The final headline on Techmeme is from ITProPortal. It asks: “Did Apple know about ‘celebgate’ iCloud flaw in March?”
The answer to that question is probably no, and it’s for two reasons.
Reason #1: Good luck brute forcing a token prompt.
We did some homework on Apple security protocols — specifically, the one highlighted by Ibrahim Balic. After this research, we’re comfortable saying that Balic did not find what he thought he found.
Balic believed he found, in Apple’s iCloud code, a prompt for a user’s password that he could respond to 20,000 times without being booted from the system.
He did not find a prompt for a user’s password.
Balic found a prompt for something else — something called a “token.”
“Tokens” are complicated, and how they work is very nuanced.
Here’s a basic description.
It turns out that when you log into iCloud and other Web services, you and your computer provide more information than just a password and a username.
You also provide a third piece of information that identifies you, or rather, your computing device.
This is called a “token.”
On Apple devices, the “token” is a very long string of digits. We don’t know how long, other than “very.”
The bottom line is this: Balic was entering possible passwords into a field that was asking for something else.
Further: Even if Balic were guessing possible tokens, it would take him an extremely long time to guess the correct string of digits.
Here is a screenshot Balic sent to The Daily Dot. Examining it, we guess that Apple tokens are 64 digits long.
A top of the line Intel processor maxes out at around 32,000 instructions per second.
If a computer were able to guess 32,000 64-digit strings in one second, it would be able to guess 1.0098208e+12 strings in a year.
It would take 9.9027471e+51 years to guess all 9999999999999999999999999999999999999999999999999999999999999999 combinations of 64-digit token strings.
You can’t “brute force attack” a token prompt, is the point.
Reason #2: That’s not how Apple screwed the pooch.
The second reason the narrative that Balic warned Apple of the flaw that would cost J-Law her privacy is wrong is that Apple has already explained the reason hackers were able to access celebrity iCloud accounts, and it has nothing to do with brute force attacks.
Because Apple updated its FindMyPhone software shortly after the scandal broke — and because a supposed vulnerability in FindMyPhone had recently been published on a site for developers — many reporters and commentators assumed that the celebrities were victimized by a hack that took advantage of a flaw in Apple’s software.
Apple allowed this idea to fester when it posted a vague “Update to Celebrity Photo Investigation” on its site, and provided little other information.
But, buried in an extensive interview with Charlie Rose, Apple CEO Tim Cook said that Jennifer Lawrence and her fellow celebrities fell victim to something called a “phishing scam.”
A “phishing scam” is called that because it’s like fishing.
Here’s how it works.
A hacker creates an email that looks like it is from some online service the victim belongs to — perhaps an online bank, a storage service, a social network.
In that email, the hacker asks the user to go to a website and enter their user ID and password for their service.
The victim is fooled by the email and does as it’s asked.
The hacker uses the user ID and password to access the victim’s account. The hacker also takes the ID/password combination and tries it on a ton of different Web services to see if the victim uses the same user ID and password elsewhere.
It’s easy to think that Jennifer Lawrence and the other celebrities (or their handlers) were dumb to fall for a phishing scheme, and that of course Apple is saying that’s what happened, because doing so divorces Apple from culpability.
That’s another incorrect narrative.
For starters, phishing schemes can be incredibly sophisticated.
Look at this fake email a hacker sent:
The second reason a “celebs are dumb/Apple is blaming phishing to get out of trouble” narrative is wrong is that Apple could have done more to make it harder for iCloud users to fall victim to phishing schemes.
One system Apple could have had in place is something called two-step verification for iCloud. Apple had two-step verification for AppleIDs, but not for iCloud.
How two-step verification works is this: whenever a user logs into an Internet service from a device they have not used before, or from a location they do not usually log on from, the service sends a second password (a one-time code) to a device it knows belongs to the user, because the user previously registered it, and prompts the user to enter that code before the login goes through.
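A simulation of the two-step flow just described, added here as an example rather than Apple’s or Google’s implementation: a login from a device the service has not seen before is not complete until a one-time code delivered to a trusted device is entered, so a correct password obtained by phishing is not enough on its own. The user name, device identifiers and code lifetime are assumptions, and a device identifier stands in for the location signal the text also mentions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60   # assumed lifetime of a one-time code

class TwoStepVerifier:
    """Second login step: a code sent to a trusted device when the login comes from an unfamiliar one."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.trusted = {}   # user -> set of device ids seen on earlier completed logins
        self.pending = {}   # user -> (code, expires_at, device_id) awaiting the second step
        self.outbox = []    # (user, code) messages "sent" to the trusted phone; constructed stand-in for SMS/push

    def begin_login(self, user, password_ok, device_id):
        """First step. Returns 'denied', 'ok' (familiar device) or 'code_required'."""
        if not password_ok:
            return "denied"
        if device_id in self.trusted.get(user, set()):
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"     # six random digits
        self.pending[user] = (code, self.clock() + CODE_TTL_SECONDS, device_id)
        self.outbox.append((user, code))             # delivered to a device the user registered earlier
        return "code_required"

    def finish_login(self, user, entered_code):
        """Second step. A code is usable exactly once, whether or not the attempt succeeds."""
        entry = self.pending.pop(user, None)
        if entry is None:
            return "denied"
        code, expires_at, device_id = entry
        if self.clock() > expires_at:
            return "expired"
        if not hmac.compare_digest(code, entered_code):
            return "denied"
        self.trusted.setdefault(user, set()).add(device_id)   # this device is now familiar
        return "ok"

def demo():
    """A correct password from an unfamiliar laptop stalls at the second step without the code."""
    v = TwoStepVerifier()
    v.trusted["jen"] = {"phone-1"}                              # constructed: the user's own phone
    familiar = v.begin_login("jen", True, "phone-1")            # -> "ok"
    unfamiliar = v.begin_login("jen", True, "laptop-unknown")   # -> "code_required"
    sent = v.outbox[-1][1]
    wrong_guess = "000000" if sent != "000000" else "111111"    # certainly not the code that was sent
    wrong = v.finish_login("jen", wrong_guess)                  # -> "denied"
    return familiar, unfamiliar, wrong
```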
Here’s an example of two-step verification from Google:
For some reason — probably user convenience — Apple did not have two-step verification on iCloud before all those celebrity photos ended up on the Internet. Shortly after the scandal, that changed.
Conclusion: a narrative you can believe
Now that we’ve dismissed all sorts of narratives around the celebrity hacking scandal, let’s summarize one you can safely walk away with — at least until Apple does the super smart thing and explains all this in detail itself.
Photos of naked celebrities (probably) did not end up on the Internet because Apple ignored a security flaw that was reported six months ago.
What was reported wasn’t really a security flaw.
Photos of naked celebrities (probably) ended up on the Internet because those celebrities were tricked into giving up their user IDs and passwords — and Apple did not have industry standard security measures in place, measures which would have protected those celebrities.
We reached out to Apple and Balic for this story. Apple declined to comment. Balic maintains he found a way to check passwords.