#iCloudHack: Cloud Storage a More Likely Source

This site is 100% free, please consider sharing if it's useful to you!Share on Facebook0Tweet about this on TwitterShare on LinkedIn5Email this to someone

(NOTE: the article below goes for ANY remote file backup service, NOT just DropBox).

For the last couple of days the internet has been awash with stories of celebrities phones getting hacked en-masse, and personal photos being distributed through 4chan and other such forums.

The current explanation doing the rounds in the press is that the Apple iCloud Photo Stream is the source of the security leak, having discussed this with fellow internet marketer & security expert Dave Naylor, other possibilities piqued my interest so I’ve done some preliminary research based on whats freely available.

There is plenty of evidence to suggest it was NOT an apple hack.

Here are my reasons for doubting the current story:

Image EXIF data & Handset used

  • Some of the photos distributed have correct EXIF data for iPhones, however most don’t.
  • Yes, in many images you can see clearly that they are taken with iPhone variants.  Equally, there are some where the photo is taken clearly with an android device, and one or two with BlackBerry’s (yep, really).
  • Image resolutions don’t match with the iPhone resolutions at all megapixel/quality levels – there are a couple above the maximum possible resolution of an apple device of 3,264×2,448.

Composition & Filetype

  • Some of the images are screenshots, clearly not of an apple device.
  • Some of the media types simply would not be on the photo stream, for instance screengrabs of skype chats.

Victim selection

Sure, there are lots of celebrities that have been affected by this breach – but its a strange list if your intent is anything other than trolling.

If your ultimate goal was extortion of any type, Im guessing there are a lot more A-list celebs with iphones who would have been better targets.

It also feels like a lot of these victims demographically would be inclined to be au-fait with technology and therefore would be a good fit for a secondary backup service like a dropbox.

A more Likely Scenario:
Syncing your Photostream with Cloud Storage

One of the key uses for DropBox and its competitors, is syncing your phone data, including your images from your camera roll (iOS).
Many people will have elected to do this (myself included), and while it serves a valuable purpose, it also adds another security point of failure.

There have been many, many, many, many,  (I could go on, but won’t) examples of lack security from DropBox AND its competitors in the online cloud storage vertical.

While there was a vulnerability in the iCloud brute force attack defenses revealed in the last couple of days, the file storage companies have had this issue for many years.

To try and brute force, or compromise in any other way a file storage account, you’d only need the victims email address.  I’m guessing these wouldn’t be too tough to get ahold of, possibly easier than bruteforcing their apple accounts.

So was it DropBox?

To be clear – its absolutely not possible for me to say.  It’s not possible for anybody to say, without clear access and usage logs from wherever this media came from, unless you’re the opportunistic hacker (/scriptkiddie) that perpetrated this hack.

What I can say though, is that there does appear to be a weight of evidence that this was NOT an apple specific issue.  To suppose it was any file storage service above another is nothing but conjecture, Im merely citing DropBox as the leaders in the field.

Would I use DropBox?

ABSOLUTELY! Yes, I currently am a happy DropBox user. It has had proven security issues in the past, but then I have nothing highly confidential stored on the service.
I have my camera phone syncing with their service, and if it gets compromised then someone will end up with a lot of photos of family events, sunsets & expense receipts.

But then I dont lead a busy celebrity lifestyle.

CREDITS FOR THIS POST: 
Dave Naylor for the inspiration to research the non-apple potential, & anonymous parties for sharing the EXIF dumps and pointing out non-apple devices.

This site is 100% free, please consider sharing if it's useful to you!Share on Facebook0Tweet about this on TwitterShare on LinkedIn5Email this to someone
MartinMacdonald
Founder of WebMarketingSchool.com and a career professional in SEO and web marketing. Experienced in travel, gambling & entertainment niches. Former head of SEO for Omnicom UK, Inbound Marketing Director at Expedia & current Senior Director for SEO at Orbitz Worldwide.
MartinMacdonald

@searchmartin

Fortune 500's digital marketing consultant, travel marketing consultant. Former Head of SEO & content marketing for Expedia / Orbitz / Omnicom. English/Español
My good friend and fellow old time search geek @demib, wrote a great piece here on the pitfalls of correlation: https://t.co/U0MsvRg3NV - 54 mins ago
MartinMacdonald

Latest posts by MartinMacdonald (see all)