When naked pictures of Scarlett Johansson hit the internet, take notice — but not for that reason.
If the wave of other possible leaked pics obtained from “hacked phones” is any indication — Jessica Alba, Vanessa Hudgens and Blake Lively, among others — ScarJo is not the only one using her phone to capture her private-now-public moments. How exactly does a phone get “hacked” though, its rawest inner bits ripped out and scattered across the web?
It’s still not clear precisely how pics of ScarJo’s backside were swiped from her phone, but that kind of makes it worse, since there are about as many ways to skim a phone as there are to skin a ginger seal. Which is like, a lot.
For instance, clicking on a malicious link from her phone could have caused ScarJo trouble, explains Gabriel Landau, a principal analyst at Independent Security Evaluators. It’s obviously not a good idea to click on links from people you don’t know, but it’s especially difficult to sniff out a bad URL when an email appears to be from a friend — particularly with the ubiquity of URL shorteners, which effectively mask the true URL. Say someone forges the email header and ScarJo thinks she’s getting an email from Charlie Sheen; it’s easier for that link to escort her to a site that’s up to no good. Well, maybe not Charlie Sheen, but you get the idea.
Once directed to the malicious site, the phone’s web browser and operating system can be silently compromised. Imagine something like jailbreakme.com, which swiftly frees your iPhone of Apple’s customisation restrictions. Except instead of inviting a program into your phone to help you free it from Apple’s beautiful bondage, you’ve actually invited in a Trojan horse filled with horribleness. A maliciously crafted file creeping from the site to your phone could add code to your phone’s web browser and operating system. That code could persuade it to do things it usually wouldn’t want to do, like shipping out photos to unintended recipients.
This website-delivered program could also just sit on your phone, waiting to do things more frightening than simply observing your photo-documented life. “Once they have this malware running,” Landau explains, “they can monitor your location, and even record with your phone’s cameras and microphone.” Terrifying. The bright side: This attack is less common because it’s much tougher than spoofing an email header or guessing a low-hanging security question. We normal people also lack the goods and the interest of celebrities, so we’re less likely to get hit.
More likely, though (and more applicable to you and me), security experts suspect that someone broke into an online service that stored the pictures, not the phone itself. (In other words, no Swordfish antics here. Your BlackBerrys and iPhones are safe!) If she emailed the pics to the person she intended to please, or used a photo-syncing service to send her photos to the cloud for sharing, a simple compromised password or a lame security question is all it took to give the hacker entry. Which is exactly how the probable hackers, Hollywood Leaks, have hacked the 50 or so celebrities they claim to have targeted.
Photo and life syncing services only expand the amount of data that a compromised password can give an intruder. “On the surface,” says Chester Wisniewski, a Senior Security Advisor at Sophos, “it sounds like the best idea ever, but the cloud is absolutely a double-edged sword. The quantity of stuff gathered — how many places you want to listen to your music, for instance — makes our lives easier, but ease for ourselves makes it easier for others to gain access.”
Just look at Sarah Palin’s 2008 Yahoo mail break-in, where getting into the vice presidential candidate’s private correspondence was as easy as guessing her security question during a login reset attempt. “The password reset is basically a lower security password,” explains Landau. “If you pick a strong password but your password reset is your pet’s name…” Your private photos are suddenly not private anymore.
Vulnerabilities in cloud-based services themselves can also let intruders in. Remember when that MySpace hacker downloaded half a million photos by getting backdoor access to private profiles? The dude told Threat Level’s Kevin Poulsen he did it “simply to prove that it could be done.” Then he pointed out, “It is ridiculous to think that there is privacy on public websites.” If the people stealing the photos don’t believe our online services can protect our privacy, perhaps we shouldn’t either.
Rachel Swaby is a freelance writer living in San Francisco. Check her out on Twitter.
Photo: Cheon Fong Liew/Flickr