Following the flood of nude celebrity photos posted online last year, the FBI traced hundreds of hacked iCloud accounts of celebrities to a single IP address, according to a federal search warrant and related affidavit that were unsealed this week. The affidavit from FBI special agent Josh Sadowsky fills in several holes in the sordid story, detailing both how the photos were likely stolen and how the FBI was able to trace the crime back to a single IP address registered to a Chicago man named Emilio Herrera. His electronics were seized in October.
It’s the story of a not terribly talented criminal targeting an arguably even less competent security team. A story that, depending on your predilection, offers lessons in how to compromise accounts—or how to protect them.
The FBI investigation of the stolen photos centers on a single IP address, 220.127.116.11, registered to Herrera through his AT&T subscription. The address was used to access 572 unique iCloud accounts 3,263 times between May 31, 2013, and Aug. 31, 2014. During that same period, a computer connected to Herrera’s IP address attempted 4,980 password resets related to 1,987 different iCloud accounts.
These numbers raise two related questions: How could Herrera—or whoever was connecting from his IP address—have failed to mask that address? And how could Apple have failed to notice an IP address logging into hundreds of accounts and attempting thousands of password resets?
Both the criminal and Apple could have done a much better job at their respective goals. But to really understand these questions, it helps to know a little about IP addresses and why they make for problematic online identifiers—even in cases like these where they appear to provide such thorough and damning evidence.
In the affidavit, Sadowsky describes Internet protocol addresses as “unique numeric address[es] used by computers on the Internet” to direct traffic between computers. What he does not mention is that IP addresses are not necessarily unique to an individual computer; often, a single IP address is shared by a number of machines all using the same connection to the Internet. To share a single IP address across multiple computers, we use a technique called network address translation, or NAT, to map several machines to a single public IP address. Your wireless router is, more likely than not, also a NAT box—so the different devices connected to your Wi-Fi network appear to the outside world to share a single IP address and are only differentiated within your home network.
The prevalence of NAT in today’s Internet is important here, because essentially all of the evidence provided in the affidavit relies on IP addresses. For one thing, the fact that the originating IP address was registered to Herrera does not necessarily mean he’s the perpetrator. The account access attempts and password resets might have been initiated by Herrera or one of the three other people Sadowsky lists as possible residents of the house. But they could also have been made by someone else with a device connected to his wireless network, or even by someone who had successfully compromised another person’s device connected to Herrera’s network.
That’s likely why the FBI wanted to seize the devices and try to uncover more conclusive evidence about who was responsible. (The FBI reportedly retrieved from Herrera’s residence three computers, two cellphones, two micro-SD cards, two floppy disks, a San Disk Sansa media player, and a Kindle Fire. If stolen photos were actually being stored on floppy disks and the thief failed to cover his tracks by varying the IP address, then he was even more technologically inept than it first seemed.)
The way IP addresses are shared across networks and institutions also complicates the picture for Apple and other companies trying to protect accounts from these sorts of breaches. Accessing 572 different iCloud accounts over the course of a year is certainly suspicious activity for an IP address shared by a few people in a 1½-story house. But an IP address being shared by hundreds of people at the same college or working in the same building could perfectly legitimately be used to access that many accounts—or more! AT&T can easily identify whom an individual AT&T IP address is registered to and whether it’s likely to be shared among three or four people or 400—but Apple does not have access to those detailed records.
That doesn’t mean that Apple shouldn’t monitor anomalies or high volumes of activity from a single IP address. In fact, it probably does—as do many companies. The challenge lies in defining what constitutes high volumes of activity.
For instance, the charges against Aaron Swartz for downloading millions of articles from academic journal repository JSTOR began with the site flagging an IP address that was unusually active. Between 5 p.m. on Sept. 25, 2010, and 4 a.m. the following day, the IP address 18.104.22.168 downloaded more than 450,000 articles from JSTOR. This was anomalous even for an IP address that JSTOR knew was shared across hundreds of MIT users. (At MIT, IP addresses often correspond to individual buildings.)
As soon as JSTOR blocked downloads from that address, of course, Swartz changed his, pointing to another problem with defensive measures based on IP addresses: They’re easily manipulated. So, too, are the MAC addresses that identify specific devices (which Swartz also changed in order to evade JSTOR’s attempts at blocking his downloads). Even if Apple had been zealously monitoring IP addresses and restricting how many accounts could be accessed from one—or flagging those that seemed to access too many or reset an unusually large number of passwords—a computer-literate criminal could have dodged those safeguards with little difficulty.
In fact, a study on Google account hijackings last year found that, on average, manual hijackers used individual IP addresses to access only 9.6 distinct accounts each over the course of two weeks. This low volume made “their activity extremely difficult to distinguish from organic traffic,” the authors noted.
The attempts to access iCloud accounts from Herrera’s IP address fall somewhere between the studied low-volume efforts of the Google account manual hijackers and the large-scale, automated downloading activity that alerted JSTOR to Swartz. And figuring out how to detect the misbehavior that falls in that large activity gap between 9.6 and 450,000 is not an easy job.
The number of accounts accessed from Herrera’s IP address is not obviously suspicious, until you know that that IP address is registered to a single-family house in Chicago—something Apple could not easily have determined. Perhaps the more clearly anomalous behavior is in the password resets—why should an IP address that is used to access 572 accounts over the course of 14 months be initiating password resets for 1,987 accounts during that time?
Apple has been criticized before for allowing users too many attempts at guessing iCloud passwords. It might also do well to pay a little more attention to when, and how often, user passwords are being reset. Changing your passwords regularly is a good—and recommended—computer security practice, but changing too many too often may be just the opposite.
This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.