The police tool that hackers use to steal nude photos from Apple’s iCloud

“As nude celebrity photos spilled onto the web over the weekend, blame for the scandal has rotated from the scumbag hackers who stole the images to a researcher who released a tool used to crack victims’ iCloud passwords to Apple, whose security flaws may have made that cracking exploit possible in the first place,” Andy Greenberg reports for Wired. “But one step in the hackers’ sext-stealing playbook has been ignored—a piece of software designed to let cops and spies siphon data from iPhones, but is instead being used by pervy criminals themselves.”

“On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups,” Greenberg reports. “That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com.”

“The fact that Apple isn’t complicit in law enforcement’s use of Elcomsoft’s for surveillance doesn’t make the tool any less dangerous, argues Matt Blaze, a computer science professor at the University of Pennsylvania and frequent critic of government spying methods,” ‘Greenberg reports. “What this demonstrates is that even without explicit backdoors, law enforcement has powerful tools that might not always stay inside law enforcement,’” he says. ‘You have to ask if you trust law enforcement. But even if you do trust law enforcement, you have to ask whether other people will get access to these tools, and how they’ll use them.'”

Tons more in the full article here.

Related articles:
Elcomsoft forensic tool snags iCloud backups without an Apple ID; only works under certain conditions – June 18, 2014

Celeb nudes: Comprehensive review of forum posts reveals no mention of ‘Find My iPhone’ brute force technique – September 2, 2014
Apple’s iCloud is secure; weak passwords and gullible users are not – September 2, 2014
Apple: No iCloud breach in celebrity nude photos leak – September 2, 2014
FBI, Apple investigating alleged iCloud hack of celebrity nude, sex photos and videos – September 2, 2014
Celebrity or not, Apple isn’t responsible for your nude photos – September 2, 2014
Apple ‘actively investigating’ Jennifer Lawrence, other nude celebrity photos hack – September 1, 2014
Apple’s iCloud not likely the sole source of leaked Jennifer Lawrence, other nude celebrity photos and videos – September 1, 2014

24 Comments

  1. “The fact that Apple isn’t complicit in law enforcement’s use of Elcomsoft’s for surveillance doesn’t make the tool any less dangerous…”

    And we know this FACT how? Because someone said so?

    1. But most users have no idea what is going on with their iStuff anymore, and all of the behind the scenes stuff is turned on by default. It’s like the new thing with an app wanting to know your position. The choices are to ‘allow the app to get your position when in the background’ and ‘never’. How about ‘only when I’m using the app?’ Apple is just going in the wrong direction.

  2. EPPB only allows downloading of an iPhone or iPad backup with the user’s login credentials. iBrute and other brute force attack methods can crack a user’s password – IF the user has a weak password. A strong enough password could be virtually uncrackable using this method.

    1. *DING* Ideally, virtually, best we can hope for.

      But Apple makes a second factor of authentication available anyway. Eventually, at this rate, we’ll move on to three-factor authentication, which would probably include the fingerprint scanner.

        1. I posted a link around here yesterday to the Wikipedia article on authentication. The ideal is currently considered to be three-factor authentication. It includes:
          – Something you have, like a cell phone with a code Apple sends you via SMS.
          – Something you know, like a password.
          – Something you are, like a fingerprint.

          Apple hasn’t added fingerprint authentication of Apple accounts yet. But it is expected they will. What of course holds them back is the fact that not all Apple users have an iPhone 5S (or 6) with a fingerprint scanner. But they may well add it nonetheless.

          1. Nothing actually stopping Apple from offering that level now for iPhone5S owners.. Don’t think Apple will wait for all older device owners to stop using their older than 2yr iPads/iPhones, which may take years yet.

            1. I agree. If you’ve got the fingerprint scanner, Apple should provide further ways to use it right now. If anything, it will provide incentive to get an iPhone 5, or presumably 6. Meanwhile, Apple provide two other authentication methods.

    2. “In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com.”—Wired Article claim

      Apple has investigated the breeches of the users’ accounts in question and they were not accomplished by the means described in the Wired article. IBrute was not used through the flaw in FindMyiPhone. EPPB may have been used to get information after the invaders finessed access to these accounts by merely doing biographical research on their very public targets histories, but it wasn’t necessary.

      The Wired article waxes shocked at the perverted “hackers” who with their arcane skills and secret hacker tools, will for a fee, offer the “service” of downloading the information and photos from anyone’s iCloud account for anybody who brings them the account owner’s Apple ID and password! What? A six year old can do that with any browser. Anyone can access data given the owner’s user name and password! That’s the way it’s supposed to work!

      Talk about spinning the normal, EVERYDAY accessing of user files into something sinister. . . as I mentioned elsewhere, it is indeed FUD Season.

    3. Actually you can’t use on an Apple iCloud backup. Apple locks the account after five failed password attempts. The only way IBrute could get into these accounts is if they used on of the five most commonly used passwords: “password,” “123456,” “qwerty,” “abc123,” and “letmein.” If they used any of those, then, the attacker would have gotten in before the account would have been locked.

  3. The bigger picture of this article to me isn’t the security breaching software side of things it’s that these hackers apparently have all the phone numbers, text message history, email history, phone records, etc… that were on these celebrities devices. That could prove to be just as damaging over time as the pictures are now.

    I would be surprised if Apple didn’t mention this in passing at Tuesdays iPhone 6 launch and didn’t announce improved security measures. Regardless of the company, hackers will always hack and so far there is no such thing as a hacker proof system. If there was, everyone would use it. All cloud services are equally vulnerable.

      1. What I mean is that there is no such thing as a hack-proof could or everyone would be using it. The fact is Apple is a big target, so they are getting the hackers attention. it doesn’t mean that DropBox, or Google Drive, or Azure, or any of the other Cloud services are impervious to hacking.

        Essentially every online computer is vulnerable to hacking simply because it’s on the internet and any good hacker can connect to any computer online in the world and try to hack it.

        Hell, even the government has had to admit that their computers have been hacked. Everyone is vulnerable. That’s not meant to scare anyone, it’s mean to help them make themselves as secure as possible. 2-step verification and secure strong passwords go a long way to helping.

        Of course not being a celebrity, public figure, or large corporation also helps.

        1. The old saw in the computer security community is that the only secure computer is the one that is turned off, RAM and hard drive removed, placed together in a hole in a concrete slab and then crushed… maybe.

          But I think it doesn’t do justice to companies like Apple that are providing very strong barriers to hacking to say that “all… are equally vulnerable.” Caveat emptor, to be sure, but there are a lot of “cloud” providers out there that do little to safeguard your data on their servers. Well, perhaps you are saying that because social engineering targets the softest of targets (the human) and humans are the users of cloud services, then all cloud services are equally susceptible to social engineering. My prediction there is that Apple will require two-factor authentication going forward, no exceptions.

    1. It’s a good point that once someone accesses your iCloud login, they have access to everything (messages, contacts, calendar, photos, keychain?, etc.)

      What gets clouded in all this confusion is that, from what we know so far, the celebrities in question were hacked because 1) they used weak passwords and/or 2) they did not have 2-factor authentication and their security questions were easily guessable. In other words, if they had selected a strong password and used 2 factor authorization, they would not likely have been victims in this case.

      Personally I think “security questions” are a joke, and Apple should do away with them or at the very least allow users to customize the questions instead of giving them choices that are not that hard to guess.

      The other part of this story (though so far not directly related) is the revelation that Apple didn’t have a rate limiter for failed login attempts for their Find My iPhone online login. That was a serious screwup which they’ve thankfully patched, but it raises concerns about how such a basic element of online security could be missed by a company with as much attention to detail as Apple.

      The flip side of this story is that the more secure you make something, the more complicated and less convenient it becomes. I just converted my Gmail account to 2-step verification and it took quite some time to set it up on all my devices and apps – something I would wager the vast majority of users could not be bothered with. A more secure cloud solution would encrypt all data at the source and keep all keys with the user – but this would also destroy any sort of seamless, automated cloud sync features.

      1. The questions aren’t the problem: It’s the habit of answering them truthfully that is the problem.
        What is your mother’s maiden name? Seriously? A quick scan on the internet is very likely to find that. So answer it nonsensically and keep a Keychain Secure Note of which questions you pick and what your answer was.
        Q: What is your mother’s maiden name?
        A: Moon pen
        Q: What’s your favorite place to vacation?
        A: back flip tumbleweed
        etc.

  4. But even if you do trust law enforcement, you have to ask whether other people will get access to these tools, and how they’ll use them.’

    This opens a whole new chapter in the book of unconstitutional US government spying on We The People. I think it’s HILARIOUS. Steal the traitorous tools from the Police State and use it against THEM and everyone else.

    The phrase ‘Pandora’s Box’ comes to mind.

    HAHA! Shouldn’t have opened that box, government and law enforcement, dummies. 😯

    In any case, all of this points out once again (chant along with me!) that: Modern coding is beyond the comprehension of any one human being. The fatality is software security, typically in the form of bad memory management. Apple knows this as well as any other coding company and suffers the consequences. If Apple’s Swift programming language can really kick bad memory management in the dangly bits, that would be a remarkable feat of progress. *fingers crossed*

  5. One problem I am having with this ‘breach”. The reports are about “photos targeting more than 100 U.S. and U.K. celebrities” over the weekend. Everyone is talking about the access to these passwords was by using the “forgot my password” process. That would be a huge amount of research on all the celebrities to be able to answer the two questions needed to reset the password. And all this just to get some nude photos? Really?

    The breach has to be something much simpler. The hackers obtained a list of celebrity email accounts then did a brute force attack on their iTunes account. The cracker app would just spin through the emails and try the ten(?) most popular passwords and save off the successful hits. Now the manual labor comes in where the hackers view the photos in photo stream.

    Yes, the photos maybe an embarrassment but I would be more concerned about other information saved to iCloud like my keychain. MDN keeps saying use keychain to store passwords but if that was breached then I would have the same security exposure as if I used 123456 for my bank password.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.