A forensics consult and security researcher who analyzed metadata from leaked photos of Kate Upton said that the photos appear to have been obtained using software intended for use by law enforcement officials, reports Wired. The software, Elcomsoft Phone Password Breaker (EPPB), allows users to download a complete backup of all data on an iPhone once the iCloud ID and password have been obtained.
If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consult and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages …
Effectively, an attacker can restore an iPhone to a folder, allowing them more convenient access to everything they would get by restoring to a new iPhone.
Although the $399 EPPB software created by a Moscow-based forensics company is intended to be sold only to law enforcement agencies, no credentials are required to purchase it, and pirate copies are also available on torrent sites.
On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB to download their victims’ data from iCloud backups.
There are even forum members who offer to obtain iPhone data for other people.
Many “rippers” on Anon-IB offer to pull nude photos on behalf of any other user who may know the target’s Apple ID and password. “Always free, fast and discreet. Will make it a lot easier if you have the password,” writes one hacker.
A report in the Daily Mail (via Business Insider) suggests that the man responsible for most of the leaked photos – who uses the handle OriginalGuy – was indeed a collector rather than a hacker.
“Guys, just to let you know I didn’t do this by myself. There are several other people who were in on it and I needed to count on to make this happened (sic). This is the result of several months of long and hard work by all involved. We appreciate your donations and applaud your excitement.”
The post above makes it clear that the naked celebrity photographs were assembled over a period of months by a team of collectors who specialized in valuable celebrity pornography.
The software still requires the hacker to obtain the Apple ID and password of the target. Apple has denied suggestions that a vulnerability in Find My iPhone was used for brute-force password attacks, but obtaining further celebrity email addresses would be easy once the contacts of one well-connected celebrity have been accessed. It is also possible, perhaps likely, that easy-to-guess or research security questions were used.
Zdziarski notes that the software did not rely on any cooperation from Apple, but he thinks the company should make such access more difficult.
The Russian company’s tool, as Zdziarski describes it, doesn’t depend on any “backdoor” agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible.
One obvious step that Apple has not yet made would be to require two-factor authentication before restoring an iCloud backup to a device.
The FBI is currently leading the investigation into the leaked photos. Meantime, the full article over on Wired is worth reading.
FTC: We use income earning auto affiliate links. More.
“But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible.”
Right here, that last word that he used.. He made some sense until that last word.. Any security pro knows that ‘impossible’ is NOT going to happen.. ever.. Apple can, and after this, likely will dedicate more people to focus on making it more difficult.. but Zdziarski just lost credibility with me when he implied it was even possible or an option for Apple or ANYONE to make something like this impossible to hack.. Can’t happen..
If it’s connected to the NET, it’s hackable.. Period. Only way to keep that from happing to any system is to pull it from the internet. They can speed up security development, throw more money into it, but impossible is never, ever, never going to happen..
Then their is the question of balancing user ease and usability and security.. Sure, you can force 2 factor .. even increase options to 3 or even 4 factor auth.. but the more layers you add, the less likely people will use the security at all..
Simple fact of life is people will accept a lower level of security to make their lives easier. These scandals will get a few to look harder, but only for a short time…
Agree – impossible is impossible …
Totally agree.
It will never be impossible.
As long as somebody can use something like WireShark, monitors all network traffic whilst an iPhone is restoring properly, they can copy the process and create a tool that automates it (and stores it in a folder), just like this one does, it will always be possible.
The reason two factor authentication is not required for backups is because if a user only had one device, and they were restoring a backup to that device, there is no way they could authenticate, as the device in question is not setup.
And agreed, people do not treat security with enough priority, and will choose easy to guess passwords for convenience.
Well said, completely true, and probably way over the heads of most people that will view this as “Apple got hacked.”
Zdziarski is an anti-government gavel pounder yet provides police departments federal and state with tools like this capable and marketed as something that they can do whatever they want with. I find him completely untrustworthy as a person, and I don’t really trust anything he says because he’s such a horrific hypocrite. I used to like reading his site back when he was a big part of the jailbreaking scene, but once he started talking about all the great tools he provides that the government can and will use to violate the rights of people without fail I no longer have any reason to take anything he says as having value.
Interesting to observe that over the last 10 to 20 years, the majority of illegal/harmful hacking across the world is mostly carried out by young people from socialist and communist nations, proving yet again, that repressive state based societies breed criminals, rather than morally upstanding entrepreneurs – the direct opposite of US culture, where people are (on the whole, outside the pharmaceutical, cellular network and energy industries), motivated by the desire to create great products and services, with profit purely based on how good they are at execution and support.
Moscow based. Says it all really. And the NSA are also state run, so it was not the private sector committing such breaches of privacy.
I feel like you’re missing a link in your logic. How does the fact that these malicious hackers have a tendency to come from these nations actually prove that the repressive governments are the cause?
By your logic, we could similarly say: “It is interesting to observe that the majority of illegal / harmful hacking is carried out by young people from the Asian continent, this proves yet again that living on a large continent breeds criminals.”
Correlation does not equal causation.
Does anyone know if this applies only if you are backing up to iCloud? It isn’t clear whether this pulled from the user’s actual iCloud backup (via the ‘backup to iCloud’ feature), or if it pulls the associated user content stored in the cloud in general.
Another way to ask this — if I’m only doing local encrypted backups of my iPhone (only to my computer, not iCloud backup), is Elcomsoft’s tool still able to pull all of that data on me just based on what Apple generally stores in iCloud?
Apple should shut down an account after a certain number of failed attempts to login and contact the account’s owner. An automated call or text would be sufficient.
That would flood Applecare or the stores with people who do not remember their password, security questions, lied about their birthdate and don’t remember the lie, and have no rescue email.
F that.
I’d much rather have a secure account than an inconvenienced Apple. We pay a premium price and have come to expect premium service. So far Apple has been good about providing it, why should they not be expected to continue?
There is apparently an even more fundamental flaw with Apple’s security. I was inclined to dismiss this as a social engineered attack and move on. Pretty much giving Apple a pass since they can’t do anything about people handing out their passwords or using weak ones.
However, I then ran across a link to an excellent article by Nik Cubrilovic about it at https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/
There is apparently some fault on Apple’s fault. And as they move into financial and health data with iOS8 they had better take a good look at their entire security system.
I have always been dubious of security questions anyway. Advice 101 on passwords is don’t use personal information, but what good is a 128 character long random password if it can be defeated by answering two or three questions regarding, seldom private, personal information?
And this isn’t just an Apple issue.
When asked (by, for example, your bank) for personal data, there is no reason you need respond accurately. If the site asks “what was your maternal grandmother’s name” or “what was the color of your first car” — both of which might be discoverable by careful snooping—create a false answer to be stored with your account. As long as you keep answering the security question the same, you’ll be able to log on. But the thief who searches for data about you, on Facebook, Linkdin, etc, will be kept out even through they have the real correct answers to the security questions.
Just made that very same point in an article I’m about to post :-)
http://9to5mac.com/2014/09/03/opinion-after-the-celebrity-hacks-the-vulnerability-that-still-exists-and-what-needs-to-be-done/
The big problem is that a lot of places require you to change your password frequently. People don’t remember all of those passwords due to restrictions on how complex they have to be. They get too complex for the person to remember.
Sheesh.
It is disturbing how users still don’t manage their accounts. About a month ago the international headlines were that Russian hackers amassed over a billion accounts from countless mom and pop service providers. The majority of these articles gave good advise on how to protect oneself.
But clearly millions of people ignore these warnings and continue to share passwords among providers AND ignore the call to change their passwords.
Is this the users fault? No. Could the user protect themselves much better? Yes.
You would be shocked on how lax people are with that. It doesn’t matter if it’s ios, android, PC, or Mac.
You can’t access your photos stored in iCloud by logging into iCloud.com
1- You need to have an iDevice or a Mac to directly access them from an image edit/preview app that is integrated with the iCloud.
2- Get an iDevice and boot it for the first time and use the ‘hacked’ iCloud account to login and install the back-up on the iDevice. Afterwards, get an iTunes to back-up the data on the iDevice into computer.
Finally, you will have the account owner’s back-up content in your computer ready for you un-archive it.
Although there is one other option that I am wondering as in how it relates with this whole back-up compromise and cracking: Normally in iTunes, you have the choice of encrypting your back-ups with a password of your choice so that if any of your accounts or devices get compromised, the said hacker would very well need to compromise the password for the back-up as well.
Can’t Apple incorporate this very form of separate encryption to iCloud back-ups to strengthen their security-architecture?
Or do they already have it?