Celeb hacking tapped law enforcement tools to gain access to data inside device backups

By , Sep 3, 2014


The alleged iCloud hacking, which has resulted in a massive leak of hundreds of revealing celebrity photos, was most likely made possible by attackers reportedly using a piece of software that law enforcement officials rely on to siphon data from iOS device backups, Wired reported last night.

Rather than stopping at a user’s iCloud username and password obtained through brute-force attacks, the article points to web forum reports that describe using specialized software called Elcomsoft Phone Password Breaker (EPPB) to impersonate the user’s device and obtain the full device backup, which holds data like photos, videos, application data, contacts, text messages and more.

EPPB by Moscow-based Elcomsoft is typically used by law enforcement to gain access to a suspect’s iOS devices. Based on an analysis of the metadata from leaked photos of Kate Upton performed by forensics consultant and security researcher Jonathan Zdziarski, the celebrity leaks might not have been possible without a tool like EPPB.

“You don’t get the same level of access by logging into someone’s [web] account as you can by emulating a phone that’s doing a restore from an iCloud backup,” says Zdziarski. “If we didn’t have this law enforcement tool, we might not have the leaks we had.”

Makers of the $399 tool reverse-engineered Apple’s protocol for communicating between iCloud and iOS devices, yet no credentials are required to purchase this sophisticated software, which is also freely available on BitTorrent sites.

Worse, hackers on the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, are even offering to pull nude photos on behalf of anyone who knows the target’s Apple ID and password.

Here’s a quick overview of EPPB.

Elcomsoft Phone Password Breaker (compatibility chart)

In an effort to play down the PR crisis on its hands, Apple yesterday issued a media advisory attributing the leak to a “very targeted attack” and insisting that iCloud security has not been compromised.

This “very targeted attack” on user names, passwords and security questions has “become all too common” on the Internet, Apple said, adding that none of the cases they’ve investigated “has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone”.

Here’s Conan O’Brien’s take on the matter in an NSFW video below.

Long story short, Find My iPhone wouldn’t lock out a user’s Apple ID account after several unsuccessful attempts to guess the password, which provided a convenient attack vector for nefarious users. Soon after the discovery was made public, Apple patched this hole, so Find My iPhone now locks the account after five unsuccessful attempts to guess the password.
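To make the difference concrete, here is an added example (not code from the article, Apple or Elcomsoft) of a toy login service with a per-account failed-attempt counter. Run with `max_failures=None` it models the pre-fix behaviour, where guessing can continue indefinitely; with the default of five it models the patched behaviour, where the account locks and even the right password is refused afterwards. The account name and password are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, List
import hmac


@dataclass
class AuthService:
    """Toy password check with a per-account lockout counter (added example)."""
    passwords: Dict[str, str]              # account -> password, constructed sample data
    max_failures: Optional[int] = 5        # None models the pre-fix endpoint: no lockout
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def login(self, account: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'.

        A locked account rejects every attempt, including the correct password,
        until an out-of-band reset; that is what stops online guessing.
        """
        if account in self.locked:
            return "locked"
        expected = self.passwords.get(account, "")
        # Constant-time comparison so timing does not leak partial matches.
        if expected and hmac.compare_digest(expected, password):
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.max_failures is not None and self.failures[account] >= self.max_failures:
            self.locked.add(account)
            return "locked"
        return "denied"


def simulate_guessing(service: AuthService, account: str, guesses: List[str]) -> List[str]:
    """Feed a list of guesses to the service and return the outcome of each attempt."""
    return [service.login(account, g) for g in guesses]


if __name__ == "__main__":
    wordlist = ["123456", "password", "qwerty", "letmein", "iloveyou", "welcome", "correct horse"]
    pre_fix = AuthService({"sample@example.com": "correct horse"}, max_failures=None)
    print("no lockout:", simulate_guessing(pre_fix, "sample@example.com", wordlist))
    patched = AuthService({"sample@example.com": "correct horse"})
    print("lock after 5:", simulate_guessing(patched, "sample@example.com", wordlist))
```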

Apple ID disabled (screenshot)

The seriousness of the celebrity breach is illustrated by the fact that the FBI is involved in the investigation as Apple continues to “work with law enforcement to help identify the criminals involved”.

The attack seems to have been targeted at female celebrities, most notably Jennifer Lawrence. For the sake of completeness, such an attack would have been rendered difficult, if not downright impossible, had the victims used a strong password and enabled two-factor authentication on their Apple ID.

Elcomsoft Phone Password Breaker (screenshot)

If you have developed an interest in online security, I wholeheartedly recommend checking out Anna North’s excellent opinion piece over at The New York Times, titled ‘Why We Care About Privacy’.

Coincidentally or not, Apple yesterday updated its App Store guidelines for iOS development to ensure that third-party apps are not permitted to share user data acquired via HealthKit without user consent, nor to use it for advertising or other data-mining purposes.

[Wired]

  • @dongiuj

    Law enforcers leaked the photos. When do you become a suspect or when are you not classed as a suspect for “law enforcers” not to hack into your private life? Or maybe Apple leaked these photos so they can say that celebrities are using their phones and knowing that this software is out there being used by “law enforcers” to divert the blame away from Apple?…. Either way, good marketing for Apple perhaps? Maybe not?…

    • TechLove

      ……………….RIP……………….
      …..BRAIN OF @dongiuj…..
      …………03-09-2014…………

      *facepalm*

      • http://www.eazycomputers.com/ PhoneTechJay

        09/03/2014 for me.. I almost got confused lol

      • TechLove

        Edited just for you, bro. :’)

      • http://www.eazycomputers.com/ PhoneTechJay

        No, keep it.. it makes my post useless lol.

  • Mads Teland

    I did hear that if you used iCloud Control Panel on Windows, it was possible to change and sync without two-step authorization while you have it.

    • https://twitter.com/MrElectrifyer MrElectrifyer

      Sounds like another bug…report it to Apple and let’s see if they’ll listen this time or play the same old “we’re deaf until it makes headlines” policy.

  • Tony Trenkle Jr.

    So you just gave us the link to the tool that the hackers used? So for less than a cost of an iPad we can now do the same thing? Probably not the best idea.

  • http://www.liam-merlyn.co.uk/ ConduciveMammal

    It still begs the question as to how they found the backups, it’s not like they can just search the database for “Jennifer Lawrence backup”

    • Barnez Hilton

      You still need the Apple user ID which would link to the account.
      You make a fake app with an account process, and entice them to log in or sign up, then try the info they use stored in your user database to hack other sites. Most people re-use the same passwords.

    • Hugh Jassol

      From what I read, it sounds like they simply used the findmyiphone vulnerability to gain their passwords then used the EPPB tool to download their backups.

      If this is in fact the case, then yesterday’s statement from Apple suggesting that their systems weren’t compromised is just trying to deflect from their role in letting the attack occur, especially since they ironically fixed the findmyiphone vulnerability after the attack.

      While it may be theoretically true that their systems weren’t breached, the fact that they left this findmyiphone vulnerability, even after it was supposedly brought to their attention, DOES put some of the onus on Apple.

      I will have to read more about this.

    • Waleed

      Actually, getting someone’s iCloud email address is not hard..
      So that email could be used on that tool to recover the password and get the backup data. Damn weird

  • toortoor

    And where is the proof?
    Many people just make speculations and assumptions and report them as facts, which is just disappointing.
    OK, iCloud backups were accessed, but even with this software (which by the way your article seems to be promoting by going into its details), you do need to know the Apple ID & pass of the victim,
    ergo you must have obtained the ID & pass beforehand, which again is assumed to have been done by brute-force and more specifically “ibrute”.
    One must have access to government level equipment to run an attack on this “scale”, involving “this many” people, and we still don’t know the full scope of the attack because only some revealing photos of female celebs were released.

  • Sgt. ThroatPunch

    It is terrible that this has happened. On the other side, I won’t complain about seeing JLaw’s tits.