Apple on Tuesday confirmed that various celebrities using iPhones have had their iTunes accounts hacked by third parties who managed to steal sensitive information including nude pictures and videos, but revealed that a massive iCloud security issue isn’t to blame. Instead, attackers used other means of associating user names and passwords to get into their targets’ iCloud accounts. Wired has learned more details about the massive hack, revealing that a law enforcement tool may have been used in the attacks.
The compromising data theft has been denied by some of the many celebrities affected, although others, including actress Jennifer Lawrence, confirmed that the nude pictures that have been posted online are genuine.
To grab them, as well as videos and other compromising data on a phone, hackers have apparently used a software tool called Elcomsoft Phone Password Breaker (EPPB) to download data from iCloud backups, likely after using a tool to actually guess the password of a certain user, such as the recently revealed iBrute tool that could have been used for brute force attacks on iCloud accounts.
The EPPB program, developed by Russian forensics company Elcomsoft, can be used to break into any iOS device and is mainly destined to reach the hands of law enforcement, but the company doesn’t perform checks on whether a buyer comes from such agencies. Moreover, the software is rather affordable at $399, not to mention that illegal copies can be downloaded from torrent sites by anyone interested in actually using it.
“All that’s needed to access online backups stored in the cloud service are the original user’s credentials including Apple ID…accompanied with the corresponding password,” Elcomsoft’s website reads. “Data can be accessed without the consent of knowledge of the device owner, making Elcomsoft Phone Password Breaker an ideal solution for law enforcement and intelligence organizations.”
Once EPPB is used, an attacker can get into a person’s iTunes account, and perform a restore from iCloud backup that would give him or her access to everything on the iPhone, including pictures, videos, notes, contacts and more.
Security researcher Jonathan Zdziarski, who recently questioned some of the security-related practices at Apple when it comes to iOS devices, has analyzed the meta data of the pictures published online, revealing that the photos likely come from a downloaded backup, as obtained with an EPPB-like piece of software.
“You don’t get the same level of access by logging into someone’s [web] account as you can by emulating a phone that’s doing a restore from an iCloud backup,” Zdziarski said. “If we didn’t have this law enforcement tool, we might not have the leaks we had.”
It’s important to note that these law enforcement tools that can be used to retrieve data from an iPhone work regardless of whether Apple consents or not, as they only have to reverse engineer Apple’s protocol for communicating between iCloud and iOS devices to get access, rather than rely on any backdoor in iOS.