from wired.com: As nude celebrity photos spilled onto the web over the weekend,
blame for the scandal has rotated from the scumbag hackers who stole
the images to a researcher who released a tool used to crack victims’
iCloud passwords to Apple, whose security flaws may have made that
cracking exploit possible in the first place. But one step in the
hackers’ sext-stealing playbook has been ignored—a piece of software
designed to let cops and spies siphon data from iPhones, which is instead
being used by pervy criminals themselves.
On the web forum Anon-IB, one of the most popular anonymous image
boards for posting stolen nude selfies, hackers openly discuss using a
piece of software called EPPB or Elcomsoft Phone Password Breaker to
download their victims’ data from iCloud backups. That software is sold
by Moscow-based forensics firm Elcomsoft and intended for government
agency customers. In combination with iCloud credentials obtained with
iBrute, the password-cracking software for iCloud released on Github
over the weekend, EPPB lets anyone impersonate a victim’s iPhone and
download its full backup rather than the more limited data accessible on
iCloud.com. And as of Tuesday, it was still being used to steal
revealing photos and post them on Anon-IB’s forum.
“Use the script to hack her passwd…use eppb to download the backup,”
wrote one anonymous user on Anon-IB explaining the process to a
less-experienced hacker. “Post your wins here ;-)”
Apple’s security nightmare began over the weekend, when hackers began
leaking nude photos that included shots of Jennifer Lawrence, Kate
Upton, and Kirsten Dunst. The security community quickly pointed fingers
at the iBrute software, a tool released by security researcher Alexey
Troshichev designed to take advantage of a flaw in Apple’s “Find My
iPhone” feature to “brute-force” users’ iCloud passwords, cycling
through thousands of guesses to crack the account.
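The flaw iBrute exploited, as the article describes it, was an endpoint that kept evaluating password guesses by the thousand without ever locking the account. The following example is added here (constructed for this page; not code from Apple, iBrute or Elcomsoft) and models that exposure in Python: one toy login endpoint with no lockout and the same endpoint with a failure counter and lockout window, plus a check of how many guesses each actually evaluates. The account name, password, wordlist size and thresholds are all constructed sample values.

```python
"""Model of the brute-force exposure described above: a login endpoint that
evaluates unlimited password guesses versus one that locks the account after
repeated failures. Constructed example; not Apple's, iBrute's or EPPB's code."""
from collections import defaultdict, deque

# Constructed sample credential store with a single account.
ACCOUNTS = {"victim@example.com": "hunter2-correct-horse"}


class AuthEndpoint:
    """max_failures=None reproduces an endpoint with no lockout at all."""

    def __init__(self, max_failures=None, window_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}              # account -> unlock time

    def login(self, user, password, now):
        if self.locked_until.get(user, -1) > now:
            return "locked"  # rejected before the password is even checked
        if ACCOUNTS.get(user) == password:
            self.failures[user].clear()
            return "ok"
        q = self.failures[user]
        q.append(now)
        while q and q[0] <= now - self.window:  # forget failures outside window
            q.popleft()
        if self.max_failures is not None and len(q) >= self.max_failures:
            self.locked_until[user] = now + self.window
            q.clear()
        return "fail"


def guessing_campaign(endpoint, user, wordlist, secs_per_try=0.1):
    """Feed a wordlist to the endpoint and report how many guesses it actually
    evaluated and whether the account fell. The wordlist is constructed; the
    point is the endpoint's behaviour, not the strength of the password."""
    evaluated = 0
    for i, guess in enumerate(wordlist):
        result = endpoint.login(user, guess, now=i * secs_per_try)
        if result == "fail":
            evaluated += 1
        elif result == "ok":
            return evaluated + 1, "compromised"
    return evaluated, "not compromised"


# Constructed wordlist: 5000 wrong guesses followed by the right one.
WORDLIST = [f"password{i}" for i in range(5000)] + ["hunter2-correct-horse"]
```

Against the unthrottled endpoint every one of the 5001 guesses is evaluated and the account is compromised; with a five-failure lockout only five guesses are ever checked and the rest are refused for the whole window.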
If a hacker can obtain a user’s iCloud
username and password with iBrute, he or she can log in to the victim’s
iCloud.com account to steal photos. But if attackers instead impersonate
the user’s device with Elcomsoft’s tool, the desktop application allows
them to download the entire iPhone or iPad backup as a single folder,
says Jonathan Zdziarski, a forensics consultant and security researcher.
That gives the intruders access to far more data, he says, including
videos, application data, contacts, and text messages.
On Tuesday afternoon, Apple issued a statement calling the security
debacle a “very targeted attack on user names, passwords and security
questions.” It added that “none of the cases we have investigated has
resulted from any breach in any of Apple’s systems including iCloud® or
Find my iPhone.”
But the conversations on Anon-IB make clear the photo-stealing
attacks aren’t limited to a few celebrities. And Zdziarski argues that
Apple may be defining a “breach” as not including a password-guessing
attack like iBrute. Based on his analysis of the metadata from leaked
photos of Kate Upton, he says he’s determined that the photos came from a
downloaded backup that would be consistent with the use of iBrute and
EPPB. If a full device backup was accessed, he believes the rest of the
backup’s data may still be possessed by the hacker and could be used for
blackmail or finding other targets. “You don’t get the same level of
access by logging into someone’s [web] account as you can by emulating a
phone that’s doing a restore from an iCloud backup,” says Zdziarski.
“If we didn’t have this law enforcement tool, we might not have the
leaks we had.”
Elcomsoft is just one of a number of forensics firms like Oxygen and
Cellebrite that reverse engineer smartphone software to allow government
investigators to dump the devices’ data. But Elcomsoft’s program seems
to be the most popular among Anon-IB’s crowd, where it’s been used for
months prior to the most current leaks, likely in cases where the hacker
was able to obtain the target’s password through means other than
iBrute. Many “rippers” on Anon-IB offer to pull nude photos on behalf of
any other user who may know the target’s Apple ID and password. “Always
free, fast and discreet. Will make it a lot easier if you have the
password,” writes one hacker with the email address email@example.com.
“Willing to rip anything iclouds – gf/bf/mom/sister/classmate/etc!!
Pics, texts, notes etc!”
One of Anon-IB’s rippers who uses the handle cloudprivates wrote in
an email to WIRED that he or she doesn’t consider downloading files from
an iCloud backup “hacking” if it’s done on behalf of another user who
supplies a username and password. “Dunno about others but I am too lazy
to look for accounts to hack. This way I just provide a service to
someone that wants the data off the iCloud. For all I know they own the
iCloud,” cloudprivates writes. “I am not hacking anything. I simply copy
data from the iCloud using the user name and password that I am given.
Software from elcomsoft does this.”
Elcomsoft’s program doesn’t require proof of law enforcement or other
government credentials. It costs as much as $399, but bootleg copies
are freely available on bittorrent sites. And the software’s marketing
language sounds practically tailor-made for Anon-IB’s rippers.
“All that’s needed to access online backups stored in the cloud
service are the original user’s credentials including Apple
ID…accompanied with the corresponding password,” the company’s website
reads. “Data can be accessed without the consent or knowledge of the
device owner, making Elcomsoft Phone Password Breaker an ideal solution
for law enforcement and intelligence organizations.”
Elcomsoft didn’t respond to a request for comment.
On Monday, iBrute creator Troshichev noted that Apple had released an
update for Find My iPhone designed to fix the flaw exploited by iBrute.
“The end of fun, Apple have just patched,” he wrote on Github. But
Anon-IB users continued to discuss stealing data with iBrute in
combination with EPPB on the forum Tuesday, suggesting that the fix has
yet to be applied to all users, or that stolen credentials are still
being used with Elcomsoft’s program to siphon new data. Apple didn’t
immediately respond to WIRED’s request for further comment, though it
says it’s still investigating the hack and working with law enforcement.
For Apple, the use of government forensic tools by criminal hackers
raises questions about how cooperative it may be with Elcomsoft. The
Russian company’s tool, as Zdziarski describes it, doesn’t depend on any
“backdoor” agreement with Apple and instead required Elcomsoft to fully
reverse engineer Apple’s protocol for communicating between iCloud and
its iOS devices. But Zdziarski argues that Apple could still have done
more to make that reverse engineering more difficult or impossible.
“When you have third parties masquerading as hardware, it really
opens up a vulnerability in terms of allowing all of these different
companies to continue to interface with your system,” he says.
“Apple could take steps to close that off, and I think they should.”
The fact that Apple isn’t complicit in law enforcement’s use of
Elcomsoft’s software for surveillance doesn’t make the tool any less dangerous,
argues Matt Blaze, a computer science professor at the University of
Pennsylvania and frequent critic of government spying methods. “What
this demonstrates is that even without explicit backdoors, law
enforcement has powerful tools that might not always stay inside law
enforcement,” he says. “You have to ask if you trust law enforcement.
But even if you do trust law enforcement, you have to ask whether other
people will get access to these tools, and how they’ll use them.”