A forensics consultant and security researcher who analyzed metadata from leaked photos of Kate Upton said that the photos appear to have been obtained using software intended for use by law enforcement officials, reports Wired. The software, Elcomsoft Phone Password Breaker (EPPB), allows users to download a complete backup of all data on an iPhone once the victim's iCloud ID and password have been obtained.
If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages …
Effectively, an attacker can restore the victim's iPhone into a folder on a desktop, gaining more convenient access to everything they would get by restoring the backup to a new iPhone, without needing a device at all.
Although the $399 EPPB software created by a Moscow-based forensics company is intended to be sold only to law enforcement agencies, no credentials are required to purchase it, and pirate copies are also available on torrent sites.
On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB to download their victims’ data from iCloud backups.
There are even forum members who offer to obtain iPhone data for other people.
Many “rippers” on Anon-IB offer to pull nude photos on behalf of any other user who may know the target’s Apple ID and password. “Always free, fast and discreet. Will make it a lot easier if you have the password,” writes one hacker.
A report in the Daily Mail (via Business Insider) suggests that the man responsible for most of the leaked photos – who uses the handle OriginalGuy – was indeed a collector rather than a hacker.
“Guys, just to let you know I didn’t do this by myself. There are several other people who were in on it and I needed to count on to make this happened (sic). This is the result of several months of long and hard work by all involved. We appreciate your donations and applaud your excitement.”
The post above makes it clear that the naked celebrity photographs were assembled over a period of months by a team of collectors who specialized in valuable celebrity pornography.
The software still requires the attacker to obtain the Apple ID and password of the target. Apple has denied suggestions that a vulnerability in Find My iPhone was used for brute-force password attacks, but obtaining further celebrity email addresses would be easy once the contacts of one well-connected celebrity had been accessed. It is also possible, perhaps likely, that security questions whose answers were easy to guess or research were used.
Zdziarski notes that the software did not rely on any cooperation from Apple, but he thinks the company should make such access more difficult.
The Russian company’s tool, as Zdziarski describes it, doesn’t depend on any “backdoor” agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible.
One obvious step that Apple has not yet taken would be to require two-factor authentication before an iCloud backup can be restored to a device, or downloaded by anything impersonating one. At the time, a password alone was enough to pull the full backup, so the second factor protected the account settings but not the data that mattered most.