A law enforcement software tool played a key role in the iCloud hack that saw hundreds of nude celebrity photos released over the weekend, reports Wired.
It’s called Elcomsoft Phone Password Breaker. Built by Moscow-based forensics firm Elcomsoft, EPPB is designed to get around the protections on iOS devices and their backups so that law enforcement can pull data off suspects’ phones. But anyone who wants it can buy it without having to prove he or she works in law enforcement (prices range from $79 to $399), and pirated copies are readily available through torrent sites for free. There’s no real checkpoint to stop anyone who wants it from having it.
To perpetrate the hack that has since been termed “the fappening,” the attackers took advantage of a flaw in an iCloud login endpoint that neither throttled nor locked out repeated failed attempts, so a script called iBrute could keep guessing celebrity account passwords all day until one worked (Apple has since closed that weakness). Because EPPB can “impersonate” a phone once it holds the correct credentials, the attackers were able to download far more iCloud data than a guessed password alone would have given them. From Wired:
If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.
Access that broad also sets the stage for pivoting to other celebrity accounts: the contact lists and messages inside one victim’s backup are a ready source of email addresses and other details for choosing and targeting the next one.
It’s important to keep in mind that EPPB doesn’t work because of some formal agreement between Apple and Elcomsoft, but because Elcomsoft reverse-engineered the protocol Apple uses between iCloud and iOS devices. This has been done before: Wired specifically names two other computer forensics firms, Oxygen and Cellebrite, that have done the same thing. Still, EPPB seems to be a hacker’s weapon of choice, and as long as it is this readily accessible it is sure to remain so.
9to5Mac points out that much of this problem could be solved if Apple required two-factor authentication before an iCloud backup can be restored to a device. That would stop a guessed password from yielding a full backup, though on its own it would not stop the initial account takeover: as the Wired passage above notes, a password obtained with iBrute still opens the victim’s iCloud.com account and its photos, so the login endpoint also needs the lockout and rate limiting that were missing.