Hackers Using Same Tools As Police To Hack Into iCloud Accounts

We still don't know exactly how the celebrities' iCloud accounts were hacked. One reason is that the accounts may have been hacked in different ways, making it hard to pinpoint a single method. Some of the actresses may have had their iCloud passwords brute forced directly (which is what Apple claims). Others may have had their Dropbox passwords stolen, which the hackers then used either to get the photos from Dropbox or to log into the iCloud accounts. Still others may have had weak security questions that were easily guessed and then used to get access to the accounts, and so on.

One scary method that seems to still be working, according to some hackers, is using forensics tools like the ones the police use all the time to hack into phones (with or without a warrant, although a recent court ruling said the police need a warrant to do it).

This brings us to something authorities have supported for years: the idea that if you can only give back doors or vulnerabilities to the "good guys", then everything will be fine. But time and time again we learn that these very same vulnerabilities or back doors can and will be used by the "bad guys", too. If there's an open door in a house that's "meant for the good guys", there's nothing stopping the bad guys from finding it and entering the house, too. It's the same with software.

One piece of software that's being sold by a Russian company to government agencies all over the world as a forensics tool is called the Elcomsoft Phone Password Breaker (EPPB). Forensics tools are typically used when the device is already in the possession of the people doing the data extraction, but EPPB seems to be able to extract all the data from an iOS device remotely by impersonating the device itself, as long as an interested party already has the user's iCloud credentials.

EPPB is not the only forensics tool out there that can obtain data from iOS devices. One from Oxygen, for example, promised to take advantage of the recently discovered "iOS back doors," just weeks after the flaws were revealed. The tool could obtain data such as SMS, pictures and videos, but also instant messages from other third-party apps.

If Apple is serious about the security of its users, it will need to close any loopholes in its software and operating systems. In order to do this, Apple will need to pay much closer attention to companies offering such forensics tools and try to make those tools obsolete as soon as possible, noting well the "features" they offer for cracking iOS devices. This way Apple can make sure another major hack of iCloud accounts or iOS devices is much less likely to happen in the future, but the same strategy can also stop many other, perhaps less popular, attacks against regular (that is, non-celebrity) individuals.

Devices or services can never be 100 percent secure, and it's true that often the user bears some fault for using weak security, but Apple can also be more proactive about protecting its users.

Comment from the forums
  • dovah-chan
    Okay it's pretty clear just by the age of some pictures and the devices that were used to take them that they were not on the iCloud. Apple has denied that such an exploit exists and has been discovered. This is different from a phishing scam or some weak passwords when you have a humongous list of celebrities with a collection of pictures, some being years old.

    It appears that these pictures were dumped from users of a secret trading ring of celebrity nudes. Someone must've shared with someone who then proceeded to share with others and then all hell broke loose and the others decided to say why not and share as well.

    I think the iCloud nonsense is a hoax. This runs into a very different source just based on the evidence provided by the metadata in the pictures themselves.
  • ubercake
    Funny. A brand-new Apple press release is saying the leaked photos of the stars are fakes and they weren't from hacked accounts.
  • Anonymous
    But but but... the police told me it was a good thing for them to have back doors!

    Imagine what happens when someone hacks Intel's Active Management Technology. vPro doesn't sound too smart now, does it?