Hackers Using Same Tools As Police To Hack Into iCloud Accounts

We still don't know exactly how the iCloud accounts of celebrities were hacked. One reason is that the accounts may have been compromised in different ways, making it hard to pinpoint a single method. Some of the actresses may have had their iCloud passwords brute-forced directly (which is what Apple claims), while others may have had their Dropbox passwords stolen, which the hackers then used either to get the photos from Dropbox or to log into the iCloud accounts. Others may have had weak security questions that were easily guessed and then used to get access to the accounts, and so on.

One scary method that still seems to work, according to some hackers, is using forensics tools like the ones the police use all the time to hack into phones (with or without a warrant, although a recent court ruling said the police need a warrant to do it).

This brings us to something authorities have supported for years: the idea that if you give back doors or vulnerabilities only to the "good guys", then everything will be fine. But time and time again we learn that these very same vulnerabilities or back doors can and will be used by the "bad guys", too. If there's an open door in a house that's "meant for the good guys", there's nothing stopping the bad guys from finding it and entering the house, too. It's the same with software.

One piece of software that's being sold by a Russian company to government agencies all over the world as a forensics tool is called the Elcomsoft Phone Password Breaker (EPPB). Forensics tools are typically used when the device is already in the possession of the people doing the data extraction, but EPPB seems to be able to extract all the data from an iOS device remotely by impersonating the device itself, as long as an interested party already has the user's iCloud credentials.

EPPB is not the only forensics tool out there that can obtain data from iOS devices. One from Oxygen, for example, promised to take advantage of the recently discovered "iOS back doors," just weeks after the flaws were revealed. The tool could obtain data such as SMS, pictures and videos, but also instant messages from other third-party apps.

If Apple is serious about the security of its users, it will need to close any loopholes in its software and operating systems. In order to do this, Apple will need to pay much closer attention to companies offering such forensics tools and try to make those tools obsolete as soon as possible, noting well the "features" they offer for cracking iOS devices. This way Apple can make sure another major hack of iCloud accounts or iOS devices is much less likely to happen in the future, but the same strategy can also stop many other, perhaps less popular, attacks against regular (that is, non-celebrity) individuals.

Devices or services can never be 100 percent secure, and it's true that often the user bears some fault for using weak security, but Apple can also be more proactive about protecting its users.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • dovah-chan
    Okay it's pretty clear just by the age of some pictures and the devices that were used to take them that they were not on the iCloud. Apple has denied that such an exploit exists and has been discovered. This is different from a phishing scam or some weak passwords when you have a humongous list of celebrities with a collection of pictures, some being years old.

    It appears that these pictures were dumped from users of a secret trading ring of celebrity nudes. Someone must've shared with someone who then proceeded to share with others and then all hell broke loose and the others decided to say why not and share as well.

    I think the iCloud nonsense is a hoax. This runs into a very different source just based on the evidence provided by the metadata in the pictures themselves.
  • ubercake
    Funny. A brand-new Apple press release is saying the leaked photos of the stars are fakes and they weren't from hacked accounts.
  • But but but... the police told me it was a good thing for them to have back doors!

    Imagine what happens when someone hacks Intel's Active Management Technology. vPro doesn't sound too smart now, does it?
  • dovah-chan
    14098371 said:
    Funny. A brand-new Apple press release is saying the leaked photos of the stars are fakes and they weren't from hacked accounts.

    They are definitely not fake. You just can't look through all those photos and call them fake; especially when there are clear as day videos that I've seen myself with celebrities in them. Not to mention any geodata that are in the photos. I'm not belittling these people at all for having a private life. As a woman myself I value my privacy and am a bit offended at how people are reacting to this but that's beside the point. But it doesn't make any sense how they just mention iPhones anyway since not all of these people use an iPhone. I'm sure some of them have never even owned one.
  • house70
    Let's see... iCloud hacked and photos leaked... uploaded from mobile devices that use iCloud as backup... Yeah, they did use iPhones.
    Not all celebs use iPhones, I'll give you that, but all these pics were uploaded by iPhone people.
  • dovah-chan
    14098696 said:
    Let's see... iCloud hacked and photos leaked... uploaded from mobile devices that use iCloud as backup... Yeah, they did use iPhones.
    Not all celebs use iPhones, I'll give you that, but all these pics were uploaded by iPhone people.

    http://puu.sh/bjR09/3e8fc11a27.jpg

    Obviously that big phone with the huge camera just screams iPhone.
  • Amdlova
    It's why I have pictures of places, not people.
  • spentshells
    Please have a new article when Sofia Vergara photos show up.
  • Zepid
    But this article is 100% false. I hate Apple as much as the next rational oxygen-breathing lifeform but these were a result of social engineering. Not even that, none of these users had two-factor authentication on. When you can get the e-mail from a Facebook account and the name of your first dog to pass the password reset there isn't much else left up to gaining access. You just have to find the weakest link. Usually it is an outside party like e-mail or Facebook.

    In fact, the whole "hack" was thoroughly documented by the group of users who perpetrated it, they documented the entire process and posted it leading up to the leaks. How news outlets manage to get this wrong despite those people taking credit and documenting it is beyond me. Apple's story syncs up with this fact.
  • koga73
    From what I heard the hackers were able to simply run a dictionary against the FindMyiPhone API. Specifically an endpoint that wasn't protected from brute-force attacks. This seems completely plausible to me. Once the hackers figure out the password, accessing iCloud with it should be simple.

    In regards to old "deleted" images, if iPhone backups were stored on iCloud then it's completely possible a hacker may have recovered the deleted images from an old backup.