Hackers Using Government-Level Tools To Ill-Obtain iCloud Backups
This week’s headlines have been dominated by yet another incident involving the compromise of mobile devices, with several celebrities and news outlets naming Apple’s iCloud as the culprit in this particular sequence of events. But while the Cupertino company has, after an internal investigation, stepped forward and implied that private photos wouldn’t have leaked had two-step verification been in place, one reporter has done a little digging of his own and found that, in certain pockets of the Web, people are using law enforcement tools to snatch the iCloud backups of unwitting victims.
Apple’s two-step verification system is definitely the wisest course of action that any privacy-concerned party should take, but it was only this week that this was realized by the vast majority of the millions using the company’s cloud-based storage portal. The fact that this incident has occurred is, in many ways, a good thing, for it may prompt others – particularly celebrities – to bolster their security and help to prevent such images from spreading across the Web.
But while the victims mightn’t have taken the necessary precautions, the Web conceals a sinister underbelly of culprits using government-standard tools to hack iCloud backups. Although accounts are harder to break into when two-step verification is enabled, it’s alarming to learn how easily these intruders can get in using heavy-duty software, and perhaps even more disconcerting is the apparent prevalence of this invasive behavior.
Wired’s Andy Greenberg decided to saunter over to Anon-IB, an anonymous image board and source of some of the recent celebrity leaks. Therein, he discovered that some hackers discuss law enforcement-level software, including one tool in particular by the name of ElcomSoft Phone Password Breaker (EPPB).
In a nutshell, EPPB allows a user to snatch iCloud backups using an ill-obtained username and password, and certain members of Anon-IB not only offer specific instructions on how it’s done, but actively encourage others to share the stolen data.
Apparently, EPPB’s ability to download backups from iCloud or Photo Stream is unaffected by two-step verification once a username and password are in hand, but by the same token, using two-step verification and a strong password may prevent an intruder from obtaining the necessary credentials in the first place.