Software That Could Have Been Used To Hack Celebs Is Available To Anyone

Software That Could Have Been Used to Hack Celebs Is Available to Anyone

By now you've heard about the massive cache of nude photos that internet scumbags stole from a number of female celebrities. Now, researchers are learning more about how the perv-hackers may have done it: using a password-cracking software designed for police, but available online to anyone who seeks it.

Over at Wired, Andy Greenberg explains the full story behind Elcomsoft Phone Password Breaker, or EPPB. The Russian-built software makes it possible to download the entire contents of an iCloud account -- not just the photos stored to an iCloud account, but a full backup of the entire device.

The method is astoundingly simple: First, hackers use iBrute, an iCloud password-cracking software released over the weekend and still readily available to those who seek it, to get a user's login and password. Once the attacker is logged in to an iCloud account, EPPB convinces iCloud that the device the hacker is using is the victim's iPhone, allowing the hacker to download a full system backup. Just check out Elcomsoft's description of the software's capabilities:

Now your investigation has access to all the secrets stored in iOS, including such highly sensitive data as contacts, call logs, emails, location history, WiFi usernames and passwords, websites, social networking accounts, instant messengers, and more. You can also make a full copy of the device and analyse it in specialised third party software. Getting evidence is easy with the Elcomsoft iOS toolkit.

EPPB was designed, ostensibly, for government agencies. But over at Wired, Greenberg waded into Anon-IB, an anonymous forum where scumbags trade nude photos stolen using EPPB. The software maker doesn't require any form of government credentials to download, and even if the $US400 price tag throws some hackers off, bootleg copies are widely available.

Apple maintains that the this weekend's celebrity nude theft was a targeted attack, rather than an exploitation of security shortcomings in iCloud. But just yesterday, Apple released an update to Find My iPhone purported to fix the flaws that allowed iBrute to work -- though as Greenberg mentions, Anon-IB chatter suggests that the fix hasn't fully stopped the dirtbags yet. Security researcher Jonathan Zdziarski analysed the metadata included in one of the leaked photos, and told Wired it's consistent with the use of iBrute and EPPB. What's more, that means the thieves who stole the photos could be in possession of even more info than previously thought.

It's frightening enough to think that law enforcement agencies can pry open your locked data without you knowing it. The fact that anyone with the requisite savvy can use those exact same tools is just astounding. [Wired]

Image: Screenshot from YouTube



    that internet scumbags stole

    I find it interesting how you refer to these people as "scumbags", yet those that make TV shows and movies available online, or those that crack game CD-keys or mod consoles to play copied games are not. To me those fall into exactly the same boat. I mean, while it's probably generally believed by most Gizmodo-ers that what those people are doing is wrong, not many would refer to them as "scumbags".

    Also, these guys didn't "steal" anything. The owners of those photos still have those photos. These people simply made a copy of those photos. It's not stealing, it's more like a form of copyright infringement (although that's not really correct either, as obviously as these photos were not intended to be seen by the public they would not have had a copyright on them).

    Note: I am in no way advocating the actions of these people. What they did was clearly wrong. I'm just pointing out that there's a bit of a double standard, and that articles like these are not using correct terminology, leading to a misunderstanding of what is going on.

    Last edited 03/09/14 12:21 pm

      All photos have copyright on them. It is generally owned by the person that took the photo or under some circumstances, their employer.

      It is interesting to see where things get placed on a scale...

      Person A takes a photo of a celebrity topless at a private beach.
      Person B releases photos that they copied from the celebrity's phone.

      To me there isn't a huge difference between those two acts, in terms of invasiveness.

      There is a very significant difference. In the case of these celebrity photos, they have been taken and stored privately. They are purely private and never were intended for public performance.

      In relation to TV shows, movies, console mods, etc they are products which are wholly intended for public performance. The content owners impose restrictions which limit fair use.

    Brute force only works on simple passwords, 8aplha num with a special character will take this app on a decent PC 50-60 years to crack.

    Why they hell are these people syncing nude photos with iCloud?.. That in itself is a stupid move, the internet is not private, and our governments are doing what they can to make it even less private. If you want to take nude photos and don't want to share them with the world, keep them on a USB or external HDD etc, not a cloud storage service... Are people really that stupid?

    @whitepointer good point, also Hollywood has a history of exploiting young women anyway? Albeit in "private" they still exploit them, so why can they get away with it but when a few hackers show people how stupid they are by making these photo's accessible it's then end of the world? I personally think this is a good thing, it is sending a clear message to young people that no one is safe from hacking, be it the government or a private person/company.

    Everyone keeps blaming the hackers or scumbags as you call them. But look at the big picture, this wouldn't be an issue if it wasn't for:
    A: The media, the fappening has been blown up to epic proportions by the media. This is a game for 4chan to play with the media much like a serial killer plays with the media for notoriety, and they serve it up on a platter without even checking facts.
    B: The government, the tools used for this were created for government agencies. Hackers are much smarter than the government - if a backdoor is made available to the NSA it is a target for hackers. End of story.
    The major issue to come from all this is that we need to get away from recording metadata and government snooping and make privacy and security of information a top priority.

Join the discussion!

Trending Stories Right Now