Register FAQ / Rules Forum Spy Search Today's Posts Mark Forums Read
Go Back   MacRumors Forums > News and Article Discussion > MacRumors.com News Discussion

Reply
 
Thread Tools Search this Thread Display Modes
Old Sep 2, 2014, 07:55 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication




Earlier today, Apple issued a press release stating that an iCloud/Find My iPhone breach had not been responsible for the leak of several private celebrity photos over the weekend, instead pointing towards a "very targeted attack on user names, passwords, and security questions" hackers used to gain access to celebrity accounts.

The company did not divulge specific details on how hackers accessed the iCloud accounts, leading Wired writer Andy Greenberg to investigate the methods that hackers might possibly have used to acquire the stolen media.

Greenberg visited Anon-IB, a popular anonymous image board where some of the celebrity photos first originated, and discovered that hackers openly discuss exploiting software designed for law enforcement and government officials. Called ElcomSoft Phone Password Breaker (EPPB), the software in question lets hackers enter a stolen username and password to obtain a victim's full iPhone/iPad backup.
Quote:
"Use the script to hack her passwd...use eppb to download the backup," wrote one anonymous user on Anon-IB explaining the process to a less-experienced hacker. "Post your wins here ;-)"
Acquiring just a user name and password allows hackers access to content on iCloud.com, but with the accompaniment of the ElcomSoft software, a complete backup can reportedly be downloaded into easy-to-access folders filled with the device's contents.

According to security researcher Jonathan Zdziarski, who spoke to Wired, metadata from some of the leaked photos is in line with the use of the ElcomSoft software and possibly the iBrute software, which exploited a vulnerability in Find My iPhone to allow hackers unlimited attempts to guess a password. Apple has, however, patched the exploit, and has suggested iBrute was not a factor in the attacks.

As noted by TechCrunch, using ElcomSoft's software to download an iPhone's backup successfully circumvents two-factor verification as the two-factor authentication system does not cover iCloud backups or Photo Stream.

Two-factor verification can make it much more difficult for hackers to acquire a user's login credentials in the first place, preventing many attacks, but an iCloud backup can be installed with just a user name and a password.

The ElcomSoft software does not require any credentials to buy and while it costs $399, it is also available on bittorrent sites. The vulnerability in iCloud backups has been known for some time, with ElcomSoft's own CEO pointing towards the lack of two-factor authentication for iCloud backups back in May of 2013.

Apple has explored expanding two-factor authentication to some iCloud services, but an official expansion of the security feature has not yet been introduced.

Article Link: Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
MacRumors is offline   1 Reply With Quote
Old Sep 2, 2014, 07:58 PM   #2
krashx7
macrumors regular
 
Join Date: Jul 2012
The Fappening 2014. Never forget
krashx7 is offline   25 Reply With Quote
Old Sep 2, 2014, 07:58 PM   #3
sputnikv
macrumors regular
 
Join Date: Oct 2009
the plot thickens
sputnikv is offline   1 Reply With Quote
Old Sep 2, 2014, 07:58 PM   #4
mozumder
macrumors 6502
 
Join Date: Mar 2009
Another attack vector.

Not sure why Apple allows outside vendors access to their cloud?

The worst part is that Elcomsoft documents these holes, and Apple has no reason to keep open.

Also, Elcomsoft has Windows Live exploits available as well.
mozumder is offline   12 Reply With Quote
Old Sep 2, 2014, 07:58 PM   #5
apolloa
macrumors 601
 
Join Date: Oct 2008
I think you need to change the headline for this article, so you are not claiming that someones opinion is fact.

Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication

Should be changed to:

Hackers May Be Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
apolloa is offline   16 Reply With Quote
Old Sep 2, 2014, 07:58 PM   #6
DerekRod
macrumors Demi-God
 
Join Date: Jan 2012
Location: NYC
Jesus H Christ this is terrible,sexy,but terrible
__________________
Honor Courage Commitment,US Navy
DerekRod is offline   1 Reply With Quote
Old Sep 2, 2014, 08:03 PM   #7
mozumder
macrumors 6502
 
Join Date: Mar 2009
The ripping process, which has been going on for months:




Lots of security holes here, including weak password reset verification questions.
mozumder is offline   17 Reply With Quote
Old Sep 2, 2014, 08:03 PM   #8
starbird
macrumors 6502
 
Join Date: Mar 2010
There is good to come of all this

I suspect by year end, Photos in iCloud, iCloud Backups, everything, will all be encrypted.
__________________
 13" MacBook Pro with Retina display 
 Verizon iPhone 6 Space Grey (32GB)  iPad (32GB Black WiFi 3rd gen)  3rd gen TV 
starbird is offline   10 Reply With Quote
Old Sep 2, 2014, 08:05 PM   #9
Santabean2000
macrumors 65816
 
Santabean2000's Avatar
 
Join Date: Nov 2007
It seems there are no end if tricks available to the scumbags out there willing to do hurtful things.

However, bottom line (pun intended) is, if you want nude snaps of yourself, fine, take some, but don't keep them on your phone or in the cloud where they are most vulnerable.

While I have some sympathy for the victims, I also believe ignorance is not really an excuse these days.

People have to accept more responsibility for their actions, even if the consequences are far beyond what they initially imagined. The sad fact is in our cottonwool society is far easier to blame everyone else for everything than accept some responsibility personally. If you don't agree then you're part of the problem.
__________________
Cheers,
Santa
Santabean2000 is offline   17 Reply With Quote
Old Sep 2, 2014, 08:07 PM   #10
SandboxGeneral
Moderator
 
SandboxGeneral's Avatar
 
Join Date: Sep 2010
Location: Great Lakes State
Good thing I back up to iTunes locally and not iCloud. Though my Photo Stream could still be compromised. But it'd be quite boring to a hacker. I mostly have pictures of coffee and espresso and song titles from my car radio that I want to look up later!
SandboxGeneral is online now   8 Reply With Quote
Old Sep 2, 2014, 08:07 PM   #11
swingerofbirch
macrumors 68030
 
Join Date: Oct 2003
Location: The Amalgamated States of Central North America
Interesting timing with Apple about to come out with a mobile payments system.
swingerofbirch is offline   14 Reply With Quote
Old Sep 2, 2014, 08:08 PM   #12
haruhiko
macrumors 68030
 
haruhiko's Avatar
 
Join Date: Sep 2009
Quote:
Originally Posted by starbird View Post
I suspect by year end, Photos in iCloud, iCloud Backups, everything, will all be encrypted.
They should be already encrypted. But the so called hacker has your password, which can decrypt the encrypted data.
__________________
Mac: rMBP'12, iMac'08/24", Mini'09, MBP'10/15", MBA'11/13". iPhone: 5s/64S 5/64B, 4S/64W, 4/32B, 3GS/16. iPT: 3G,1G. iPad: Air,Mini2,4,3/LTE/64 2/3G/32, 1/WiFi/16. ATV'12,'11, AEBS'09, TC'13/2TB
haruhiko is offline   7 Reply With Quote
Old Sep 2, 2014, 08:09 PM   #13
DipDog3
macrumors 6502a
 
DipDog3's Avatar
 
Join Date: Sep 2002
 
I'm surprised backups don't use two step authentication. This is a bad move by Apple.
DipDog3 is offline   3 Reply With Quote
Old Sep 2, 2014, 08:10 PM   #14
jlake02
macrumors 68000
 
jlake02's Avatar
 
Join Date: Nov 2008
Location: L.A.
Quote:
Originally Posted by starbird View Post
I suspect by year end, Photos in iCloud, iCloud Backups, everything, will all be encrypted.
Let's hope so. Regardless whether Apple was at fault this incident is giving them a PR black eye... right before their big Sept. 9 reveal.







----------

Quote:
Originally Posted by swingerofbirch View Post
Interesting timing with Apple about to come out with a mobile payments system.

EXACTLY lololol





__________________
iPhone 5; iPhone 4S x 2; iPad 2,3,Air; iPod Touch 4 x2, AppleTV x2
jlake02 is online now   3 Reply With Quote
Old Sep 2, 2014, 08:10 PM   #15
Trapezoid
macrumors 6502a
 
Trapezoid's Avatar
 
Join Date: Mar 2014
Quote:
Originally Posted by mozumder View Post
The ripping process, which has been going on for months:
Image
Image
Image

Lots of security holes here, including weak password reset verification questions.
Seems like some of these "hacks"can be used on any site you can think of. Pretty scary.

I don't know how any company can prevent things like this.

Couple that with weak or same passwords across multiple sites and it becomes easy for anyone to do this.
__________________
Promised land.
Trapezoid is online now   2 Reply With Quote
Old Sep 2, 2014, 08:10 PM   #16
jdawgnoonan
macrumors regular
 
Join Date: Apr 2007
Location: Kaiserslautern, Germany
If, and that obviously is an IF, that is what happened then Apple should not claim that the images were not stolen due to weaknesses in their security. In fact, this is an even bigger potential hole in their security in my opinion. And to those who want to make it the victims fault that these photos were stolen: You are messed up in the head.
jdawgnoonan is offline   14 Reply With Quote
Old Sep 2, 2014, 08:11 PM   #17
henzpwnapple
macrumors member
 
Join Date: Feb 2009
Once it is on the internet, it is never secured.
__________________
Somewhere in the future, I am remembering Steve Jobs.
henzpwnapple is offline   8 Reply With Quote
Old Sep 2, 2014, 08:11 PM   #18
xli_ne
macrumors 6502a
 
xli_ne's Avatar
 
Join Date: Mar 2005
Location: Center of the Nation
Send a message via AIM to xli_ne Send a message via MSN to xli_ne Send a message via Yahoo to xli_ne
i still don't understand how they got their username/email address
__________________

"The secret to creativity is knowing how to hide your sources."
- Albert Einstein

xli_ne is offline   7 Reply With Quote
Old Sep 2, 2014, 08:12 PM   #19
SandboxGeneral
Moderator
 
SandboxGeneral's Avatar
 
Join Date: Sep 2010
Location: Great Lakes State
Quote:
Originally Posted by xli_ne View Post
i still don't understand how they got their username/email address
Social engineering, the black web, search engines and such, plus a ring of underground bad guys collaborating, together, achieve this and more.
SandboxGeneral is online now   9 Reply With Quote
Old Sep 2, 2014, 08:14 PM   #20
Rogifan
macrumors G3
 
Rogifan's Avatar
 
Join Date: Nov 2011
Quote:
Originally Posted by apolloa View Post
I think you need to change the headline for this article, so you are not claiming that someones opinion is fact.

Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication

Should be changed to:

Hackers May Be Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
Yes, this headline is VERY misleading.
__________________
"I have a very optimistic view of individuals. As individuals, people are inherently good. I have a somewhat more pessimistic view of people in groups." -- Steve Jobs , Wired interview
Rogifan is offline   6 Reply With Quote
Old Sep 2, 2014, 08:15 PM   #21
haruhiko
macrumors 68030
 
haruhiko's Avatar
 
Join Date: Sep 2009
Quote:
Originally Posted by mozumder View Post
The ripping process, which has been going on for months:
Image
Image
Image

Lots of security holes here, including weak password reset verification questions.
Just tried the step suggested by these guys.

Well, the security questions are really dumb! I entered an e-mail address of a friend and entered the birthday. Then I was asked: what is your hometown? WTF everybody knows this guy's hometown! I didn't go any further but it made me very worried about my security questions. I'd better enter some password like stuff in the answer fields.
__________________
Mac: rMBP'12, iMac'08/24", Mini'09, MBP'10/15", MBA'11/13". iPhone: 5s/64S 5/64B, 4S/64W, 4/32B, 3GS/16. iPT: 3G,1G. iPad: Air,Mini2,4,3/LTE/64 2/3G/32, 1/WiFi/16. ATV'12,'11, AEBS'09, TC'13/2TB

Last edited by haruhiko; Sep 2, 2014 at 08:20 PM.
haruhiko is offline   3 Reply With Quote
Old Sep 2, 2014, 08:17 PM   #22
trevorbsmith
macrumors member
 
Join Date: Dec 2007
Quote:
Originally Posted by MacRumors View Post

but it appears enabling two-factor authentication would not stop iCloud backup hacks conducted with the Phone Password Breaker.

Article Link: Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
Sigh. No.

The 2-factor authentication Apple has set up works specifically to stop people from guessing/researching/finding answers to your "security questions" (by actually eliminating all security questions). This stops them from resetting your password, thus gaining access to your iCloud account, thus gaining access to your iPhone backups.

Therefore it WOULD in fact have stopped the iCloud backup "hacks" conducted, at least those conducted by the n00bs on AnonIB. They are specifically laying out the method they use in step by step instructions. They are not haxxors, they are not the NSA, they are not brute forcing passwords, they do not have skillz. They are just researching info on people, then going to appleid.apple.com and resetting passwords.

Jeez. Fact check anyone?

Would it be better if Apple prevented restores/downloads of iPhone backups without a trusted device being present? Yes. Would that step be necessary to stop the "hackers" in question? No. These guys are not even script kiddies. They are literally just filling out fields on a web site to get these pics.

In short, ignore the implied "the sky is falling" in this post.

DO enable 2-factor authentication on your apple id.

DO also tell Apple to increase their 2-factor authentication to prevent even more things.

But do not imagine that your iCloud account is somehow going to be magically hacked even if you set-up 2-factor authentication (and are smart enough to use a longish, randomish password).
trevorbsmith is offline   8 Reply With Quote
Old Sep 2, 2014, 08:17 PM   #23
DipDog3
macrumors 6502a
 
DipDog3's Avatar
 
Join Date: Sep 2002
 
Quote:
Originally Posted by xli_ne View Post
i still don't understand how they got their username/email address
Hacked friends or family. Personal assists, business associates, or stolen off business documents by some low-level employee. Social engineering of the person or people who would know the address.

Even your local Apple Genius could help one of these celebrities or their assistants & they would have access to all of their info.
DipDog3 is offline   0 Reply With Quote
Old Sep 2, 2014, 08:18 PM   #24
haruhiko
macrumors 68030
 
haruhiko's Avatar
 
Join Date: Sep 2009
Quote:
Originally Posted by trevorbsmith View Post
Sigh. No.

The 2-factor authentication Apple has set up works specifically to stop people from guessing/researching/finding answers to your "security questions" (by actually eliminating all security questions). This stops them from resetting your password, thus gaining access to your iCloud account, thus gaining access to your iPhone backups.

Therefore it WOULD in fact have stopped the iCloud backup "hacks" conducted, at least those conducted by the n00bs on AnonIB. They are specifically laying out the method they use in step by step instructions. They are not haxxors, they are not the NSA, they are not brute forcing passwords, they do not have skillz. They are just researching info on people, then going to appleid.apple.com and resetting passwords.

Jeez. Fact check anyone?

Would it be better if Apple prevented restores/downloads of iPhone backups without a trusted device being present? Yes. Would that step be necessary to stop the "hackers" in question? No. These guys are not even script kiddies. They are literally just filling out fields on a web site to get these pics.

In short, ignore the implied "the sky is falling" in this post.

DO enable 2-factor authentication on your apple id.

DO also tell Apple to increase their 2-factor authentication to prevent even more things.

But do not imagine that your iCloud account is somehow going to be magically hacked even if you set-up 2-factor authentication (and are smart enough to use a longish, randomish password).
Just tried my own accounts with 2-step verification enabled. Apple requested me to enter my recovery key (I remember I stored them on my laptop) once after I entered my e-mail address.
__________________
Mac: rMBP'12, iMac'08/24", Mini'09, MBP'10/15", MBA'11/13". iPhone: 5s/64S 5/64B, 4S/64W, 4/32B, 3GS/16. iPT: 3G,1G. iPad: Air,Mini2,4,3/LTE/64 2/3G/32, 1/WiFi/16. ATV'12,'11, AEBS'09, TC'13/2TB
haruhiko is offline   0 Reply With Quote
Old Sep 2, 2014, 08:18 PM   #25
VenusianSky
macrumors 65816
 
VenusianSky's Avatar
 
Join Date: Aug 2008
Quote:
Originally Posted by starbird View Post
I suspect by year end, Photos in iCloud, iCloud Backups, everything, will all be encrypted.
There is a problem with this. If you get a new phone, it won't be able to decrypt the backup/files unless it has the private key. If encryption keys are stored on the server (iCloud account), anyone would be able to decrypt as long as they can get into the account. Good idea, but difficult to implement, as with anything that uses file encryption.
__________________
"I know that I know nothing..."
-Socrates
VenusianSky is offline   2 Reply With Quote

Reply
MacRumors Forums > News and Article Discussion > MacRumors.com News Discussion

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Forum Jump

All times are GMT -5. The time now is 09:08 AM.

Mac Rumors | Mac | iPhone | iPhone Game Reviews | iPhone Apps

Mobile Version | Fixed | Fluid | Fluid HD
Copyright 2002-2013, MacRumors.com, LLC