Did you even understand the function of this software?
It's rather late in this thread you 've posting in to finally understand it, but it's high time you did I guess...
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
ElcomSoft's Phone Forensics Software Offers Near Real-Time Access to iCloud Backups
- Thread starter MacRumors
- Start date
- Sort by reaction score
Did you even understand the function of this software?
It's rather late in this thread you 've posting in to finally understand it, but it's high time you did I guess...
Someone would still need your username and password with this software. If you think they could get your data directly from Apple without having your username / password, then this thread is irrelevant.
How is it Apple's fault that 60k people were idiots and gave the trojan their admin password? That's like being mad at the deadbolt maker on your house after you hand over your keys to a burglar and they steal your stuff.
And there isn't an issue with iCloud. The information is sent over a secure connection contrary to the assumptions that many here are making. All connections to iCloud are on port 443, https which is encrypted. Once again this is an issue of the forensic software acquiring your password elsewhere.
----------
I'm willing to bet it won't be. The forensic community doesn't share this stuff and it generally requires special software device authentication such as a HASP key. It's not the kinda software that most pirates go for so it's not bothered with. But keep telling yourself that it'll be easy to get.
----------
You obviously have no concept of the usefulness of this type of software. Time to stop posting. For computer forensic examiners in the law enforcement community, this type of information is valuable. Once a warrant is issued, it would allow them to gain access to the suspect's iCloud account along with their iPhone.
Please just stop making assumptions as it's only leading to more users here reading the misinformation you're posting and running with it.
Those claiming that iCloud info is sent unencrypted are incorrect. All connections to the iCloud service are made over https (port 443) and use SSL and a secure certificate just as they would if you were doing online banking, etc. These servers include:
setup.icloud.com
p07-content.icloud.com
p07-steams.icloud.com
p07-bookmarks.icloud.com
keyvalueservice.icloud.com
p07-quota.icloud.com
p07-contacts.icloud.com
p07-ubiquity.icloud.com
aolauth.icloud.com
and all the others.
setup.icloud.com
p07-content.icloud.com
p07-steams.icloud.com
p07-bookmarks.icloud.com
keyvalueservice.icloud.com
p07-quota.icloud.com
p07-contacts.icloud.com
p07-ubiquity.icloud.com
aolauth.icloud.com
and all the others.
As far as I understand apple don't offer encrypted transfers in icloud though, and last time I heard:
Points well taken for the rest of what you are saying.
I completely agree about the security lapses at Apple. They can do more when it comes to patching security exploits. Flashback made it even more apparent.
But about Dropbox, I know they use SSL and AES-256 on their servers. You may know something I don't, but my assumption was that Apple did the same with iCloud backups and that the issue at hand is that the backups should be encrypted locally on the iPhone before being sent to iCloud.
As it stands, Dropbox should be vulnerable too. If someone had their Dropbox account stolen and they logged in, they should be able to download any of their files even if it's over HTTPS and even if they were encrypted on the servers with AES256. Cloud solutions like SpiderOak do the encryption on the local computer first. So even if the account name/password was stolen ... they would need the local encryption keys before the server assumes they are properly authenticated to see the data. This stops Spideroak employees and hackers, who may steal files from their servers, from seeing the data. But even then with all that encryption (2048 RSA + AES256), knowing the password of an account leaves you vulnerable no matter what. I believe with Spideroak, if you lose the local encryption keys you can still get them back with your password and use them to unlock the data. Safest way to keep the data private is to never allow regeneration of the keys, which leaves you without your data, which defeats the point of cloud backup storage.
Last edited:
The most damage some of the ill conceived responses in this thread will do is unecessarily alarm an average user into switching iCloud off. However when you consider the merits of the argument for and against iCloud, its much more likely those people will lose, damage their iphone or have data corruption than have their data stolen, the result being they could potentially lose data they didnt need to lose because they switched the service off - due to reading poor information from people who dont understand security protocols or spread misinformation.
Also, considering some of the ill thought responses to iCloud security, i figured i shouldnt tell people to microwave their HDD, incase they do just that. It was irresponsible of me, and i apologise. Im sure the Russians next door are lovely people too.
Also, considering some of the ill thought responses to iCloud security, i figured i shouldnt tell people to microwave their HDD, incase they do just that. It was irresponsible of me, and i apologise.
Im sure the Russians next door are lovely people too.
That means thay have access to your iTunes and computer, and if you backup up to iCloud there are no backups in iTunes.
Shame, Shame, Shame
For shame, MacRumors. This is scaremongering, caveat-in-the-nineteenth-paragraph of the highest order.
YOU NEED THE ICLOUD USERNAME AND PASSWORD.
This is not hacking! This is accessing your own data!
Obtaining someone's password: that's "hacking", if we can call it that. Apple makes the entirely reasonable assumption that someone with your iCloud username and password is YOU. If they didn't do that, the entire concept of username/password identification is pointless.
If you couldn't access your iCloud backups with your iCloud username and password, then when you're restoring to a new device, how on earth are you supposed to identify yourself?
For shame, MacRumors. This is scaremongering, caveat-in-the-nineteenth-paragraph of the highest order.
YOU NEED THE ICLOUD USERNAME AND PASSWORD.
This is not hacking! This is accessing your own data!
Obtaining someone's password: that's "hacking", if we can call it that. Apple makes the entirely reasonable assumption that someone with your iCloud username and password is YOU. If they didn't do that, the entire concept of username/password identification is pointless.
If you couldn't access your iCloud backups with your iCloud username and password, then when you're restoring to a new device, how on earth are you supposed to identify yourself?
Vey interesting post Mark, thanks for the heads up about spideroak as well, I ll look em up.
----------
Easy there with the cabs tiger, they have a lot of, flashback, ways to get your pass, once they have it the point is they can track you without you noticing there are no hardware keys that will ensure that only your devices can access it. Take it easy on the caps.
----------
typical apple apologist. Yeah why would they hold a phone like this and short circuit it's antenna? There's nothing wrong with the iPhone antenna but we fixed in 4s but there was nothing wrong with it to begin with. Its never apples fault. There was a java vulnerability in os x hence the intrusion of the malware.
Unless you are an American and are considered a threat to national security, then anything goes..
I can break into your house if you give me the key and the location.
well some kids over in China guessed mine twice last fall.. maybe they just got lucky!
This product doesn't make sense to me.
First off, you need the person's iTunes username and password in order to access their data with this software...
...but if I already had their username and password to begin with, I could already access their data in the first place. So why would I need this software?
Also, if I have the level of sophistication to get someone's iTunes username and password, I also probably have the required sophistication to get much more of their data than this software could get me, and therefore wouldn't need the software in the first place.
Makes no sense...
Addendum: It would be extremely foolish for US (or any Western) law enforcement or intelligence services to use Russian-made security software, since Russia is the number 2 spy service against us, besides China. I hope no dolts at the federal government are actually using this stuff...
First off, you need the person's iTunes username and password in order to access their data with this software...
...but if I already had their username and password to begin with, I could already access their data in the first place. So why would I need this software?
Also, if I have the level of sophistication to get someone's iTunes username and password, I also probably have the required sophistication to get much more of their data than this software could get me, and therefore wouldn't need the software in the first place.
Makes no sense...
Addendum: It would be extremely foolish for US (or any Western) law enforcement or intelligence services to use Russian-made security software, since Russia is the number 2 spy service against us, besides China. I hope no dolts at the federal government are actually using this stuff...
Last edited:
Exactly! Can't believe it took until the second page of this thread for someone to point this out.
Next scandal: It has just been revealed that if someone acquires your gmail username and password, they can view and download your emails as you receive them, in NEAR REAL TIME!!! I've been saying that email isn't secure for years, but no one listened to me!
Yep. So how is this really that different than using that information on a blank phone to restore the backup and see what's there. It isn't really.
if they don't have your credentials they can't do jack.
----------
You mean the one that says they can get the info from your iTunes backups off your own computer.
So they have to have access to your computer.
Frankly if they have that or access to your iPhone to make a backup on their computers, you should be more worried they have those items.
----------
they don't even need a local backup if the user has ever bought anything from the iTunes store. every song etc has the ID in plaintext in the 'info' for the file. But that only gets them your user name. they have to dig for your password. unless you are someone dumb enough to store it in a plain text file on the computer they have access to. or something like 1Password with a simple (or worse no) password
So. Let me get this straight.
If they have your username and password, they can get your info and track you... and if they don't, they can get it from your old back ups on your computer.
Why is this news?
Hell If you have the username and password for my online bank accounts, you can do the same thing AND bilk me out of every cent I have. Oh, not to mention breaking into my house and looking through my files and finding my SS card to steal my identity.
Seems like this is the on the bottom of my worry list.
If they have your username and password, they can get your info and track you... and if they don't, they can get it from your old back ups on your computer.
Why is this news?
Hell If you have the username and password for my online bank accounts, you can do the same thing AND bilk me out of every cent I have. Oh, not to mention breaking into my house and looking through my files and finding my SS card to steal my identity.
Seems like this is the on the bottom of my worry list.
And how exactly are they supposed to fix it. You're so smart I'm sure you have it all figured out. You know exactly how they can fix an issue that requires your private password info or access to your actual hardware.
That addendum is one of the stupidest comments I have ever read on the internet (srs)
That's a very strong statement, considering all the junk on the internet.
Such strong, extremist, emotionally charged statements indicate a lack of reason, and indicate I hit an emotional nerve.
So, in fairness I ask: Do you have any actual objective evidence or a reasonable argument that shows that what I said was wrong? If so, I'm willing to listen.
...or do you have nothing but an emotional personal attack?
(Yet I fear I already know the answer)
Sorry, its a bit rude to roll out that old 'apologist' tag to someone when it appears youre intent on being alarmist and spreading misinformation.
This isnt a fault, why are you having trouble seeing that? How is the concept of a secure username and password a fault lol? Appears to me youre so intent on trying to prove a point about Apple that isnt relevent, you've actually missed the purpose of this software???
Besides that re: iPhone 4, the company took a lot of flak over that. You can call the poster above an apologist till you're blue in the face but youre beating a dead horse. Everyone knows there was a design fault, but clearly you thought we needed reminding about it 2 years later!
Not that it's in any way relevent.no, not an emotional personal attack. I am well aware that this software is being used by Law Enforcement in Australia.
One of the more common tools for mobile phone forensics is Cellebrite, (http://en.wikipedia.org/wiki/Cellebrite) which is headquartered in Israel.
Should law enforcement and intelligence agencies boycott software because their developers may be spying on us too? Should they continue to lack capability just because the company that developed it is headquartered in Russia?
Everyone is going crazy regarding this article, possibly one of the best troll articles I've seen on MacRumors.
Surprising, since Australians are a pragmatic and level-headed people. I would be further surprised if any US government folks were using this software. I would hope they are exercising due caution and thoughtfulness without the hindrance of political correctness and naivety which tell us that everyone in the world is pretty much OK regardless of nationality and can basically be trusted.
The best option for these kinds of things is homegrown, that way you remove all doubt.