Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication

by

icloud_icon_blueEarlier today, Apple issued a press release stating that an iCloud/Find My iPhone breach had not been responsible for the leak of several private celebrity photos over the weekend, instead pointing towards a "very targeted attack on user names, passwords, and security questions" hackers used to gain access to celebrity accounts.

The company did not divulge specific details on how hackers accessed the iCloud accounts, leading Wired writer Andy Greenberg to investigate the methods that hackers might possibly have used to acquire the stolen media.

Greenberg visited Anon-IB, a popular anonymous image board where some of the celebrity photos first originated, and discovered that hackers openly discuss exploiting software designed for law enforcement and government officials. Called ElcomSoft Phone Password Breaker (EPPB), the software in question lets hackers enter a stolen username and password to obtain a victim's full iPhone/iPad backup.

"Use the script to hack her passwd...use eppb to download the backup," wrote one anonymous user on Anon-IB explaining the process to a less-experienced hacker. "Post your wins here ;-)"

Acquiring just a user name and password allows hackers access to content on iCloud.com, but with the accompaniment of the ElcomSoft software, a complete backup can reportedly be downloaded into easy-to-access folders filled with the device's contents.

According to security researcher Jonathan Zdziarski, who spoke to Wired, metadata from some of the leaked photos is in line with the use of the ElcomSoft software and possibly the iBrute software, which exploited a vulnerability in Find My iPhone to allow hackers unlimited attempts to guess a password. Apple has, however, patched the exploit, and has suggested iBrute was not a factor in the attacks.

As noted by TechCrunch, using ElcomSoft's software to download an iPhone's backup successfully circumvents two-factor verification as the two-factor authentication system does not cover iCloud backups or Photo Stream.

Two-factor verification can make it much more difficult for hackers to acquire a user's login credentials in the first place, preventing many attacks, but an iCloud backup can be installed with just a user name and a password.

twostepverification
The ElcomSoft software does not require any credentials to buy and while it costs $399, it is also available on bittorrent sites. The vulnerability in iCloud backups has been known for some time, with ElcomSoft's own CEO pointing towards the lack of two-factor authentication for iCloud backups back in May of 2013.

Apple has explored expanding two-factor authentication to some iCloud services, but an official expansion of the security feature has not yet been introduced.

Tag: Jonathan Zdziarski

Popular Stories

New Things Your iPhone Can Do in iOS 18

20 New Things Your iPhone Can Do in iOS 18.2

Monday December 16, 2024 8:55 am PST by
Apple released iOS 18.2 in the second week of December, bringing the second round of Apple Intelligence features to iPhone 15 Pro and iPhone 16 models. This update brings several major advancements to Apple's AI integration, including completely new image generation tools and a range of Visual Intelligence-based enhancements. Apple has added a handful of new non-AI related feature controls as...
Read Full Article28 comments
iphone 16 apple intelligence

Apple Drops Plans for iPhone Hardware Subscription Service

Wednesday December 18, 2024 11:39 am PST by
Apple is no longer planning to launch a hardware subscription service that would let customers "subscribe" to get a new iPhone each year, reports Bloomberg's Mark Gurman. Gurman first shared rumors about Apple's work on a hardware subscription service back in 2022, and at the time, he said that Apple wanted to develop a simple system that would allow customers to pay a monthly fee to gain...
Read Full Article109 comments
iPhone 17 Pro Dual Tone Feature 1

iPhone 17 Pro Rumored to Stick With 'Triangular' Camera Design

Wednesday December 18, 2024 2:36 am PST by
Contrary to recent reports, the iPhone 17 Pro will not feature a horizontal camera layout, according to the leaker known as "Instant Digital." In a new post on Weibo, the leaker said that a source has confirmed that while the appearance of the back of the iPhone 17 Pro has indeed changed, the layout of the three cameras is "still triangular," rather than the "horizontal bar spread on the...
Read Full Article153 comments
elevation lab airtag battery

Your AirTag's Battery Will Last for Up to 10 Years With Elevation Lab's New TimeCapsule Enclosure

Wednesday December 18, 2024 10:05 am PST by
Elevation Lab today announced the launch of TimeCapsule, an innovative and simple solution for increasing the battery life of Apple's AirTag. Priced at $20, TimeCapsule is an AirTag enclosure that houses two AA batteries that offer 14x more battery capacity than the CR2032 battery that the AirTag runs on. It works by attaching the AirTag's upper housing to the built-in custom contact in the...
Read Full Article129 comments
apple tv 4k yellow bg feature

New Apple TV Rumored to Launch Next Year With These Features

Tuesday December 17, 2024 9:02 am PST by
The current Apple TV 4K was released more than two years ago, so the streaming device is becoming due for a hardware upgrade soon. Fortunately, it was recently rumored that a new Apple TV will launch at some point next year. Below, we recap rumors about the next-generation Apple TV. Bloomberg's Mark Gurman last week reported that Apple has been working on its own combined Wi-Fi and...
Read Full Article176 comments
blackmagic vision pro

Blackmagic Debuts $30K 3D Camera for Capturing Video for Vision Pro

Monday December 16, 2024 4:17 pm PST by
Blackmagic today announced that its URSA Cine Immersive camera is now available for pre-order, with deliveries set to start late in the first quarter of 2025. Blackmagic says that this is the world's first commercial camera system designed to capture 3D content for the Vision Pro. The URSA Cine Immersive camera was first introduced in June, but it has not been available for purchase until...
Read Full Article95 comments
mac pro creativity

Apple Launched the Controversial 'Trashcan' Mac Pro 11 Years Ago Today

Thursday December 19, 2024 7:00 pm PST by
Apple launched the controversial "trashcan" Mac Pro eleven years ago today, introducing one of its most criticized designs that persisted through a period of widespread discontentment with the Mac lineup. The redesign took the Mac Pro in an entirely new direction, spearheaded by a polished aluminum cylindrical design that became unofficially dubbed the "trashcan" in the Mac community. All of ...
Read Full Article159 comments
iPhone 17 Slim Feature

'iPhone 17 Air' With 'Major' Design Changes and 19-Inch MacBook Detailed in New Report

Sunday December 15, 2024 9:47 am PST by
Apple is planning a series of "major design" and "format changes" for iPhones over the next few years, according to The Wall Street Journal's Aaron Tilley and Yang Jie. The paywalled report published today corroborated the widely-rumored "iPhone 17 Air" with an "ultrathin" design that is thinner than current iPhone models. The report did not mention a specific measurement, but previous...
Read Full Article136 comments

Top Rated Comments

krashx7 Avatar
krashx7
135 months ago
The Fappening 2014. Never forget
Score: 25 Votes (Like | Disagree)
Santabean2000 Avatar
Santabean2000
135 months ago
It seems there are no end if tricks available to the scumbags out there willing to do hurtful things.

However, bottom line (pun intended) is, if you want nude snaps of yourself, fine, take some, but don't keep them on your phone or in the cloud where they are most vulnerable.

While I have some sympathy for the victims, I also believe ignorance is not really an excuse these days.

People have to accept more responsibility for their actions, even if the consequences are far beyond what they initially imagined. The sad fact is in our cottonwool society is far easier to blame everyone else for everything than accept some responsibility personally. If you don't agree then you're part of the problem.
Score: 17 Votes (Like | Disagree)
mozumder Avatar
mozumder
135 months ago
The ripping process, which has been going on for months:




Lots of security holes here, including weak password reset verification questions.
Score: 17 Votes (Like | Disagree)
apolloa Avatar
apolloa
135 months ago
I think you need to change the headline for this article, so you are not claiming that someones opinion is fact.

Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication

Should be changed to:

Hackers May Be Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
Score: 16 Votes (Like | Disagree)
jdawgnoonan Avatar
jdawgnoonan
135 months ago
If, and that obviously is an IF, that is what happened then Apple should not claim that the images were not stolen due to weaknesses in their security. In fact, this is an even bigger potential hole in their security in my opinion. And to those who want to make it the victims fault that these photos were stolen: You are messed up in the head.
Score: 14 Votes (Like | Disagree)
swingerofbirch Avatar
swingerofbirch
135 months ago
Interesting timing with Apple about to come out with a mobile payments system.
Score: 14 Votes (Like | Disagree)
Read All Comments