There’s a seedy trade in compromising photos stored in Apple iCloud accounts, and it is in part aided by a software program that cleanly collects the data.
Some of the nude celebrity photos are believed to have first been circulated on Anon-IB, a definitely not safe-for-work forum. As reported by Wired, the forum is full of offers for iCloud “ripping,” or downloading the entire contents of an account.
The software tool they’re using is Moscow-based Elcomsoft’s Phone Password Breaker, or EPPB, one of many forensic tools the company develops for law enforcement and other clients.
Elcomsoft CEO Vladimir Katalov said via email on Wednesday that there are legitimate uses for his company’s software and that it doesn’t exploit flaws in Apple services.
Apple has denied it was breached, saying the celebrities were victims of targeted attacks that sought their user names, passwords and security questions.
Elcomsoft doesn’t restrict who it sells EPPB to, Katalov said, and over time the software has been sold and then leaked to underground websites.
The problem of pirated software isn’t unique to Elcomsoft. Companies such as Microsoft have built technical defenses into their software to try to prevent piracy.
EPPB comes into play after a victim’s Apple ID and password have been compromised by other means. The software can pull text messages, attachments, call logs, address books, calendars, email account settings, photos and other information in a few minutes.
Of course, if someone already knows the person’s Apple credentials, they could recover the data anyway, but in a slower fashion. Katalov said a hacker could set up a new device and restore it with the victim’s iCloud data.
Even with EPPB, downloading a large backup for the first time could take hours, Elcomsoft advises on its website. But users that need data fast, such as law enforcement officials, can select data piecemeal to download it faster.
It appears quite a few people on Anon-IB have a pirated copy of EPPB. Many offer to use their copy of EPPB on iCloud accounts for which the credentials have been obtained by others, promising to quickly return the data for free, presumably so they can have a peek at what’s in it.
One posting on Anon-IB read: “Ripping right now! Send email with Apple ID and Password and I will have it ripping ASAP. Will keep everything private!”
So far, it appears only photos of the celebrities have been publicly released. But the hackers in control of the accounts could also have text messages, call logs and a host of other data if the victim had chosen to back up the data in iCloud.
Apple has advised that iCloud customers use two-factor authentication as an additional protection, which involves entering a one-time passcode when logging on.