The software that helped hack the iCloud nudes got a scary update


Credit: Kevin C. Tofel

The software tool that was used to exfiltrate many of the photos that comprised the infamous iCloud celebrity nude dump of 2014 has received a big update. Elcomsoft Phone Breaker now supports the two-factor authentication process that Apple added as a result of the iCloud hacks, according to Elcomsoft:

The new release adds support for latest Apple hardware and iOS 8/8.1, acquires iCloud accounts featuring two-factor authentication, extracts all types of data from iCloud including iWork documents, WhatsApp chats and third-party data saved by games, password managers, social networks etc. Elcomsoft Phone Breaker can now extract iCloud authentication tokens from users’ hard drives and forensic disk images, thus greatly expanding the availability of iCloud acquisition.

As with the iCloud hacks from earlier this fall, the attacker will still need your Apple ID and your password to gain access to your account, and if you’ve got two-factor authentication on, he or she will need your recovery device or single-use code as well. Phone Breaker, a forensic tool targeted at law enforcement, only makes the process of downloading parts of iCloud backups easier, and doesn’t actually gain access to iCloud accounts. You’ll still want to keep an eye on sketchy emails, because phishing is a likely way for an attacker to glean your login and password.

The latest update also introduces a new attack vector: Scanning disk images for Apple’s authentication token. In addition, under Apple’s two-factor implementation, you’re given a recovery key (if you lose it, you lose access to your account). Phone Breaker can scan a computer for that key — so you’ll want to write it down on paper, not save it in a .txt file.

The Elcomsoft blog has a few very informative posts that look at specific scenarios where its tool can be used: For instance, “iCloud Acquisition Without Login and Password” or “I have a computer that was used to sync with iCloud.”

One of the issues that led to the celebrity photos being pilfered in September was that Apple’s previous iCloud two-factor authentication only covered Apple ID management and iTunes purchases — not full device iCloud backups, which is where most of the stolen photos came from. As a result, [company]Apple[/company] added more email alerts and push notifications related to account security as well as two-factor authentication for user backups. But even though these tweaks curtailed the use of tools like Elcomsoft Phone Breaker for a while, it’s hard to keep companies like Elcomsoft completely shut out.

In my opinion, it’s Apple’s responsibility to continue to break tools like Phone Breaker through updates and protect its users. But given that the world’s most valuable technology company apparently doesn’t have a cloud team, users will have to take some security into their own hands.

For regular people who use iPhones every day, this doesn’t change recommended practices much. Two-factor authentication and long, unique passphrases are still the easiest and best ways to harden personal security, at least enough so that you’re no longer an easy target.


Hiddn App

We agree with the following assertion: „users will have to take some security into their own hands”. Unfortunately, we live in a world where you have to fight for your own privacy. But we give you one of the most powerful weapons: Hiddn.

Hiddn is an app that instantly encrypts the photos that you take and doesn’t sync them to iCloud, keeping them locally. So users have the opportunity to choose what goes online and what stays private. Have a look here, if you’re interested:


Wait so they need access to your computer /and/ for you to have left your key in a text file..?

I’m not sure that’s /that/ scary.

Kif Leswing

Sure, it’s not terrifying the same way that a program that could simply own you with a button press would be.

But on the other hand, I’m not Elcomsoft’s customer. If someone is trying to get into my iCloud account using Phone Breaker it is most likely not going to be me — so them finding a way to scan my computer for a recovery key or adapting their software to beat Apple’s new security measures *is* scary to me.

Comments are closed.