The software tool that was used to exfiltrate many of the photos that comprised the infamous iCloud celebrity nude dump of 2014 has received a big update. Elcomsoft Phone Breaker now supports the two-factor authentication process that Apple added as a result of the iCloud hacks, according to Elcomsoft:
The new release adds support for latest Apple hardware and iOS 8/8.1, acquires iCloud accounts featuring two-factor authentication, extracts all types of data from iCloud including iWork documents, WhatsApp chats and third-party data saved by games, password managers, social networks etc. Elcomsoft Phone Breaker can now extract iCloud authentication tokens from users’ hard drives and forensic disk images, thus greatly expanding the availability of iCloud acquisition.
As with the iCloud hacks from earlier this fall, the attacker will still need your Apple ID and your password to gain access to your account, and if you’ve got two-factor authentication on, he or she will need your recovery device or single-use code as well. Phone Breaker, a forensic tool targeted at law enforcement, only makes the process of downloading parts of iCloud backups easier, and doesn’t actually gain access to iCloud accounts. You’ll still want to keep an eye on sketchy emails, because phishing is a likely way for an attacker to glean your login and password.
The latest update also introduces a new attack vector: Scanning disk images for Apple’s authentication token. In addition, under Apple’s two-factor implementation, you’re given a recovery key (if you lose it, you lose access to your account). Phone Breaker can scan a computer for that key — so you’ll want to write it down on paper, not save it in a .txt file.
The Elcomsoft blog has a few very informative posts that look at specific scenarios where its tool can be used: For instance, “iCloud Acquisition Without Login and Password” or “I have a computer that was used to sync with iCloud.”
One of the issues that led to the celebrity photos being pilfered in September was that Apple’s previous iCloud two-factor authentication only covered Apple ID management and iTunes purchases — not full device iCloud backups, which is where most of the stolen photos came from. As a result, [company]Apple[/company] added more email alerts and push notifications related to account security as well as two-factor authentication for user backups. But even though these tweaks curtailed the use of tools like Elcomsoft Phone Breaker for a while, it’s hard to keep companies like Elcomsoft completely shut out.
In my opinion, it’s Apple’s responsibility to continue to break tools like Phone Breaker through updates and protect its users. But given that the world’s most valuable technology company apparently doesn’t have a cloud team, users will have to take some security into their own hands.
For regular people who use iPhones every day, this doesn’t change recommended practices much. Two-factor authentication and long, unique passphrases are still the easiest and best ways to harden personal security, at least enough so that you’re no longer an easy target.