Remember, It Was A 'Lawful Access' Tool That Enabled iCloud Hacker To Download Celebrity Nudes
from the lawful-access-opens-a-door-that's-difficult-to-close dept
You may have heard, recently, that the guy who was apparently behind the celebrity nudes hacking scandal (sometimes called "Celebgate" in certain circles, and the much more terrible "The Fappening" in other circles) recently pled guilty to the hacks, admitting that he used phishing techniques to get passwords to their iCloud accounts. But... that's not all that he apparently used. He also used "lawful access" technologies to help him grab everything he could once he got in.We keep hearing from people who think that just "giving law enforcement only" access to encrypted data is something that's easy to do. It's not. Over and over again, security experts keep explaining that opening up a hole for law enforcement means opening up a hole for many others as well, including those with malicious intent. ACLU technologist Chris Soghoian reminds us of this by pointing to an earlier article about how the guy used a "lawful access" forensics tool designed for police to get access to such data (warning, link may ask ask you to pay and/or disable adblocker):
On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.Obviously, the situation with encryption on the iPhone is a bit different, but the same basic principle applies. Opening up a door is, by definition, opening up a vulnerability. And we should be very, very, very wary about opening up any kind of vulnerability. It's tough enough to find and close vulnerabilities. Deliberately opening one can be catastrophic.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, celebgate, celebrity nudes, hacking, icloud, law enforcement, lawful access, nudes
Companies: apple, elcomsoft
Reader Comments
Subscribe: RSS
View by: Time | Thread
Easy fix
2. Make it illegal to anyone without that paperwork* to use the security vulnerabilities.
3. Since no criminal would ever break the law, clearly the security vulnerabilities will remain secure, and only used by the proper authorities.
And just like that you've got access points for the authorities without any worry needed that someone of less sterling character may utilize them for nefarious ends.
*Depending on circumstance/whim, proper paperwork may or may not be created/filled in after the fact.
[ link to this | view in thread ]
Re: Easy fix
I'm sure it's easy for them - they write code all the time.
[ link to this | view in thread ]
Re: Easy fix
[ link to this | view in thread ]
oh so true but the authorities are not interested in terrorists, they are not interested if they cant stop terrorism, but they are EXTREMELY INTERESTED in knowing every possible thing about every ordinary person on the planet! why? because politicians are, by definition, nothing but a bunch of double standard, lying ass holes and when they get up to their naughtiness, they dont want to be found out and dont want that info spread! if they can access all of peoples communication ways, including having speech monitors scattered around, as soon as there is a mention of so and so telling him/her whatever, they can stop it. if there is to be a demonstration against the government, they will know what is to be done where, when and by how many so that can be stopped! the planet is actually being turned into almost the exact copy of what the Nazis wanted to do, where no one and nothing can so much as think of anything without the government knowing about it and being able to sweep people off the streets, out of their work places and out of their homes, all started by Hollywood!!
[ link to this | view in thread ]
Wouldn't he be a phisher?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
Just because criminals can do something doesn't mean you should make it even easier for them by granting them more tools or access points.
[ link to this | view in thread ]
[ link to this | view in thread ]
That is so very true, especially considering that once you deliberately open one it eliminates a lot of the difficulty in the finding it part. Normally hackers are searching for holes that may or may not exist. You put a backdoor in and suddenly they know there is a gaping hole, they just have to kick the door in.
[ link to this | view in thread ]
Fair play
[ link to this | view in thread ]
Re: Re: Easy fix
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Obviously Mr. Collins should walk...
Ergo, no crime was committed.
(And I say that as an impartial dude who totally didn't look at the released photos.)
[ link to this | view in thread ]
[ link to this | view in thread ]