Remember, It Was A 'Lawful Access' Tool That Enabled iCloud Hacker To Download Celebrity Nudes

from the lawful-access-opens-a-door-that's-difficult-to-close dept

You may have heard, recently, that the guy who was apparently behind the celebrity nudes hacking scandal (sometimes called “Celebgate” in certain circles, and the much more terrible “The Fappening” in other circles) recently pled guilty to the hacks, admitting that he used phishing techniques to get passwords to their iCloud accounts. But… that’s not all that he apparently used. He also used “lawful access” technologies to help him grab everything he could once he got in.

We keep hearing from people who think that just “giving law enforcement only” access to encrypted data is something that’s easy to do. It’s not. Over and over again, security experts keep explaining that opening up a hole for law enforcement means opening up a hole for many others as well, including those with malicious intent. ACLU technologist Chris Soghoian reminds us of this by pointing to an earlier article about how the guy used a “lawful access” forensics tool designed for police to get access to such data (warning, link may ask ask you to pay and/or disable adblocker):

On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims? data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim?s iPhone and download its full backup rather than the more limited data accessible on And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB?s forum.

Obviously, the situation with encryption on the iPhone is a bit different, but the same basic principle applies. Opening up a door is, by definition, opening up a vulnerability. And we should be very, very, very wary about opening up any kind of vulnerability. It’s tough enough to find and close vulnerabilities. Deliberately opening one can be catastrophic.

Filed Under: , , , , , , ,
Companies: apple, elcomsoft

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Remember, It Was A 'Lawful Access' Tool That Enabled iCloud Hacker To Download Celebrity Nudes”

Subscribe: RSS Leave a comment
That One Guy (profile) says:

Easy fix

1. Force companies to create security vulnerabilities, or discover them and ‘forget’ to mention them to the companies so as to allow ‘lawful access’ to anyone with the right paperwork*.
2. Make it illegal to anyone without that paperwork* to use the security vulnerabilities.
3. Since no criminal would ever break the law, clearly the security vulnerabilities will remain secure, and only used by the proper authorities.

And just like that you’ve got access points for the authorities without any worry needed that someone of less sterling character may utilize them for nefarious ends.

*Depending on circumstance/whim, proper paperwork may or may not be created/filled in after the fact.

Anonymous Coward says:

Re: Easy fix

Depending on circumstance/whim, proper paperwork may or may not be created/filled in after the fact.

FBI Snooping Story Should Make Politicians Rethink Data Retention Laws”, by Mike Masnick, Techdirt, Mar 9, 2007

The Justice Department is in a bit of hot water (yet again) today after the news came out that the FBI has been guilty of “serious misuse” of the power to obtain secret information under the Patriot Act. . . .

Anonymous Coward says:

‘Deliberately opening one can be catastrophic’

oh so true but the authorities are not interested in terrorists, they are not interested if they cant stop terrorism, but they are EXTREMELY INTERESTED in knowing every possible thing about every ordinary person on the planet! why? because politicians are, by definition, nothing but a bunch of double standard, lying ass holes and when they get up to their naughtiness, they dont want to be found out and dont want that info spread! if they can access all of peoples communication ways, including having speech monitors scattered around, as soon as there is a mention of so and so telling him/her whatever, they can stop it. if there is to be a demonstration against the government, they will know what is to be done where, when and by how many so that can be stopped! the planet is actually being turned into almost the exact copy of what the Nazis wanted to do, where no one and nothing can so much as think of anything without the government knowing about it and being able to sweep people off the streets, out of their work places and out of their homes, all started by Hollywood!!

That One Guy (profile) says:

Re: Re:

Which is rather like saying ‘Criminals can pick/break locks, therefore nothing is lost by requiring homeowners to leave a key in a designated spot for the police to use’.

Just because criminals can do something doesn’t mean you should make it even easier for them by granting them more tools or access points.

That One Guy (profile) says:

Re: Re: Re: Re:

Or, rather than giving everyone lockpicks, the lock maker instead does what they can to make it even more difficult to pick the lock. That this makes it more difficult for criminals and ‘law enforcement’ to break past is just how it works, and better than leaving the vulnerabilities in place, or worse deliberately adding them.

Machin Shin (profile) says:

“It’s tough enough to find and close vulnerabilities. Deliberately opening one can be catastrophic.”

That is so very true, especially considering that once you deliberately open one it eliminates a lot of the difficulty in the finding it part. Normally hackers are searching for holes that may or may not exist. You put a backdoor in and suddenly they know there is a gaping hole, they just have to kick the door in.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...