Remember, It Was A 'Lawful Access' Tool That Enabled iCloud Hacker To Download Celebrity Nudes

from the lawful-access-opens-a-door-that's-difficult-to-close dept

You may have heard that the guy who was apparently behind the celebrity nudes hacking scandal (sometimes called "Celebgate" in certain circles, and the much more terrible "The Fappening" in other circles) recently pled guilty to the hacks, admitting that he used phishing techniques to get passwords to the victims' iCloud accounts. But... that's not all that he apparently used. He also used "lawful access" technologies to help him grab everything he could once he got in.

We keep hearing from people who think that just "giving law enforcement only" access to encrypted data is something that's easy to do. It's not. Over and over again, security experts keep explaining that opening up a hole for law enforcement means opening up a hole for many others as well, including those with malicious intent. ACLU technologist Chris Soghoian reminds us of this by pointing to an earlier article about how the guy used a "lawful access" forensics tool designed for police to get access to such data (warning, link may ask you to pay and/or disable adblocker):

"On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum."

Obviously, the situation with encryption on the iPhone is a bit different, but the same basic principle applies. Opening up a door is, by definition, opening up a vulnerability. And we should be very, very, very wary about opening up any kind of vulnerability. It's tough enough to find and close vulnerabilities. Deliberately opening one can be catastrophic.

Filed Under: backdoors, celebgate, celebrity nudes, hacking, icloud, law enforcement, lawful access, nudes
Companies: apple, elcomsoft


Reader Comments



  • icon
    That One Guy (profile), 24 Mar 2016 @ 12:08pm

    Easy fix

    1. Force companies to create security vulnerabilities, or discover them and 'forget' to mention them to the companies so as to allow 'lawful access' to anyone with the right paperwork*.
    2. Make it illegal for anyone without that paperwork* to use the security vulnerabilities.
    3. Since no criminal would ever break the law, clearly the security vulnerabilities will remain secure, and only used by the proper authorities.

    And just like that you've got access points for the authorities without any worry needed that someone of less sterling character may utilize them for nefarious ends.

    *Depending on circumstance/whim, proper paperwork may or may not be created/filled in after the fact.


  • identicon
    Anonymous Coward, 24 Mar 2016 @ 12:46pm

    'Deliberately opening one can be catastrophic'

    Oh so true, but the authorities are not interested in terrorists, they are not interested if they can't stop terrorism, but they are EXTREMELY INTERESTED in knowing every possible thing about every ordinary person on the planet! Why? Because politicians are, by definition, nothing but a bunch of double standard, lying assholes and when they get up to their naughtiness, they don't want to be found out and don't want that info spread! If they can access all of people's communication ways, including having speech monitors scattered around, as soon as there is a mention of so and so telling him/her whatever, they can stop it. If there is to be a demonstration against the government, they will know what is to be done where, when and by how many so that can be stopped! The planet is actually being turned into almost the exact copy of what the Nazis wanted to do, where no one and nothing can so much as think of anything without the government knowing about it and being able to sweep people off the streets, out of their work places and out of their homes, all started by Hollywood!!


  • identicon
    Jigsy, 24 Mar 2016 @ 12:59pm

    I don't understand how he can be a hacker if the people gave him their details.

    Wouldn't he be a phisher?


  • identicon
    Anonymous Coward, 24 Mar 2016 @ 6:33pm

    Even if the good guys refuse to make such a tool, you're kidding yourself if you think bad guys won't. These tools are going to exist, might as well have them work in our favour by people bound by the law.


    • icon
      CK20XX (profile), 24 Mar 2016 @ 9:18pm

      Re:

      People are lazy. Forcing a criminal to actually put in some effort at carrying out misdeeds is a crime deterrent in and of itself. Make things easier for criminals though, and more people will suddenly decide that they want to be one.


      • identicon
        Anonymous Coward, 25 Mar 2016 @ 6:18am

        Re: Re:

        So what is your position? That software developers be banned from making this kind of software? Again, even if law enforcement refuses to use this tech, there is still a market for it, meaning it has the ability to be stolen as well.


    • icon
      That One Guy (profile), 24 Mar 2016 @ 9:48pm

      Re:

      Which is rather like saying 'Criminals can pick/break locks, therefore nothing is lost by requiring homeowners to leave a key in a designated spot for the police to use'.

      Just because criminals can do something doesn't mean you should make it even easier for them by granting them more tools or access points.


      • identicon
        Anonymous Coward, 25 Mar 2016 @ 6:13am

        Re: Re:

        Not at all, this is like saying criminals have lockpicks, locksmiths have lockpicks, so law enforcement should also have and use them under proper legal authority.


        • icon
          That One Guy (profile), 25 Mar 2016 @ 7:37am

          Re: Re: Re:

          Or, rather than giving everyone lockpicks, the lock maker instead does what they can to make it even more difficult to pick the lock. That this makes it more difficult for criminals and 'law enforcement' to break past is just how it works, and better than leaving the vulnerabilities in place, or worse deliberately adding them.


        • icon
          John Fenderson (profile), 25 Mar 2016 @ 8:44am

          Re: Re: Re:

          What That One Guy said. But I would add that there doesn't appear to be any "proper legal authority" that can be trusted with these sorts of powers.


  • identicon
    Anonymous Coward, 24 Mar 2016 @ 10:33pm

    So this was just a tool allegedly developed for law enforcement, not actually a backdoor in the phone's OS or the iCloud service. That's a wholly different scale in my opinion.


  • icon
    Machin Shin (profile), 25 Mar 2016 @ 4:33am

    "It's tough enough to find and close vulnerabilities. Deliberately opening one can be catastrophic."

    That is so very true, especially considering that once you deliberately open one it eliminates a lot of the difficulty in the finding it part. Normally hackers are searching for holes that may or may not exist. You put a backdoor in and suddenly they know there is a gaping hole, they just have to kick the door in.


  • identicon
    Capt ICE Enforcer, 25 Mar 2016 @ 5:01am

    Fair play

    Listen, this just shows that cops are not the only individuals who get to be pervs online.


  • icon
    Uriel-238 (profile), 25 Mar 2016 @ 11:53am

    Obviously Mr. Collins should walk...

    As the Lawful Access tools are only usable lawfully and by good guys, this man's use of them demonstrates he's a good guy who used these tools lawfully.

    Ergo, no crime was committed.

    (And I say that as an impartial dude who totally didn't look at the released photos.)


  • icon
    Ninja (profile), 28 Mar 2016 @ 12:58pm

    I'm amazed with the speed the trolls and Totalitarianism fanbois are being proven wrong these days. I mean, it's been a few days since the last post our own pet troll was certain such tools would never, ever be leaked because law enforcement is so cool and magical.


