Remember, It Was A 'Lawful Access' Tool That Enabled iCloud Hacker To Download Celebrity Nudes
from the lawful-access-opens-a-door-that's-difficult-to-close dept
You may have heard, recently, that the guy who was apparently behind the celebrity nudes hacking scandal (sometimes called “Celebgate” in certain circles, and the much more terrible “The Fappening” in other circles) recently pled guilty to the hacks, admitting that he used phishing techniques to get passwords to their iCloud accounts. But… that’s not all that he apparently used. He also used “lawful access” technologies to help him grab everything he could once he got in.
We keep hearing from people who think that just “giving law enforcement only” access to encrypted data is something that’s easy to do. It’s not. Over and over again, security experts keep explaining that opening up a hole for law enforcement means opening up a hole for many others as well, including those with malicious intent. ACLU technologist Chris Soghoian reminds us of this by pointing to an earlier article about how the guy used a “lawful access” forensics tool designed for police to get access to such data (warning, link may ask ask you to pay and/or disable adblocker):
On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims? data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim?s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB?s forum.
Obviously, the situation with encryption on the iPhone is a bit different, but the same basic principle applies. Opening up a door is, by definition, opening up a vulnerability. And we should be very, very, very wary about opening up any kind of vulnerability. It’s tough enough to find and close vulnerabilities. Deliberately opening one can be catastrophic.
Filed Under: backdoors, celebgate, celebrity nudes, hacking, icloud, law enforcement, lawful access, nudes
Companies: apple, elcomsoft
Comments on “Remember, It Was A 'Lawful Access' Tool That Enabled iCloud Hacker To Download Celebrity Nudes”
Easy fix
1. Force companies to create security vulnerabilities, or discover them and ‘forget’ to mention them to the companies so as to allow ‘lawful access’ to anyone with the right paperwork*.
2. Make it illegal to anyone without that paperwork* to use the security vulnerabilities.
3. Since no criminal would ever break the law, clearly the security vulnerabilities will remain secure, and only used by the proper authorities.
And just like that you’ve got access points for the authorities without any worry needed that someone of less sterling character may utilize them for nefarious ends.
*Depending on circumstance/whim, proper paperwork may or may not be created/filled in after the fact.
Re: Easy fix
Why mess with paperwork? These are SOFTWARE companies. They can create code that knows the difference between a good guy and a bad guy and then simply block the bad ones from getting in.
I’m sure it’s easy for them – they write code all the time.
Re: Re: Easy fix
no
Re: Easy fix
“FBI Snooping Story Should Make Politicians Rethink Data Retention Laws”, by Mike Masnick, Techdirt, Mar 9, 2007
‘Deliberately opening one can be catastrophic’
oh so true but the authorities are not interested in terrorists, they are not interested if they cant stop terrorism, but they are EXTREMELY INTERESTED in knowing every possible thing about every ordinary person on the planet! why? because politicians are, by definition, nothing but a bunch of double standard, lying ass holes and when they get up to their naughtiness, they dont want to be found out and dont want that info spread! if they can access all of peoples communication ways, including having speech monitors scattered around, as soon as there is a mention of so and so telling him/her whatever, they can stop it. if there is to be a demonstration against the government, they will know what is to be done where, when and by how many so that can be stopped! the planet is actually being turned into almost the exact copy of what the Nazis wanted to do, where no one and nothing can so much as think of anything without the government knowing about it and being able to sweep people off the streets, out of their work places and out of their homes, all started by Hollywood!!
I don’t understand how he can be a hacker if the people gave him their details.
Wouldn’t he be a phisher?
Re: Re:
Anyone that does anything that isn’t Facebook, aka “The Internet” is a hacker.
Even if the good guys refuse to make such a tool, you’re kidding yourself if you think bad guys won’t. These tools are going to exist, might as well have them work in our favour by people bound by the law.
Re: Re:
People are lazy. Forcing a criminal to actually put in some effort at carrying out misdeeds is a crime deterrent in and of itself. Make things easier for criminals though, and more people will suddenly decide that they want to be one.
Re: Re: Re:
So what is your position? That software developers be banned from making this kind of software? Again, even if law enforcement refuses to use this tech, there is still a market it for it, meaning it has the ability to be stolen as well.
Re: Re:
Which is rather like saying ‘Criminals can pick/break locks, therefore nothing is lost by requiring homeowners to leave a key in a designated spot for the police to use’.
Just because criminals can do something doesn’t mean you should make it even easier for them by granting them more tools or access points.
Re: Re: Re:
Not at all, this is like saying criminals have lockpicks, locksmiths have lockpicks, so law enforcement should also have and use them under proper legal authority.
Re: Re: Re: Re:
Or, rather than giving everyone lockpicks, the lock maker instead does what they can to make it even more difficult to pick the lock. That this makes it more difficult for criminals and ‘law enforcement’ to break past is just how it works, and better than leaving the vulnerabilities in place, or worse deliberately adding them.
Re: Re: Re: Re:
What That One Guy said. But I would add the there doesn’t appear to be any “proper legal authority” that can be trusted with these sorts of powers.
So this was just a tool allegedly developed for law enforcement, not actually a backdoor in the phones OS or the iCloud service. That’s a wholly different scale in my opinion
“It’s tough enough to find and close vulnerabilities. Deliberately opening one can be catastrophic.”
That is so very true, especially considering that once you deliberately open one it eliminates a lot of the difficulty in the finding it part. Normally hackers are searching for holes that may or may not exist. You put a backdoor in and suddenly they know there is a gaping hole, they just have to kick the door in.
Fair play
Listen, this just shows that cops are not the only individuals who get to be pervs online.
Obviously Mr. Collins should walk...
As the Lawful Access tools are only usable lawfully and by good guys, this man’s use of them demonstrates he’s a good guy who used these tools lawfully.
Ergo, no crime was committed.
(And I say that as an impartial dude who totally didn’t look at the released photos.)
I’m amazed with the speed the trolls and Totalitarianism fanbois are being proven wrong these days. I mean, it’s been a few days since the last post our own pet troll was certain such tools would never, ever be leaked because law enforcement is so cool and magical.