The software reportedly responsible for this week’s iCloud attacks on famous female celebrities is meant for government institutions, this according to the CEO of the company behind the software, Vladimir Katalov.
“It’s a double-edged sword; it can be used for both good and bad,” said Katalov in a phone interview.
The software is called Elcomsoft Phone Password Breaker (EPPB) and is developed by Elcomsoft, a Russian company specializing in computer forensics. As Wired first reported, ElcomSoft’s name first popped up on web forum Anon-IB, where hackers claim to have used the EPPB software– which allows you to retrieve iCloud Backups with a user’s original credentials– to extract nude photos from other people’s iCloud accounts. According to Business Insider, it was this software that was responsible for stealing iCloud data from celebrities like Jennifer Lawrence, Kirsten Dunst, and Kate Upton.
The software works by emulating a device, which is required to access a person’s iCloud backup. If someone manages to get a hold of your Apple ID and password, or if they use brute force attacks, they can log in with your credentials, and just like that, they’ll have access to all of your iCloud backup data. Even scarier is that you won’t know about it: there is no notification that the account was accessed by an unauthorized user.
“The benefits to the user outweigh the risk of making the software publicly available.”
According to Katalov, however, the software is meant for government and law-enforcement agencies, even though it started off as a software to help regular end-users retrieve lost iCloud data. Still, Katalov said that government and law-enforcement agencies make up roughly 75% of the company’s sales, which aside from EPPB, includes a slew of around 25 products all dealing with computer forensics.
Considering that the software is predominantly used by government agencies like the FBI and the CIA– at least according to Katalov– could it be possible to require some sort of proof of law enforcement or other documentation for people purchasing the software?
Unlikely, said Katalov, who supports the idea that it’s still a useful product for the everyday user, as was its actual intention from the beginning. Still, that doesn’t mean that the average Joe– or hacker– can’t get his hands on the software.
“The benefits to the user outweigh the risk of making the software publicly available,” said Katalov, but when it comes to this kind of software, there’s little that hackers wouldn’t be able to do to get it. Consider that while 75% of sales are made up of those from government agencies, that doesn’t include downloads from illegals torrents of the pricey ‘forensics’ version of the software.
The most disconcerting part, however, is the fact that EPPB has already been around for two years without any collaboration (or fuss) from Apple. According to Katalov, the software doesn’t use any vulnerabilities or security exploits in iCloud, although the lack of two-step verification with Apple ID and a security hole in the iCloud Control Panel is a huge oversight in the system’s security.
Still, Apple does follow security standards for the most part, encrypting all data sent between Apple devices and its iCloud servers. Data stored in iCloud is also encrypted with a relatively strong minimum of 128-bit AES.
“This means that you need an official method of accessing the data so that you can see it decrypted, which means the issue lies more with weak passwords and the lack of two-step authentication [emphasis added] on all the client software that is available,” said AVG’s Head of Free Products Tony Anscombe.
“Any system protected by security questions is not safe.”
Although iCloud supports two-factor authentication, it is easily defeated because of Apple’s implementation of security questions. “Any system protected by security questions is not safe. But with iCloud, you can get into the account and change the password by simply answering the security questions,” says Lastpass CEO Joe Siegrist.
When asked how iCloud users can protect themselves from similar attacks, Siegrist said “Don’t use iCloud.” If you want the convenience of storing your photos in the cloud, check out Google+ and Dropbox. Otherwise, keep your photos on your phone or back them up directly to you computer.
“Don’t use iCloud.”
Beyond avoiding iCloud, security company avast! recommends using strong and unique passwords for every site. Password managers like 1Password, Lastpass and Dashlane are great programs that will help you generate and manage all your passwords. For more information about how to protect yourself online, check out our guide here.
Apple is currently working with the FBI to determine how the hackers gained access to the celebrity photos, and while EPPB has been implicated by some news outlets, its still unclear how exactly it was done. The software certainly yields a frighting amount of power to crack iCloud accounts, even with two-factor authentication active. Still, less complicated methods like phishing, social engineering, and brute force attacks were likely used by attackers to gain access. The company also promises to tighten security in the next two weeks.
When asked how Katalov felt about the recent high-profile incident and the fact that his software was potentially responsible, he said he’s not happy about it, but that even if the hackers did use his software, it’s not their only option. “Once the bad guys get the Apple ID and password, they can do the same using a device and the credentials, without using a third-party software like ours. Unfortunately, our software just happens to make it easier for them to do so.”
We’ll continue following the story as more details emerge.
Lewis Leong contributed to this report.
Follow me on Twitter: @suzieblaszQwicz
Hole found in Apple’s two-step verification system with iCloud Control Panel
Apple is ‘actively investigating’ possible iCloud security breach
What you need to know about syncing photos in iCloud
Header image background: leolintang via Flickr