If you're new to AirPods, considering buying a pair, or just want to pick up some new tips.
AirPods and AirPower: Everything We Know
Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
Earlier today, Apple issued a press release stating that an iCloud/Find My iPhone breach had not been responsible for the leak of several private celebrity photos over the weekend, instead pointing towards a "very targeted attack on user names, passwords, and security questions" hackers used to gain access to celebrity accounts.
The company did not divulge specific details on how hackers accessed the iCloud accounts, leading Wired writer Andy Greenberg to investigate the methods that hackers might possibly have used to acquire the stolen media.
Greenberg visited Anon-IB, a popular anonymous image board where some of the celebrity photos first originated, and discovered that hackers openly discuss exploiting software designed for law enforcement and government officials. Called ElcomSoft Phone Password Breaker (EPPB), the software in question lets hackers enter a stolen username and password to obtain a victim's full iPhone/iPad backup.
"Use the script to hack her passwd...use eppb to download the backup," wrote one anonymous user on Anon-IB explaining the process to a less-experienced hacker. "Post your wins here ;-)"Acquiring just a user name and password allows hackers access to content on iCloud.com, but with the accompaniment of the ElcomSoft software, a complete backup can reportedly be downloaded into easy-to-access folders filled with the device's contents.
According to security researcher Jonathan Zdziarski, who spoke to Wired, metadata from some of the leaked photos is in line with the use of the ElcomSoft software and possibly the iBrute software, which exploited a vulnerability in Find My iPhone to allow hackers unlimited attempts to guess a password. Apple has, however, patched the exploit, and has suggested iBrute was not a factor in the attacks.
As noted by TechCrunch, using ElcomSoft's software to download an iPhone's backup successfully circumvents two-factor verification as the two-factor authentication system does not cover iCloud backups or Photo Stream.
Two-factor verification can make it much more difficult for hackers to acquire a user's login credentials in the first place, preventing many attacks, but an iCloud backup can be installed with just a user name and a password.
The ElcomSoft software does not require any credentials to buy and while it costs $399, it is also available on bittorrent sites. The vulnerability in iCloud backups has been known for some time, with ElcomSoft's own CEO pointing towards the lack of two-factor authentication for iCloud backups back in May of 2013.
Apple has explored expanding two-factor authentication to some iCloud services, but an official expansion of the security feature has not yet been introduced.
Tag: Jonathan Zdziarski
[ 227 comments ]
Top Rated Comments
(View all)
58 months ago
The ripping process, which has been going on for months:
Lots of security holes here, including weak password reset verification questions.
Lots of security holes here, including weak password reset verification questions.
58 months ago
It seems there are no end if tricks available to the scumbags out there willing to do hurtful things.
However, bottom line (pun intended) is, if you want nude snaps of yourself, fine, take some, but don't keep them on your phone or in the cloud where they are most vulnerable.
While I have some sympathy for the victims, I also believe ignorance is not really an excuse these days.
People have to accept more responsibility for their actions, even if the consequences are far beyond what they initially imagined. The sad fact is in our cottonwool society is far easier to blame everyone else for everything than accept some responsibility personally. If you don't agree then you're part of the problem.
However, bottom line (pun intended) is, if you want nude snaps of yourself, fine, take some, but don't keep them on your phone or in the cloud where they are most vulnerable.
While I have some sympathy for the victims, I also believe ignorance is not really an excuse these days.
People have to accept more responsibility for their actions, even if the consequences are far beyond what they initially imagined. The sad fact is in our cottonwool society is far easier to blame everyone else for everything than accept some responsibility personally. If you don't agree then you're part of the problem.
58 months ago
I think you need to change the headline for this article, so you are not claiming that someones opinion is fact.
Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
Should be changed to:
Hackers May Be Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
Should be changed to:
Hackers May Be Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
58 months ago
Interesting timing with Apple about to come out with a mobile payments system.
58 months ago
If, and that obviously is an IF, that is what happened then Apple should not claim that the images were not stolen due to weaknesses in their security. In fact, this is an even bigger potential hole in their security in my opinion. And to those who want to make it the victims fault that these photos were stolen: You are messed up in the head.
58 months ago
Another attack vector.
Not sure why Apple allows outside vendors access to their cloud?
The worst part is that Elcomsoft documents these holes, and Apple has no reason to keep open.
Also, Elcomsoft has Windows Live exploits available as well.
Not sure why Apple allows outside vendors access to their cloud?
The worst part is that Elcomsoft documents these holes, and Apple has no reason to keep open.
Also, Elcomsoft has Windows Live exploits available as well.
58 months ago
There is good to come of all this
I suspect by year end, Photos in iCloud, iCloud Backups, everything, will all be encrypted.
I suspect by year end, Photos in iCloud, iCloud Backups, everything, will all be encrypted.
58 months ago
i still don't understand how they got their username/email address
Social engineering, the black web, search engines and such, plus a ring of underground bad guys collaborating, together, achieve this and more.
58 months ago
Time for Apple to realize that people do have and take these kinds of photos of either themselves or their partners.
It'd be nice if they allowed people to mark photos like these with a tag or something so you can hide them in the Photos app or have them in a password protected/Touch ID protected vault.
Also, these would be exempt from Photo Stream and other possible higher security decisions could be made.
OR: Of course they can pretend people just don't do that, everyone is living in a Disney world where nudity doesn't even exist and keep on going the same way.
I don't blame Apple, I just hope that MAYBE this could be a reminder for Apple to acknowledge that people do have files they want to treat differently.
Glassed Silver:mac
It'd be nice if they allowed people to mark photos like these with a tag or something so you can hide them in the Photos app or have them in a password protected/Touch ID protected vault.
Also, these would be exempt from Photo Stream and other possible higher security decisions could be made.
OR: Of course they can pretend people just don't do that, everyone is living in a Disney world where nudity doesn't even exist and keep on going the same way.
I don't blame Apple, I just hope that MAYBE this could be a reminder for Apple to acknowledge that people do have files they want to treat differently.
Glassed Silver:mac
[ Read All Comments ]
Parallels this week debuted a new promo bundle for both new and current users, offering a chance to buy or upgrade to Parallels Desktop 14, and then get ten other Mac apps for free. New owners can...
Over the past few weeks, a handful of users have reported receiving the message "an error occurred" when attempting to load the "For You" tab in iTunes, which provides personalized...
The latest Apple Pay promotion offers you the chance to get $5 off movie tickets with Fandango. To see the discount, you'll have to purchase two or more tickets within a single transaction...
Google Maps this week updated its iOS app with a new "Follow" feature, letting you keep track of events and news from your favorite local restaurants, bakeries, or bars. You can follow a...
Twitter today launched its Twitter Prototype Program and is accepting applications from people who want to beta test new Twitter features on iOS devices. Twitter's tests will be done through a...
Shazam, the song discovery app that's now owned by Apple, received a minor bug fix update last week, which, according to AppFigures, removes all third-party SDKs.
Shazam for iOS is no longer...
As of February 27, 2019, Apple is requiring that all Developer accounts with an Account Holder role be secured with two-factor authentication in order to ensure that only the account owner is able to...
Apple today seeded the third beta of an upcoming tvOS 12.2 update to its public beta testing group, one day after providing the beta to developers and a week after releasing the second tvOS 12.2...
