As nude celebrity photos spilled onto the web over the weekend, blame for the scandal has rotated from the scumbag hackers who stole the images, to a researcher who released a tool used to crack victims' iCloud passwords, to Apple, whose security flaws may have made that cracking exploit possible in the first place. But one step in the hackers’ sext-stealing playbook has been ignored—a piece of software that was designed to let cops and spies siphon data from iPhones, but is instead being used by pervy criminals themselves.
On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.
“Use the script to hack her passwd...use eppb to download the backup,” wrote one anonymous user on Anon-IB explaining the process to a less-experienced hacker. “Post your wins here ;-)”
Apple's security nightmare began over the weekend, when hackers began leaking nude photos that included shots of Jennifer Lawrence, Kate Upton, and Kirsten Dunst. The security community quickly pointed fingers at the iBrute software, a tool released by security researcher Alexey Troshichev designed to take advantage of a flaw in Apple’s “Find My iPhone” feature to “brute-force” users’ iCloud passwords, cycling through thousands of guesses to crack the account.
If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.
On Tuesday afternoon, Apple issued a statement calling the security debacle a 'very targeted attack on user names, passwords and security questions.' It added that 'none of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.'
But the conversations on Anon-IB make clear the photo-stealing attacks aren't limited to a few celebrities. And Zdziarski argues that Apple may be defining a 'breach' as not including a password-guessing attack like iBrute. Based on his analysis of the metadata from leaked photos of Kate Upton, he says he’s determined that the photos came from a downloaded backup that would be consistent with the use of iBrute and EPPB. If a full device backup was accessed, he believes the rest of the backup’s data may still be possessed by the hacker and could be used for blackmail or finding other targets. “You don’t get the same level of access by logging into someone’s [web] account as you can by emulating a phone that’s doing a restore from an iCloud backup,” says Zdziarski. “If we didn’t have this law enforcement tool, we might not have the leaks we had.”
Elcomsoft is just one of a number of forensics firms like Oxygen and Cellebrite that reverse engineer smartphone software to allow government investigators to dump the devices' data. But Elcomsoft's program seems to be the most popular among Anon-IB’s crowd, where it’s been used for months prior to the most current leaks, likely in cases where the hacker was able to obtain the target’s password through means other than iBrute. Many “rippers” on Anon-IB offer to pull nude photos on behalf of any other user who may know the target’s Apple ID and password. “Always free, fast and discreet. Will make it alot easier if you have the password,” writes one hacker with the email address [email protected]. “Willing to rip anything iclouds - gf/bf/mom/sister/classmate/etc!! Pics, texts, notes etc!”
One of Anon-IB's rippers who uses the handle cloudprivates wrote in an email to WIRED that he or she doesn't consider downloading files from an iCloud backup 'hacking' if it's done on behalf of another user who supplies a username and password. 'Dunno about others but I am too lazy to look for accounts to hack. This way I just provide a service to someone that wants the data off the iCloud. For all I know they own the iCloud,' cloudprivates writes. 'I am not hacking anything. I simply copy data from the iCloud using the user name and password that I am given. Software from elcomsoft does this.'
Elcomsoft’s program doesn't require proof of law enforcement or other government credentials. It costs as much as $399, but bootleg copies are freely available on bittorrent sites. And the software’s marketing language sounds practically tailor-made for Anon-IB's rippers.
“All that’s needed to access online backups stored in the cloud service are the original user’s credentials including Apple ID...accompanied with the corresponding password,” the company’s website reads. “Data can be accessed without the consent of knowledge of the device owner, making Elcomsoft Phone Password Breaker an ideal solution for law enforcement and intelligence organizations.”
Elcomsoft didn’t respond to a request for comment.
On Monday, iBrute creator Troshichev noted that Apple had released an update for Find My iPhone designed to fix the flaw exploited by iBrute. “The end of fun, Apple have just patched,” he wrote on Github. But Anon-IB users continued to discuss stealing data with iBrute in combination with EPPB on the forum Tuesday, suggesting that the fix has yet to be applied to all users, or that stolen credentials are still being used with Elcomsoft’s program to siphon new data. Apple didn’t immediately respond to WIRED’s request for further comment, though it says it's still investigating the hack and working with law enforcement.
For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company's tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple's protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible.
'When you have third parties masquerading as hardware, it really opens up a vulnerability in terms of allowing all of these different companies to continue to interface with your system,' he says. 'Apple could take steps to close that off, and I think they should.'
The fact that Apple isn't complicit in law enforcement's use of Elcomsoft's software for surveillance doesn't make the tool any less dangerous, argues Matt Blaze, a computer science professor at the University of Pennsylvania and frequent critic of government spying methods. 'What this demonstrates is that even without explicit backdoors, law enforcement has powerful tools that might not always stay inside law enforcement,' he says. 'You have to ask if you trust law enforcement. But even if you do trust law enforcement, you have to ask whether other people will get access to these tools, and how they'll use them.'
Criminals can steal your phone number by pretending to be you, and then moving your number to another phone. They’ll then receive security codes sent via SMS on their phone, helping them gain access to your bank account and other secure services.
What is a Port Out Scam?
“Port out scams” are a big problem for the entire cellular industry. In this scam, a criminal pretends to be you and moves your current phone number to another cellular carrier. This process is known as “porting,” and is designed to let you keep your phone number when you switch to a new cellular carrier. Any text messages and calls to your phone number are then sent to their phone instead of yours.
This is a big problem because many online accounts, including bank accounts, use your phone number as a two-factor authentication method. They won’t let you sign in without sending a code to your phone first. But, after the porting scam has taken place, the criminal will receive that security code on their phone. They could use it to gain access to your financial accounts and other sensitive services.
Of course, this type of attack is most dangerous if an attacker already has access to your other accounts—for example, if they already have your online banking password, or access to your email account. But it lets the attacker bypass the SMS-based security messages designed to protect you in this situation.
This attack is also known as SIM hijacking, as it moves your phone number from your current SIM card to the attacker’s SIM card.
How Does a Port Out Scam Work?
This scam has a lot in common with identity theft. Someone with your personal information pretends to be you, asking your cellular carrier to move your phone number to a new phone. The cellular carrier will ask them to provide some personal information to identify themselves, but often providing your social security number is good enough. In a perfect world, your social security number would be private—but, as we’ve seen, many Americans’ social security numbers have leaked in breaches of many big businesses.
If the person can successfully fool your cellular carrier, the switch takes place and any SMS messages sent to you and phone calls intended for you will be routed to their phone. Your phone number is associated with their phone, and your current phone won’t have phone call, texting, or data service anymore.
This is really just another variation of a social engineering attack. Someone calls a company pretending to be someone else and uses social engineering to gain access to something they shouldn’t have. Like other companies, cellular carriers want things to be as easy as possible for legitimate customers, so their security may not be tight enough to fend off all attackers.
How to Stop Port Out Scams
We recommend making sure you have a secure PIN set with your cellular carrier. This PIN will be required when porting your phone number. Many cellular carriers previously just used the last four digits of your social security number as a PIN, which made port out scams much easier to pull off.
- AT&T: Ensure you’ve set a “wireless passcode”, or PIN, online. This is different from the standard password you use to sign into your online account, and must be four-to-eight digits. You may also want to enable “extra security” online, which will make your wireless passcode required in more situations.
- Sprint: Provide a PIN online on the My Sprint website. Along with your account number, this PIN will be used to confirm your identity when porting your phone number. It’s separate from the standard online user account password.
- T-Mobile: Call T-Mobile customer service and ask to add “Port Validation” to your account. This is a new six-to-fifteen digit password that must be provided when you’re porting your number. We don’t know why, but T-Mobile doesn’t let you do this online and forces you to call in.
- Verizon: Set a four-digit account PIN. If you haven’t already set one or don’t remember it, you can change it online, in the My Verizon app, or by calling customer service. You should also ensure your My Verizon online account has a secure password, as that password could be used when porting your phone number.
If you have another cellular carrier, check your carrier’s website or contact customer service to find out how to protect your account.
Unfortunately, there are ways around all these security codes. For example, for many carriers, an attacker who could gain access to your online account could change your PIN. We also wouldn’t be surprised if someone could call your cellular carrier, say “I forgot my PIN,” and somehow reset it if they knew enough personal information. Carriers need to have a way for people who forget their PINs to reset them. But this is all you can do to protect yourself against porting.
Mobile networks are working on beefing up their security. The big four US cellular companies—AT&T, Sprint, T-Mobile, and Verizon—are working together on something called the “Mobile Authentication Taskforce” to make porting scams and other types of fraud harder to pull off.
Avoid Relying on Your Phone Number as a Security Method
Phone number port out scams are one of the reasons you should avoid SMS-based two-step security when possible. We all like to think our phone numbers are completely under our control and only associated with the phone we own. In reality, that’s just not true—when you rely on your phone number, you’re relying on your cellular carrier’s customer service to protect your phone number and stop attackers from stealing it.
Instead of getting security codes sent via text message, we recommend using other two-factor security methods, like the Authy app for generating codes. These apps generate the code on your phone itself, so a criminal would actually need to have your phone—and unlock it—to get the security code.
Unfortunately, many online services require you to use SMS verification with a phone number and don’t provide another option. And, even when services do provide another option, they may let you send a code to your phone number as a backup method, just in case. You can’t always avoid SMS codes.
As with everything in life, it’s impossible to completely protect yourself. All you can do is make it harder for attackers—keep your devices secure and your passwords private, ensure you have a secure PIN associated with your cellular phone account, and avoid using SMS verification for important services.
Image Credit: Foto.Touch/Shutterstock.com.