Security researchers are still working to discover how hacker(s) broke into the iCloud accounts of celebrities including Jennifer Lawrence and Kate Upton to download private photos, but Wired reports one of the tools likely used was a piece of police technology designed to intercept data from iPhones.
Elcomsoft Phone Password Breaker (EPPB) by the Moscow forensics company Elcomsoft is designed to let hackers emulate an iPhone user’s handset, which allows them to download a user’s entire iPhone backup, as opposed to just the minimum amount of data saved on iCloud.com.
According to the report, hackers on Anon-IB — a popular forum for posting hacked nude photos — openly discuss using the software in combination with iBrute, which cracks Apple passwords by generating random guesses until stumbling across the correct entry.
“Use the script to hack her passwd…use eppb to download the backup,” an anonymous user on Anon-IB explained to another user. “Post your wins here ;-)”
Early reports of the hack, which may have compromised the private photos of some 100 female celebrities including Lawrence, Upton, Kirsten Dunst and Ariana Grande, directed blame at a flaw in Apple’s “Find My iPhone” app login, which allowed the hacker(s) to execute multiple password attempts until coming across the right one. Other conventional login systems lock a user out after a set number of incorrect entries.
Security researcher and forensics consultant Jonathan Zdziarski said in the report that by using iBrute to hack Apple passwords and EPPB to emulate phones, the hacker(s) could download an entire Apple device’s backup in a single file, which would include photos, videos, text messages, contacts, app data and more.
After analyzing data stolen from Kate Upton, Zdziarski said he had “determined” this is how Upton’s account was accessed.
“You don’t get the same level of access by logging into someone’s [web] account as you can by emulating a phone that’s doing a restore from an iCloud backup,” Zdziarski told Wired. “If we didn’t have this law enforcement tool, we might not have the leaks we had.”
Elcomsoft’s software can cost up to $399 and doesn’t require any law enforcement agency verification in order to purchase. Illegal downloads of the program are also available on BitTorrent websites.
After the leak Apple updated the Find My iPhone login to address the flaw, but released a statement Tuesday asserting the company’s security protocols were not to blame for the hack, arguing any website would be equally vulnerable to such targeted attacks.