EPPB tool copies usable to download victims’ data from iCloud backups

Copies of the Elcomsoft EPPB tool are circulating in the underground and could have been used in the recent leak of celebrity photos.

Recently naked pictures of celebrities have been leaked online, but security experts were particularly interested to the news because they speculate that the images have been stolen from the Apple iCloud service.

The case is not isolated, security experts are aware of numerous attacks against online storage services, including the popular iCloud, Google Drive and DropBox.

In the underground is quite easy to find forums where hackers sell images stolen from unaware Apple iCloud accounts, threat actors use to compromise cloud storage services using software designed with the specific intent to gather pictures online from poorly protected accounts.

Some of the nude celebrity images have first been circulated on Anon-IB, the most popular anonymous image boards for posting stolen nude selfies. As explained in a blog post published by Wired, through the forum are offered many applications for iCloud “ripping,” or downloading the entire contents of an account.

“Ripping right now! Send email with Apple ID and Password and I will have it ripping ASAP. Will keep everything private!” report one posting on Anon-IB.

One of the software most debated is Elcomsoft Phone Password Breaker (EPPB ) which allows an attacker to download data from iCloud backups. As explained by the Elcomsoft CEO Vladimir Katalov, the software is a forensic tool sold to government agencies for legitimate uses, but the company doesn’t exclude that copies has been offered for sale in the underground.

EPPB doesn’t exploit flaws in Apple services, the use of such tools once the account Apple ID and password have been compromised allows attacker to access data stored in the backup. The EPPB allows to analyze all the data related to an Apple device, including text messages, pictures, email attachments, call logs, address books, calendars, email account settings and much more.

“All that’s needed to access online backups stored in the cloud service are the original user’s credentials including Apple ID…accompanied with the corresponding password,” the company’s website reads. “Data can be accessed without the consent of knowledge of the device owner, making Elcomsoft Phone Password Breaker an ideal solution for law enforcement and intelligence organizations.” states Wired.

A hacker who knows the victim’s Apple credentials could recover the data, set up a new device and restore it with the targeted account’s iCloud data.

“If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consult and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.” states Wired.

EPPB can download specific pieces of data from the backup, allowing law enforcement officials to select only information of interest and reducing the time necessary for data extraction.

If the hackers behind the leaking of the naked celebrity pictures have used a tool like the EPPB, it is likely they had access to much more data like SMSs and address books which could allow them to conduct further targeted attacks.

Apple users are advised, enabling two-factor authentication they can ensure further protection to the accounts.

Pierluigi Paganini

(Security Affairs – EPPB software, iCloud)