Over the course of the last few days, I've written a number of articles related to the celebrity photo thefts that surfaced Sunday. Many of those posts have focused on how safe — or unsafe — various cloud service providers are.
On Tuesday, while doing research into the origins of these thefts and the culture around them, I kept coming across references to Elcomsoft Phone Password Breaker, a piece of software colloquially known as EPPB in various underground communities.
EPPB is a program that makes it possible for a user to download iCloud backups from Apple's iCloud servers onto a computer. Once there, the backups can be scoured for information including camera rolls, messages, email attachments and more.
In essence, the app reverse-engineers Apple's "restore iOS backup" functionality, only instead of restoring the backed-up data to a physical device, it downloads it to a computer.
The application, which costs between $79.99 and $400 depending on the version, can also be used to retrieve backups from Windows Live (now OneDrive) and to unlock access to BlackBerry, BlackBerry 10 and iOS backups.
Perusing various image boards on 4chan and AnonIB, it's clear that EPPB is the tool of choice for most individuals involved in the iCloud "rips," as they are known, that are believed to be at the center of the celebrity photo thefts.
EPPB even promises to let users access iCloud backups without a password. Yes, there are caveats, but that promise was intriguing.
Curious (and a bit concerned), I decided to figure out how this software works and try to theorize just how easy it would be for anyone to do their part to break into an iCloud account. My initial target was myself, though I soon found that it would be remarkably easy to use this type of software to access the iCloud backups of my colleagues, my spouse and many of my family members.
For just $200, and a little bit of luck, I was able to successfully crack my own iCloud password and use EPPB to download my entire iCloud backup from my iPhone. For $400, I could have successfully pulled in my iCloud data without a password and with less than 60 seconds of access to a Mac or Windows computer where I was logged into iCloud.
Breaking into iCloud is way easier than I thought it would be
Even after reading through various image boards and seeing boasts of how easy it was to "rip" iCloud backups, I held out hope that the process of actually downloading my own iCloud data would be slightly difficult.
Sure, many of the boasters sounded unintelligent (and not tech-savvy in the way that most good cracker types usually are), and sure, the website for EPPB had disarmingly simple-looking screenshots, but surely the process for breaking into my own iCloud account would be difficult. Right?
OK, so how does someone obtain an iCloud password? Well, again, this was easier than I thought it might be.
As Nik Cubrilovic outlines in his excellent post on the data theft, there are a few common vectors (that is, attack holes) for obtaining an iCloud password. Cubrilovic lists them in order of popularity and effectiveness:
- Password reset (secret questions / answers)
- Phishing email
- Password recovery (email account hacked)
- Social engineering / RAT install / authentication keys
The first possibility, using a password reset, can be remarkably effective. As Cubrilovic notes, "Apple accounts seem particularly vulnerable because of the recovery process, password requirements and ability to detect if an email address has an associated iCloud account."
"The recovery process is broken up into steps and will fail at each point. While Apple do not reveal if an email address is a valid iCloud address as part of the recovery process, they do reveal if it is valid or not if you attempt to sign up a new account using the same email – so verification (or brute force attempts) are simple. The second step is verifying the date of birth and it will pass or fail based on that data alone so can be guessed, while the last step is the two security questions."
In other words, it's very easy to figure out if an email account is connected to an Apple ID. That's step one. Step two is as simple as knowing the account creator's birthday. This information is often widely available, thanks to Facebook, credit reports and other information across the web. For celebrities, that information might even be in Wikipedia. The next step, which requires answering two security questions, comes down to simple social engineering.
As a test, I decided to see if I could successfully reset the Apple ID account password for my sister (sorry, Kelley). I entered in her iCloud username and her birthdate, and then came across two security questions.
It turns out, I only knew the answer to one of the questions. Simply hitting "refresh" on the question page, however, led me to a new combination of questions. Eventually, I managed to get a pair of questions I could answer. Voila, reset.
Until Monday, the process could have been even easier, thanks to a brute-force tool that took advantage of Find My iPhone's lack of rate-limiting. Apple has since closed that hole, but with a particularly bad password and some time (so as not to trip the rate-limiting), this is an option too.
In fact, I was able to use an iBrute-like tool to crack my own password (which, to be clear, was chosen to be extremely easy to crack. Like, it was Passw0rd1. Apple wouldn't let me use Passw0rd, but Passw0rd1 was just fine).
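To make the design flaw in the reset flow and the missing rate-limiting concrete, here is an added example (not from the article, and not Apple's or Elcomsoft's code) that contrasts a toy reset checker which fails at each step with a hardened one that checks every factor together, answers uniformly, and throttles attempts per account. Account data, questions and answers are constructed for the example.

```python
import hmac
from collections import defaultdict

# Constructed sample account store: email -> (date of birth, {question: answer}).
ACCOUNTS = {
    "alice@example.com": ("1985-03-14", {"pet": "rex", "city": "boise"}),
}
DUMMY = ("0000-00-00", {"pet": "", "city": ""})  # stand-in record for unknown emails


def stepwise_reset(email, dob, answers):
    """Leaky design, as the article describes: each step fails on its own,
    so each factor (account existence, birthday, answers) can be confirmed
    independently before moving on to the next one."""
    if email not in ACCOUNTS:
        return "unknown account"
    real_dob, qa = ACCOUNTS[email]
    if dob != real_dob:
        return "wrong date of birth"
    if any(answers.get(q) != a for q, a in qa.items()):
        return "wrong security answer"
    return "reset allowed"


MAX_ATTEMPTS = 5
_attempts = defaultdict(int)  # per-email counter; a real service would persist this


def _eq(a, b):
    # Constant-time compare so response timing does not reveal which factor failed.
    return hmac.compare_digest(a.encode(), b.encode())


def hardened_reset(email, dob, answers):
    """All factors are checked together, the caller always gets the same reply,
    and each account is throttled after MAX_ATTEMPTS. Returns (public_reply,
    granted): only the reply is shown; 'granted' decides whether a reset link
    is mailed to the address on file."""
    _attempts[email] += 1
    throttled = _attempts[email] > MAX_ATTEMPTS
    real_dob, qa = ACCOUNTS.get(email, DUMMY)   # unknown email still does full work
    ok = email in ACCOUNTS
    ok &= _eq(dob, real_dob)
    for q, a in qa.items():
        ok &= _eq(answers.get(q, ""), a)
    return "If the account exists, a reset link has been sent.", ok and not throttled
```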
So once you have an iCloud password, what can you do then?
Well, this is where EPPB comes into play. The program, which runs on Windows, simply asks for the username and password of the iCloud account in question. Log in and you'll be greeted with the available device backups from that particular user.
You can see what I saw after purposefully cracking my very bad password:
Now, this will download everything from my latest iCloud backup. It's basically the same as an iTunes backup you would do normally on your computer, but with a major exception: the data is not encrypted. With iTunes, you can opt to encrypt your phone backups, which would require another passcode or security code to access. With iCloud backups, that isn't the case.
Although the iOS Keychain file is encrypted (but there are tools that can help crack that), the actual files themselves, including your camera roll, call history, messages and other data are not.
EPPB even lets users select what data they want to get. So if you're just interested in the camera roll, which includes all photos and videos stored on the phone, you can do that.
From here, it's as simple as downloading the backup to a designated folder. Many iCloud rippers tend to use Google Drive and Dropbox as the destination folder for these rips, because it makes it easier to share the stuff with others.
Then, any number of iPhone backup viewer utilities can be used to access the data in an easy-to-use manner.
The cost of this exercise? Just $200 if you buy the software directly from Elcomsoft. It also shouldn't be surprising that cracked copies of Elcomsoft's tools are available all over the web, though I imagine the success rate with those copies has probably declined as the software has gained more public attention.
Even though my iCloud password was purposefully chosen to be easy to crack, I want to make one thing clear: I had two-factor verification turned on for this account.
As we've mentioned before, Apple's two-factor implementation does not protect your data, it only protects your payment information. Yes, if you have two-factor authentication enabled, the password reset process for an account can be greatly impeded (you need to provide a special one-off key before you can reset a password), but assuming someone can get your password anyway using any number of phishing or remote-access methods, two-factor verification is absolutely not required for accessing an iCloud backup.
To me, this is an insanely huge hole in Apple's security systems. And this isn't a new revelation. This hole was pointed out by Elcomsoft, the creators of EPPB, in May 2013. The Elcomsoft team has even given security presentations on this flaw.
What makes this even worse is that Apple is encouraging users to use "strong passwords and two-step verification." That's all well and good, but in this case, two-step verification wouldn't have mattered. If someone can get physical or remote access to a computer that uses iCloud or successfully convince a user to click on a phishing email for iTunes and get a password, an iCloud backup can be downloaded remotely, two-factor verification or not.
For $400 I could steal iCloud data from everyone in my office
The basic "professional" version of Elcomsoft's EPPB allows users to download iCloud data with a username and password. For $400, the forensic version of the software goes one step further: You don't even need access to the password. You just need to have remote or physical access to a machine where someone is logged into the iCloud control panel.
That's because Elcomsoft has created a tool that can offer access to iCloud backups simply by copying an iCloud authentication token from Windows or OS X.
A small program is included with EPPB that can be run from the command line on Windows or OS X. The program checks whether the user has the iCloud Control Panel for Windows installed (or is logged into iCloud on OS X) and, if so, copies the authentication token from the proper place into a text file for easy copying.
Then just enter this token into EPPB and voilà, you can log in and download iCloud data. You don't even need a user's iCloud or Apple ID email address.
For me, this type of attack is the most jarring because it shows just how easily regular people in our lives could access our cloud backups.
I could quite easily take a USB thumb drive from machine to machine across Mashable's offices and run the program and then get iCloud authentication tokens. It would take me less than 60 seconds to do, 30 seconds if I was super fast.
This shouldn't be possible. If Apple won't encrypt iCloud backups (which it should), at the very least, it should make the authentication token stored on Windows or OS X harder to access. I can give Apple a pass on a lot of aspects of security, but this is just amateur hour.
Moreover, this proves just how easy it would be for law enforcement or the government to access cloud data from users if they just have physical (or remote) access to a computer.
Understanding what EPPB is and why it exists
It would be easy to want to blame the tools (in this case, EPPB) for making iCloud backups so accessible.
The truth is, however, that these tools exist for a reason and have many valid purposes.
One of the target audiences for tools like EPPB is law enforcement, repair shops and IT administrators. Law enforcement agencies frequently use forensic tools to try to recover information from digital devices that may be used as evidence of a crime.
These types of software programs also are not new. As long as we have been putting locks on doors and safes, there has been a secondary market of locksmiths and safe-crackers.
In the desktop computing world, there is an entire market segment dedicated to applications for computer forensics, data recovery and account access.
When I was in college, I worked as a PC and Mac repair tech at a major big box chain. Back then (we're talking a decade ago), I used many of these tools when working on customer machines.
I used to keep USB sticks, DVDs and CDs loaded with apps such as ERD Commander, BartPE and Offline NT Password Reset on hand. To this day, I still maintain a collection of Mac forensics software so that I can better diagnose and have luck at fixing the various Mac desktops and laptops on my home network.
Which is why I probably shouldn't be as surprised as I am by the forensic tools available for smartphones.
Still, although I absolutely agree that tools like EPPB deserve to exist (and can even be useful for those with non-nefarious goals in mind), I'm still a bit gob-smacked that the tools are as inexpensive and accessible as they are. Maybe I'm just naive, but I didn't expect that my cloud data would be as easy to access as it is. I also didn't expect it to be accessible from a piece of software with a solid UI and with a relatively low price tag.
A $200 (or even $400) program might be steep for some users, but it's far less expensive than the thousands of dollars a seat other mobile phone forensic toolkits go for. That's probably one of the reasons EPPB has become the 4chan and AnonIB tool of choice. It's cheap, the DRM can be cracked and there is no dongle requirement of the kind that often comes with the more expensive software targeted at law enforcement.
Elcomsoft knows EPPB has a reputation for being used for iCloud hacking, and the company's response is as you would expect: "we're sorry our software is used in this way, but that's not the intention." And frankly, I'm OK with that position. As long as there are locks, there will be lock pickers.
Having said that, however, I do believe there is some onus on the cloud providers to make the job of reverse-engineering these types of solutions more difficult.
Steps Apple should take now to improve iCloud security
Using my own experience of hacking into my iCloud account (and my sister's account) and accessing iCloud data from EPPB, I see a few very obvious things Apple could do that would make it more difficult for individuals to access iCloud data, even with forensic software.
- Encrypt iCloud backups. I realize that encrypting backups would make the phone restoration process more lengthy and that this would have a negative customer impact, but I think that it is something Apple needs to do anyway. I would feel better if the download someone got from iCloud was encrypted and that the key could only be unlocked on a device I specifically sign into.
- Stop storing iCloud authentication tokens in plaintext. It's insane that I could access my colleagues' iCloud backups just by spending 60 seconds at their computer. Stop storing this data in plaintext to prevent this sort of thing from happening. Update: I've heard from a number of readers that encrypting the authentication token isn't a feasible possibility. I'm not sure what the solution is to this problem, but it needs to be acknowledged that this is a potential vector for iCloud data access.
- Make two-factor authentication actually protect something more than just payment methods. Look, I get that for most users, the most pressing need is to protect against people trying to steal your credit card information, not your photos. But as the celebrity photo thefts have shown, there is an entire underground subculture of individuals who are committed to breaking into the accounts of friends, acquaintances, spouses, girlfriends and ex-girlfriends. The average user shouldn't be concerned about a stranger hacking into their account, they should be concerned about how easy it would be for someone they know to do so. Two-factor authentication attached to an iCloud backup would help make that much, much more difficult.
- Make two-factor verification easier to set up. Apple's current process is ad hoc at best and is not easy to set up. Not only does it take three days to do, the entire process is not user friendly. Make this better.
- Be more transparent about how secure iCloud backups are and how easy it is for others to access that data.
As for me, seeing just how easy it would be for someone to access my iCloud data, even with two-factor authentication enabled, has me uneasy.
I'm not going to disable iCloud or its auto-backup feature. I'm still going to pay for extra iCloud storage. Still, it has me re-thinking some of my plans for paying for more storage once Apple unveils its new pricing plans alongside iOS 8. I had thought I would start putting more of my documents from my Mac on iCloud too. Now, I'm not so sure.
The scariest thing about all of this is the fact that it reiterates once again how much information security, as an industry, has to improve. We need to improve how users are educated, how systems are implemented and how threats are mitigated.