Yet another major data breach has been announced, this time affecting sensitive photos stored on celebrities’ iCloud accounts. In the wake of the incident, Apple has released a statement calling the breach “a very targeted attack on user names, passwords and security questions,” adding that “none of the cases we have investigated has resulted from any breach in any of Apple’s systems, including iCloud and Find My iPhone.”
After investigating the breach, it appears that a piece of software used by law enforcement agencies to retrieve data from iPhones may have been leveraged to steal the celebrity photos, according to Wired contributor Andy Greenberg. Cybercriminals on the Web forum Anon-IB have openly discussed using software called Elcomsoft Phone Password Breaker to download the iCloud backup data from the iPhones of unsuspecting victims, even though the software is intended to be used by government agencies.
Another tactic used to steal sensitive information from these phones is iBrute, which exploits a flaw in the Find My iPhone program that allows login credentials to be entered an unlimited number of times. That lets it flood the program with password attempts without ever being locked out, according to ZDNet contributor Jason O’Grady.
Hackers can keep trying password combinations for as long as they like until they land on the correct one. When used in tandem, iBrute and EPPB would theoretically allow anyone to impersonate an iPhone user and easily download his or her iCloud backup data instead of the limited information available on the iCloud website.
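The control missing from the flaw described above is a limit on failed login attempts that applies to every endpoint accepting the same credentials. The following is an added example, not Apple's code and not part of the original article; the names `LoginThrottle` and `attempt_login`, the thresholds and the sample password are assumptions chosen for illustration.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account failed-login limiter with an exponentially growing lockout.

    One instance must be shared by every endpoint that accepts the same
    credentials; a limiter on the main login page alone leaves any other
    endpoint open to unlimited guessing.
    """

    def __init__(self, max_failures=5, base_lockout=60, max_lockout=3600,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout      # seconds for the first lockout
        self.max_lockout = max_lockout        # upper bound on any lockout
        self.clock = clock                    # injectable for testing
        self._failures = defaultdict(int)     # account -> consecutive failures
        self._locked_until = {}               # account -> unlock timestamp

    def allowed(self, account):
        return self.clock() >= self._locked_until.get(account, 0.0)

    def record(self, account, success):
        if success:
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return
        self._failures[account] += 1
        extra = self._failures[account] - self.max_failures
        if extra >= 0:
            # Double the lockout for each failure past the threshold.
            delay = min(self.base_lockout * 2 ** min(extra, 16), self.max_lockout)
            self._locked_until[account] = self.clock() + delay


def attempt_login(throttle, account, password, verify):
    """Return 'locked', 'ok' or 'denied'.

    The throttle is checked before the password is verified, so a locked
    account gives no feedback on whether a guess was correct.
    """
    if not throttle.allowed(account):
        return "locked"
    ok = verify(account, password)
    throttle.record(account, ok)
    return "ok" if ok else "denied"
```

Because the lockout is keyed by account, a production deployment would usually pair it with per-source limits and alerting so that an outsider cannot keep a legitimate user locked out indefinitely.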
Double Trouble Malware
Using the two attacks in concert gives hackers access to a drastically greater amount of information, according to forensic consultant and security researcher Jonathan Zdziarski. In an interview with Wired, Zdziarski noted that cybercriminals can only access a handful of files if they simply steal login credentials for an iCloud account, but by impersonating the device, the entire phone’s backup data can be downloaded onto a single folder.
While Elcomsoft seems to have made the software that aided in the hack this time around, they are only one of multiple manufacturers who sell similar programs, most of which are readily available online for malicious actors to use at any time.
One of the most shocking things about this breach is the fact that, while Apple has implemented two-factor authentication for many of their services, iCloud and PhotoStream accounts were not protected by that security measure.
TechCrunch contributor Matthew Panzarino noted that Apple has known that these programs haven’t been covered by two-factor authentication for over a year, and yet nothing was done about it. Employing strong authentication is one of the most reliable ways businesses can protect their customers against a data breach.
This type of data security requires multiple forms of identification before issuing access to privileged information or systems, ensuring only authorized users are allowed in. The need for strong authentication to defend enterprise information has never been greater, so make sure systems are protected by the best level of security available.