Hackers may have obtained the recently leaked nude celebrity photos using a combination of a password-breaking script and software designed for law enforcement, according to a new report from Wired. However, in a statement released by Apple on Tuesday, the company wrote, “None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”
Confused? Apple’s defense is mostly semantic and could leave the impression that hackers guessed celebrity passwords based on their security questions. For example, if a hacker knew Jennifer Lawrence’s Apple ID and the name of her first pet, he could have reset her password and accessed her data. However, it appears there is a more complex system behind these leaks.
Wired reporter Andy Greenberg investigated a web forum called Anon-IB where hackers anonymously post stolen nude photos. One of their methods involves hacking Apple’s iCloud with a script called iBrute to crack a person’s Apple password through Find My iPhone.
Then, they use Elcomsoft Phone Password Breaker (EPPB), originally designed for law enforcement, to download a complete backup of that iPhone, including photos, text messages, application data, videos, and contacts–all without the user’s knowledge. Elcomsoft, a Russian software company, markets its product as “an ideal solution for law enforcement and intelligence organizations.” But anyone can purchase the software, and bootleg copies are widely available.
Jonathan Zdziarski, a forensics consult and security researcher, analyzed metadata from Kate Upton’s stolen photos and concluded that they were likely stolen using this method.
As of Monday, iBrute creator and security researcher Alexey Troshichev said that Apple had patched the security flaw that allowed iBrute to work, but on Tuesday, hackers were still posting nude photos to Anon-IB obtained with this method.
So, how could this all have been prevented? Two-factor verification–a process that requires both a password and a PIN sent via text message to log in–is the safest way to secure your most intimate photos in the cloud, aside from not taking them at all. But as Fast Company writer Chris Gayomali discovered Tuesday, Apple makes it quite difficult to activate this extra security measure, even though protecting user data should be a top priority for the company that makes America’s top-selling smartphone.