Stealing Nude Pics From iCloud Requires Zero Hacking Skills -- Just Some YouTube Guides


The Department of Justice yesterday charged a 36-year-old man, Ryan Collins, with stealing nude photos from at least 50 iCloud and 72 Gmail accounts, most of them belonging to celebrities. Though neither the court filings nor the DoJ's official statements say so explicitly, Collins is evidently a chief suspect in the 2014 "celebgate" leaks, in which major actresses including Jennifer Lawrence and Kate Upton were targeted. Collins has pled guilty to one count of unauthorized access to a protected computer to obtain information, officials said.

What's startling about Collins' alleged "hacks" is how little technical ability they required. According to the court documents he needed no hacking skills at all: he set up two ordinary consumer mailboxes, e-mail.protection318@icloud.com and noreply_helpdesk0118@outlook.com, whose names made them look like official Apple and Google support addresses, then simply emailed the celebrities asking for their login details, which, it seems, they duly handed over. Neither address belongs to Apple or Google; anyone can register a similar-sounding name on icloud.com or outlook.com, which is exactly why a support-style mailbox on a consumer mail domain should be treated as a red flag.

It would be easy to chastise celebrities for being careless with their security and falling for "phishing" tactics that more security-minded people would immediately recognise as criminal. But even an attacker with limited technical skill can easily find someone else to craft a convincing phishing email, or can simply follow one of the free guides available all over the web.
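The tells in the two attacker addresses above (a vendor name in the display name, a "helpdesk"/"protection" mailbox on a consumer mail provider, and a body that asks the recipient to send a password) are exactly the things a mail-triage rule can score. The following is an added example, not code from the article or from any party it names; the two sender addresses are those quoted in the DoJ filing, while the subjects, bodies, the `VENDOR_DOMAINS` allow-list and the "legitimate" control message are constructed assumptions for the example. In production the sender-domain check would be replaced by SPF/DKIM/DMARC authentication results rather than a hand-written domain list.

```python
"""Heuristic triage of 'send us your password' phishing mail.

Added example, not code from the article. Sample messages are constructed;
the two attacker addresses are the ones quoted by the DoJ, everything else
(subjects, bodies, domain lists) is an assumption made for this example.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Optional

# Assumed allow-list of domains a genuine vendor notice would come from.
# A real deployment would rely on SPF/DKIM/DMARC results instead.
VENDOR_DOMAINS = {
    "apple": {"apple.com", "email.apple.com", "id.apple.com"},
    "google": {"google.com", "accounts.google.com"},
}

# Consumer mailbox providers: anyone can register "e-mail.protection318" here,
# so a vendor "support" notice sent from one of these is suspicious.
FREEMAIL = {"icloud.com", "me.com", "outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}

# Mailbox names that try to look like an official support desk.
SUPPORT_STYLE = re.compile(r"help ?desk|support|protection|no[-_]?reply|security", re.I)

# "reply with your password", "confirm your login", etc. within one sentence.
CREDENTIAL_REQUEST = re.compile(
    r"\b(reply|send|provide|confirm|verify)\b[^.]{0,80}\b(password|login|credentials|apple id)\b",
    re.I,
)


def sender_domain(header: str) -> str:
    """Domain part of an RFC 5322 address header ('' if none)."""
    _name, addr = parseaddr(header)
    return addr.rpartition("@")[2].lower()


def vendor_claimed(msg: Message) -> Optional[str]:
    """Which vendor the message presents itself as, judging by From and Subject."""
    text = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    for vendor in VENDOR_DOMAINS:
        if vendor in text:
            return vendor
    return None


def triage(raw: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no tell fired."""
    msg = message_from_string(raw)
    findings: List[str] = []

    from_header = msg.get("From", "")
    domain = sender_domain(from_header)
    local = parseaddr(from_header)[1].partition("@")[0].lower()

    # 1. Display name / subject claims a vendor but the address is not theirs.
    vendor = vendor_claimed(msg)
    if vendor and domain not in VENDOR_DOMAINS[vendor]:
        findings.append(f"claims {vendor} but sent from {domain}")

    # 2. Support-desk style mailbox registered on a consumer mail provider.
    if domain in FREEMAIL and SUPPORT_STYLE.search(local):
        findings.append(f"support-style mailbox on consumer provider: {local}@{domain}")

    # 3. Replies are steered to a different domain than the visible sender.
    reply_to = sender_domain(msg.get("Reply-To", ""))
    if reply_to and reply_to != domain:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {domain}")

    # 4. The body asks the recipient to hand over credentials (single-part mail only here).
    body = msg.get_payload() if not msg.is_multipart() else ""
    if CREDENTIAL_REQUEST.search(body):
        findings.append("body asks the recipient to hand over credentials")

    return findings


# Constructed samples: attacker addresses from the DoJ filing, invented text.
SAMPLES = {
    "fake_apple": (
        "From: Apple Support <e-mail.protection318@icloud.com>\n"
        "Subject: Apple ID: unusual sign-in detected\n"
        "\n"
        "We noticed a sign-in from a new device. To keep your account active, "
        "reply to this message with your Apple ID password within 24 hours.\n"
    ),
    "fake_google": (
        "From: Google Help Desk <noreply_helpdesk0118@outlook.com>\n"
        "Reply-To: noreply_helpdesk0118@outlook.com\n"
        "Subject: Google Account: verify your login\n"
        "\n"
        "Please confirm your login and password so we can restore access.\n"
    ),
    "real_apple": (  # assumed-legitimate control message
        "From: Apple <no_reply@email.apple.com>\n"
        "Subject: Your receipt from Apple\n"
        "\n"
        "Thank you for your purchase. No action is needed.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw) or ["clean"])
```

Each of the two attacker samples trips three of the four tells (claimed vendor versus sender domain, support-style mailbox on a consumer provider, and a credential request in the body), while the control message trips none. Note that rule 1 depends entirely on the assumed allow-list, which is why an authenticated sender signal should replace it outside a demo.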

On YouTube, a simple search for "iCloud phishing" brings up tutorials on how to put together an effective account-theft campaign in just 15 minutes. One such video, which had more than 23,000 views at the time of publication, walks through the steps needed to dupe someone into handing over an iCloud password using pre-made HTML email templates that closely mimic genuine Apple mail.

The kit shown in that video is run by whoever owns the gadget-shows[dot]com domain, which was registered at the start of 2015 by an Otelea Catalin Madalin. The registration details indicate he's a Romanian living in the city of Focșani, in the east of the country. FORBES tried emailing Madalin but had no response at the time of publication. The site offers all manner of free guides and tools for cracking open iCloud and Apple software.

Russian tool grabs iClouds

But phished credentials only get an attacker so far. When hackers want to download data fast, before the victim notices and Apple cuts off the access, they turn to more advanced tools. Soon after the so-called "fappening" broke and the stolen images spread across the web, some speculated that password-bruteforcing software from Russian vendor Elcomsoft, marketed to law-enforcement forensic specialists, had been used.

That tool, which costs between $199 and $799 depending on the features a user wants, certainly has the capability to get into iCloud accounts. "The Forensic edition of Elcomsoft Phone Breaker enables over-the-air acquisition of iCloud data without having the original Apple ID and password," the company's literature reads. "Password-free access to iCloud data is made possible via the use of a binary authentication token extracted from the user's computer." That token can only be obtained from a computer on which the target is still signed in to the iCloud Control Panel, so an attacker needs access to the victim's machine before the password-free route is of any use, which is a significant hurdle.

Rather than take that token route, it seems Collins used Elcomsoft's Phone Breaker or a similar program, fed with the phished credentials, to pull information from Apple's servers at speed. The DoJ said: "In some instances, Collins would use a software program to download the entire contents of the victims' Apple iCloud backups."

That's another of the functions of Elcomsoft's kit: harvesting all the data from a target's iCloud. Elcomsoft CEO Vladimir Katalov told me: "We do not provide the service, just the software... once you supply the Apple ID and password, it shows the list of available iCloud backups and allows [you] to download any of them. It makes a direct connection to Apple datacenters."

Elcomsoft's tool was also named in an earlier affidavit concerning another celebgate suspect, a Chicago-based man named Emilio Herrera, who allegedly broke into 572 iCloud accounts and whose computer was seized. Though the tool wasn't directly attributed to the attacks, FBI special agent Josh Sadowski said in that court filing that he had seen it used alongside phishing to download victims' iCloud backups.

Vendor responsibility

It's not illegal to create such software. And though phishing itself is against the law (and, most would agree, morally reprehensible when people's most private data are stolen), creating phishing kits and publishing information on how to use them is unlikely to be prosecuted unless the creator knows the kit will be used in specific attacks. Google is therefore unlikely to remove the YouTube tutorials; even if they may facilitate crime, they're also useful for understanding the threat. And the likes of Elcomsoft can actually help prosecute criminals (the ability to grab data from iCloud being particularly pertinent in light of the FBI's attempts to obtain information on a San Bernardino shooter from Apple).

What all users, celebrities or not, need to learn is that major technology companies almost never ask them for their passwords. But vendors should all follow that rule consistently, so users aren't confused about what the norm actually is. Those that do ask users to hand over login details (British ISP Virgin Media, for instance, asks for certain characters from customers' passwords) need to stop, and to tell their users plainly that they will never ask for a password.
