Who here remembers the controversy surrounding the theft of nude photos of celebrities that were stored in iCloud? In the end it was proved that, in fact, it was more the "fault" of the celebrities in question, who did not have two-step verification configured and, through common techniques such as phishing, social engineering and others, handed over their passwords to malicious people.
One piece of software that gained prominence at the time was Elcomsoft Phone Breaker, which was used by these crackers to export data from such accounts (including photos and videos) to a specific folder.
This week, the software received an update that manages to bypass iCloud's two-step verification, in addition to expanding the types of files that can be extracted from Apple's service, including iWork documents, WhatsApp conversations, and content from games, password management apps, social networking apps and many other things. To top it off, it also extracts authentication tokens from users' hard drives and disk images.
But before we start yelling that this is the end of Apple, that iCloud is terrible and so on, it's worth understanding how it all works. Firstly, even using Elcomsoft Phone Breaker, the person *cannot* extract the information from the iCloud account if they do not have the Apple ID, the password and a trusted device / recovery key with them. Because . If someone has all of that, they don't even need Elcomsoft Phone Breaker to access all the information in the iCloud account, right? Just pick up an iGadget and log in with that account, and all that information will be there, available.
What Elcomsoft Phone Breaker does, however, is simplify all of this, making it much easier to access this information since everything is easily extracted from the account. And it makes a lot of sense if we take into account that Elcomsoft Phone Breaker should be an exclusive tool for government and security agencies. The problem, however, is that anyone can get it with just a minimum of US$80 to spend, and there is even a trial version of the software, which can be downloaded by anyone.
For these and other reasons, it is always good to use all the security resources that companies offer us. In the case of iCloud, I highly recommend enabling two-step verification. Before doing so, however, it is worth reading this article to understand the risks and avoid being locked out of your account.
Update · 12/18/2014 6:30 pm
Some readers definitely did not understand what I meant when I wrote that the "fault" for the leaks lay with the celebrities themselves. Just to explain everything better:
- I have absolutely nothing to do with the lives of these people. If they want to take nude pictures, that is their right.
- The "fault" I referred to was not that they did not activate two-step verification (even though, if you care about confidential information about yourself, especially if you are a publicly known person, you should be concerned about security), but that they fell for old techniques like phishing, social engineering and others. I repeat: if you have sensitive information stored in an account, the minimum you should do is think twice before clicking on any link and entering your username and password. The fault really is, and always will be, the thief's, but if you know you are in a violent city, the least you can do is not go around with your neck full of hanging jewelry.
- Yes, Apple was at fault for not requesting the two-step verification code for backup restores. But at that moment the crackers already had the celebrities' usernames and passwords in their hands.
I hope I have clarified things.