Wired: Hackers Used this Police Tool to Steal Celebrity Images from iCloud


You may have already seen or at least heard about the nude Hollywood celebrity images that flooded the Internet over the weekend as some hackers managed to crack the iCloud passwords of the victims. Apple refused to take enough blame in the photo hack, as the company’s carefully crafted response shows. But the reality looks different: What the story and the investigation around it reveal is that Apple’s iCloud isn’t as safe as Apple wants us to believe. So the issue is bigger than we originally thought.


As Wired points out, besides the Find My iPhone API vulnerability discovered by security researcher Alexey Troshichev — the man behind iBrute — there is another piece of information that completes the picture of the celebrity nude hack: a piece of software designed to siphon data from iPhones.

The bad news: While you may understand why it is used by law enforcement agencies, this tool is available to everyone for a certain fee ($400 or via the internet).

This software is called EPPB (Elcomsoft Phone Password Breaker). As the conversation on the Anon-IB site — a place where users can post stolen nude images — shows, the hackers are using EPPB to obtain data from iCloud.

So if a hacker can obtain your username and password with iBrute, he/she can log into your iCloud account and steal not just photos but the whole iPhone backup that contains the data you save from your phone.

And to back up the above theory of regular users being targeted by hackers, you only need to head to Anon-IB, where conversations reveal that photo stealing isn’t limited to just a few celebrities.

Apple has allegedly patched the Find My iPhone vulnerability, but hackapp tweeted the other day that Apple’s patch depends on the region. So we can only hope that Apple fixes this issue soon and will focus on protecting users’ privacy as promised.


  • shuriken48

    I am sorry, but this article is worthless… For these hacks to be doable, you need to have a simple passcode, not have the 10 attempts & erase policy turned on and now with 2-factor authentication for Apple IDs, that has to be disabled too. Is Apple also supposed to take us by the hand while crossing the street too! 🙁

  • TheHutch

    I think it is also important to point out that the tool in question can also be used to access other manufacturers devices and services. Including Blackberry.

  • Sean

    And all three of those things conspired to having hundreds of nude celebrity photos leaked. This article is very useful to those people who didn’t originally have all of this turned on. Don’t be so quick to jump on people, as I’m sure you’ve got holes in your life that could probably be exploited as well.

  • Andrew Gault

    Except the article makes it sound like it’s Apples security flaw when it’s actually the users fault for not using all the security options.

  • Sean

    Not all users know about all the additional security avail to them. Remember, they’re celebrity iphone users.

  • Z S

    From EPPB’s website: “The given feature is confirmed to work even for acconts with Apple’s two-step verification enabled, but does NOT work for Microsoft Live! accounts that use 2FA.”

    I sure as hell hope Apple patches THAT.

  • BrodieTheDog

    Lol. There are even easier ways to hack MS Live