Hackers Are Already Preparing New Attacks On iCloud
But hackers have already found ways around this improved security, and they have returned to a public forum to continue sharing them.
Apple hasn't overhauled the iForgot password system, which can still be used by hackers to download your iPhone photographs stored on iCloud. Instead, Tim Cook announced that Apple will now send notifications when someone tries to change an account password, access iCloud backups, or when someone logs into an account from a new device for the first time.
Here's one of the emails that Apple sends out to users to let them know that someone has logged into their iCloud account:
There is a small number of iCloud hackers still posting on the porn forum "AnonIB," the site where the celebrity photo leaks first emerged. They note that the only real change that Apple made was expanding the notification system to cover iCloud backups. Apple claims that this alerts users quickly if hackers are in their account, but it doesn't prevent iCloud hackers gaining access.
Most of the people targeted by iCloud hackers are young females, often in their teenage years. They're unlikely to regularly check their emails (teens don't check email the way adults do), and so Apple's tactic of notifying people as soon as possible when an account is accessed is not as effective in this demographic. iCloud hackers may have gained access to an account using weak security questions and downloaded an encrypted backup file before the target even realizes that anything has happened.
But what if a hacker wants to hack an iCloud account without notifying the target? iCloud hackers have found a way to do that, too. They suggest entering the target's email account before attempting to hack the iCloud account. Since most targets are teenage girls who don't check their email often, the premise is that their passwords will be easy to guess ("password" is frequently found to be one of the most commonly used passwords). Once inside the email inbox, hackers mark emails from Apple as spam, which they claim sends Apple's new iCloud security notifications straight to spam also.
For iCloud hackers, Apple's new security only means that their targets have an extra email in their inbox. Some posters on AnonIB report that there's even a delay in the emails that they can use to quickly raid the account for photos.
Once iCloud hackers have gained access to an account, they then set about decrypting the iCloud backup file and searching it for photos. As Business Insider reported last month, hackers use expensive specialist software intended for law enforcement to download and access iCloud backup files.
And now there's a new tool that hackers are using to steal photos from women on the internet. iLoot is an open-source and completely free tool developed by security researcher Alexey Troshichev, who is known for discovering a bug in the Find My iPhone software. Troshichev's company, Hack App, released a tool, iBrute, to exploit the flaw shortly before the celebrity photo leaks. (That led to multiple reports falsely claiming that his discovery was used to hack celebrities.)
iLoot is publicly available on GitHub, unlike previous programs used by hackers, which were sold online. Released in September, hackers are turning to iLoot to help them break into iCloud accounts. iLoot is a "command line interface," meaning that it gives hackers access to software by letting them punch in lines of code commands to manipulate it.
Here's what the tool looks like when in use:
Hack App's Github page says the tool should not be used on copyrighted material. And the iLoot program's page on GitHub includes a warning not to use the software to hack into accounts: "This tool is for educational purposes only. Before you start, make sure it's not illegal in your country."
- I spent $2,000 for 7 nights in a 179-square-foot room on one of the world's largest cruise ships. Take a look inside my cabin.
- Colon cancer rates are rising in young people. If you have two symptoms you should get a colonoscopy, a GI oncologist says.
- Saudi Arabia wants China to help fund its struggling $500 billion Neom megaproject. Investors may not be too excited.
- Catan adds climate change to the latest edition of the world-famous board game
- Tired of blatant misinformation in the media? This video game can help you and your family fight fake news!
- Tired of blatant misinformation in the media? This video game can help you and your family fight fake news!
- JNK India IPO allotment – How to check allotment, GMP, listing date and more
- Indian Army unveils selfie point at Hombotingla Pass ahead of 25th anniversary of Kargil Vijay Diwas