We know that back doors get built into systems because sooner or later they are abused, often in ways that grab our attention.
Keep in mind that any “password recovery” system (as opposed to a password reset) accomplishes something that would not be possible in a system that really protects confidentiality: someone other than the data owner can get at the key or the plaintext. There is a tradeoff between confidentiality and availability. The stronger the protection given to confidentiality, the greater the likelihood that availability may be irretrievably lost. Escrowed keys and, worse yet, back doors and other alternative avenues of access provide further opportunities for intruders as well as for the legitimate data owners.
The recent large-scale theft and distribution of nude celebrity self-portraits provides a lurid reminder of this concept.
And please, let’s be honest and careful with language and call it the theft that it was. Daniel Ellsberg and Ed Snowden leaked information embarrassing to the government, information which they felt would beneficially empower the public. They didn’t steal private picture albums.
Anyway, it now appears that Elcomsoft’s Phone Password Breaker (or EPPB) has been playing a role in this series of exploits. We have been talking about this tool and the associated risks in Learning Tree’s Cloud Security Essentials course for quite some time now. The act of putting data into the underlying cloud storage was not itself the problem; the storage was not broken into. It is almost a side channel risk: there is an alternative access channel to the same data, the backup retrieval path, and that channel in turn has an alternative access method, or a back door, built into it.
This episode also demonstrates the “weakest link” concept. Apple has said that iCloud wasn’t hacked. EPPB doesn’t get you directly in, but once it delivers a password, then for typical non-cyber-savvy users of iCloud that same reused password is the one that opens the cloud storage. Then it’s just a matter of automating the download and distribution.
I’ve worked in Russia, and so I know that things can be kind of sketchy there, especially questions about “What are the rules?”, as the answers have to do with the power or influence of whoever is asking. Elcomsoft has said all along that they only sell some of their products to legitimate law enforcement or government agencies. Who is one of those? Whoever convincingly says that they are… Of course EPPB has spread; copies have gotten into the hands of people not everyone would consider to be legitimate law enforcement or security agencies, including as bootlegged copies.
Another tool in the black bag may have been ibrute, at least for proof-of-concept testing of the exploit techniques. It took advantage of the fact that some application programming interfaces imposed no lockout and not even rate throttling on password guessing, so an attacker could run an entire password list against an account, online, without ever being slowed down or shut out.
This breach wasn’t inevitable. Social engineering techniques, including collecting some pretty obvious password hints, seem to have been involved. So yes, there are things we can and should do to protect ourselves.
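To make the “no limits on guessing” point concrete, here is an added simulation, not code from the original post and not ibrute itself: two toy authentication endpoints, one that answers every guess honestly forever and one that locks the account after a handful of failures, with the same online brute-force loop run against both. The account name, the password, the wordlist and the lockout thresholds are all constructed for illustration.

```python
"""
Constructed simulation of online password guessing against two toy
authentication endpoints: one with no throttling (the weakness the
ibrute tool exploited) and one with per-account lockout.
All names, passwords and thresholds are made up for illustration.
"""
import hashlib
import hmac
import os
import time


class AccountLocked(Exception):
    """Raised when the throttled endpoint refuses to evaluate a guess."""


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so the stored verifier is not the weak point.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class UnthrottledAuth:
    """Accepts unlimited guesses: every attempt gets an honest yes/no."""

    def __init__(self, users):
        self._db = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._db[name] = (salt, _hash_pw(pw, salt))

    def login(self, user, password):
        rec = self._db.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash_pw(password, salt))


class ThrottledAuth(UnthrottledAuth):
    """Same verification, but counts failures per account and locks the
    account for `lockout_seconds` after `max_failures` bad guesses."""

    def __init__(self, users, max_failures=5, lockout_seconds=900,
                 clock=time.monotonic):
        super().__init__(users)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = {}  # user -> (failure count, locked_until)

    def login(self, user, password):
        count, locked_until = self._failures.get(user, (0, 0.0))
        now = self._clock()
        if now < locked_until:
            raise AccountLocked(user)
        if super().login(user, password):
            self._failures.pop(user, None)
            return True
        count += 1
        if count >= self.max_failures:
            self._failures[user] = (0, now + self.lockout_seconds)
        else:
            self._failures[user] = (count, 0.0)
        return False


def brute_force(auth, user, wordlist):
    """Try each candidate in order. Returns (password or None, attempts)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        try:
            if auth.login(user, candidate):
                return candidate, attempts
        except AccountLocked:
            return None, attempts
    return None, attempts


# Constructed wordlist: common passwords plus the kind of guessable
# "hint" answers (pet names, years) the post mentions.
WORDLIST = ["123456", "password", "qwerty", "letmein", "fluffy2001",
            "Rover1998", "summer14", "Tr0ub4dor&3"]
ACCOUNTS = {"alice@example.invalid": "summer14"}  # constructed victim


def demo():
    """Run the same attack against both endpoints and return both results."""
    unthrottled = UnthrottledAuth(ACCOUNTS)
    throttled = ThrottledAuth(ACCOUNTS, max_failures=5)
    return (brute_force(unthrottled, "alice@example.invalid", WORDLIST),
            brute_force(throttled, "alice@example.invalid", WORDLIST))


if __name__ == "__main__":
    open_result, locked_result = demo()
    print("no throttling:", open_result)   # password found on attempt 7
    print("with lockout :", locked_result)  # locked out on attempt 6
```

Against the unthrottled endpoint the loop simply walks the list until it hits the right password; against the throttled one it is shut out after the fifth failure and the seventh guess is never evaluated. Per-account lockout alone is not the whole answer, since an attacker can spread a few guesses across many accounts, so a real service also throttles per source address and per API key; the simulation shows only the per-account half.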