Police Tool Used to Steal Nude Pics from iCloud

2014-09-09 Formal Informal Institutions and the Future

I’m sure everyone has heard of the scandal / sexual crime1 in which hackers grabbed nude photos of celebrities like Jennifer Lawrence and Kate Upton and then posted them online. What isn’t being reported, but is being covered by Wired, is that a key tool used in the hack is actually a piece of software designed for use by law enforcement agencies.

On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.

There isn’t any suggestion that it’s actually law enforcement officers who are doing the hacking, of course, because it turns out the software is just not that hard to come by:

Elcomsoft’s program doesn’t require proof of law enforcement or other government credentials. It costs as much as $399, but bootleg copies are freely available on bittorrent sites. And the software’s marketing language sounds practically tailor-made for Anon-IB’s rippers.

“All that’s needed to access online backups stored in the cloud service are the original user’s credentials including Apple ID…accompanied with the corresponding password,” the company’s website reads. “Data can be accessed without the consent of knowledge of the device owner, making Elcomsoft Phone Password Breaker an ideal solution for law enforcement and intelligence organizations.”

So obviously the main take away is that your data isn’t safe. Unless you’re going to invest the time to become a full-time computer expert, you may as well just assume it’s not safe. This has all kinds of implications for the conversation about rape culture and sexual violence in our society: do we tell women it’s a bad idea to have nude photos of themselves (supply side) and pass laws against “revenge porn” (demand side)? Or is addressing the supply side at all a form of victim-blaming? I’m not going to debate that here.

Instead, here’s something totally different: this story shows one of the subtle but profound ways in which future society is going to be markedly different from past societies. One of the defining characteristics of modernity is the supremacy of formal institutions and of those formal institutions the most powerful is the nation-state. The reason for this supremacy is the wide power-differential between formal institutions (like governments) and informal instutions (like a mob of angry citizens). As recently as the 18th century, a bunch of angry colonials2 could stand against a global empire or a bunch of angry Parisians could topple their own government. In the centuries since then, the level of power available to a group of citizens (informal institution) vs. a state (formal institution) has diminished drastically. Governments have fighter jets and aircraft carriers. Insurgents can make car bombs, sure, but there’s a reason this kind of warfare is known as asymetric: only governments have the resources to field military-grade hardware these days. That is a big part of why we see formal institutions as being so dominant in our society. But it’s changing.

The software put out by Elcomsoft is government-grade, but it’s easily available to consumers and, for that matter, Elcomsoft is not exactly Boeing or Lockheed-Martin. Meaning that small companies and even individuals can put together top-flight software. Another example is TrueCrypt, an open-source harddrive encryption utility whose future is in jeopardy today, some believe, precisely because despite being free and open-source it was military-grade encryption for the every man.

In a lot of ways, we’re returning to the era when a bunch of farmers and their muskets were at least in the same ballpark as professional armies: all they needed was to steal a few canons to make a war of it. Or, going back farther, to the days when peasants and farming or hunting implements quite literally were an army in terms of training and hardware. A world where informal institutions like organized crime, militias, political movements, and the like can actually pose a threat to nation-states is not a world we’ve never seen before. But it might be a world we never thought we’d see again, at least not in the developed parts of the globe. But the power of formal institutions is on the wane.