They had nothing to hide

We have been working in the information security market for several years. Our main clients are law enforcement agencies of different countries, special services, as well as IT security departments in large companies. Sometimes our customers share interesting stories with us; You can read about some of them in the media. Today I want to tell several stories about people who had “nothing to hide” and who as a result had serious problems literally out of the blue.

What is the problem?

I often write articles on information security. Sometimes it turns out to be understandable to a layman, sometimes, probably not so. “Something I didn’t understand at all about sending the article [...] what is the problem?”, “IMHO, the problem with icloud is a bit far-fetched,” and immortal - “I didn’t bother, I have nothing to hide.” Great, let's see if you should hide something.

Celebgate: “iCloud problem is a bit far-fetched”

More than five years have passed since the release of our first product to extract data from iCloud. The key to the product Elcomsoft Phone Password Breaker (now it has a different name), which at that time we sold exclusively to law enforcement agencies, was stolen and fell into the hands of a hacker group.

“From August 31 to September 1, 2014, hackers staged a massive drain of intimate celebrity photos from the iCloud service. Internet users have marked this epic event as “Celebgate” and “The Fappening”, ”writes The Fappening NSFW! Alexander Slepchenko. The link above can also be found with the photos of people who had nothing to hide.

To access iCloud, attackers used our product and real data from accounts. How did they know them? In different ways: somewhere there were leaks, somewhere the iCloud password was found based on the passwords for other accounts, but social engineering was most often used: the victim received a letter in which, under a far-fetched pretext, they were asked to log into their account. Some victims even got a phone call, helping to “secure” the account or “restore” access to it after a “compromise attempt”.

Interestingly, at the time of the event, Apple had already implemented a half-measure of protection - Two-Step Authentication (2SV), the pale forerunner of modern two-factor authentication. However, even this half-measure Apple was used only partially, without extending the protection to photos in iCloud. Only with the release of iOS 9 and OS X El Capitan in March 2016 did Apple have a modern and reliable two-factor authentication system.

For how the hackers acted, what programs they used and where they learned the passwords of the victims of the attack can be found in the English article Forbes Stealing Nude Pics From iCloud Requires Zero Hacking Skills - Just Some YouTube Guides .

“We generally have freedom of speech!”

Yes of course. The freedom to read any literature and not be harassed for it. Good old England, 2013. The assistant pioneer leader (well, let’s be the assistant to the leader of the scouts) John Cockcroft had a Kindle e-book with him. During folding camp counselor found a book. Turning it on and reading the text, the counselor was horrified to find descriptions of explicit scenes with minors. John’s attempts to argue “it's like Lolita” failed, the counselor called the police.

They grabbed the old pervert, made a search, seized computers ... further - a technical question: after a thorough scan of two John computers on them were discovered pictures of a very dubious quality - as many as 12 pieces.

This case attracted our attention because two encrypted files (the nature of which were not disclosed) were found on John’s computer, and our products are designed to crack passwords as quickly as possible. In this case, the police were not able to break into the defense, and John committed another crime by refusing to provide passwords for these files (according to British law, this is quite a crime). On the aggregate of crimes, John was sentenced to three years of community service, three years of attending special courses, and three years of observation. The criminal record will be removed only after five years. Details of this story can be read here .

Stolen iPhone and Dismissed Teacher

Your iPhone has been stolen. Who is guilty? Of course you are! You will be fired from work and a criminal case will be brought against you. And all because you did not set the lock code. Fierce nonsense? If. Not so long ago, in 2016, an iPhone was stolen from a high school teacher Lee Anna Arthur from South Carolina. The thief, who turned out to be her 16-year-old student, had no problems accessing the contents of the device: the honest teacher had nothing to hide, and she did not bother with setting the PIN code. On the phone, the student found the teacher’s selfie in negligee, which he gladly distributed among classmates, and also posted on social networks.

In the end, the student was still punished . But Lee Arthur lost her job despite petitions . A year later, the parties agreed out of court ; the student was expelled from school. At that time, Lee Anna Arthur was still unemployed.

Conclusion? Even if you think you have nothing to hide, your colleagues, superiors, or students may have the opposite opinion. And if your phone is stolen, you risk at least a ruined career. If you think that “this is in Puritan America, but here we have it…”, then in Russia to dismiss the teacher, not even nudity is enough, but simple photos in a swimsuit (by the way, the phrase at the end of the article about “was hired” wasn’t corresponds to reality - it’s easy to verify this by simply following the link). Do you still think you have nothing to hide?

Just walked down the street

You walk along the street, staring at the phone, and stumble into the broad chest of a policeman. A policeman requires a device, you automatically pass it into the hands of a representative of the law. You get accused of pedophilia, go out on bail, destroy evidence. Now you are accused of counteracting justice, but, having meticulously well, you are still released. You understand: if you hadn’t swept the tracks, you would have sat down for three years ...

Honestly, I could not have invented such a thing. But now - it happened and got into the newspapers, and now this incident has become my favorite illustration during the trainings that I conduct for the police (in the context: “do not repeat police mistakes, keep the seized phones in the Faraday cage!”)

So the situation. The 19-year-old guy was calmly and without breaking the rules, was driving in the car with his girlfriend. He was stopped by the police for a routine check. The policeman liked the phone, and the guy who had “nothing to hide” agreed with the policeman’s request to unlock the device. (In parentheses: do you know that you are absolutely not obliged to do this, and the policeman has the right to ask, but has no right to require you to unlock the device?) On the phone, the policeman found photos of the same girlfriend who was a passenger in the car. (Surprisingly, right?) The girlfriend in the pictures was not dressed. The girlfriend was under 18 years old. Criminal article: the creation and dissemination of child pornography; You can sit down for ten years.

The guy, do not be a fool, went out on bail, after which he instantly initiated the destruction of data through the Find my iPhone function.

After some time, the police realized that the phone was locked; After contacting the accused and receiving a password from him, the police were surprised to find that the contents of the phone had been destroyed. Having lost the only evidence of a terrible crime, the infuriated police tried to hang up the guy with counteraction to justice; in the end, the accusation fell apart, and the guy escaped with a serious hassle.

Morality? Even if you have nothing to hide, do not unlock any devices by passing them to the police. By the way, law enforcement officials perceive this story with humor; I heard a lot of cynical comments about the actions of the Morristown police, but not one in the direction of the accused.

Details were posted in a WATE article that was subsequently deleted (but cached by Google ). We saved the incident description:

“A Morristown man was arrested after police say he allegedly remotely wiped nude photographs of his underage girlfriend from his iPhone.”

“Darvel Walker, 19, is charged with tampering with evidence. Police say the phone was confiscated during a traffic stop on February 23. They say Walker gave officers permission to search his phone, and they found what they said were several nude images of the underage girl, who was a passenger in the vehicle. ”

“Once detectives learned the phone was password protected, they contacted Walker to get the passcode, but then discovered the photos were gone.”

“Walker was held on $ 25,000 bond.”

Life cases

Not all stories get into newspapers. Three cases also happened to us (in fact, much more, but we can’t tell about everyone).

Car rental tablet

The first one was a car rental company. A regular iPad was installed in the rented car as a navigation system; Of course, there was no lock code on it. Curiosity dismissed me, and I connected to the tablet with our <iOS Forensic Toolkit. The first attempt to extract data failed: the MDM profile was installed on the tablet, which prohibits the creation of backups. But the IT security department did not bother to somehow protect the device from deleting the MDM profile (for this you need to put an extra checkmark, the existence of which the company specialists seem to simply not know).

After deleting the MDM profile, a complete copy of the data from the tablet was at my disposal in just a couple of minutes. (In a nutshell: jailbreak is not needed; EIFT sets the password for the backup and downloads it from the device, which gives access to most of the information, including passwords). As a result, I learned the password from the closed Wi-Fi network of car rental, as well as the passwords from several user accounts. History has not received development: I did not go into the accounts. By the way, the backup itself still lies in the dump of such trophies.

Baby phone

Another story concerns “children's” phones, which are passed from parents to a child or donated outside the family. When we needed a test phone iPhone 5C, a long-time friend gave me the device. The phone was used by his son. A friend gave me the phone, but did not drop it, and did not untie it from iCloud; in fact, I cleaned only contacts and notes and deleted applications. I set the password for the backup, downloaded the Keychain, found out the password from Apple ID and untied the phone from iCloud, disconnecting Find my iPhone. I accidentally saw passwords from Wi-Fi, mail and several social networks. On the phone, Find Friends was turned on, which successfully showed the location of the child's parents (that is, my friend and his wife) in real time. Of course, I dropped the phone, and a friend called and had a security education program.

Smart girls

Sometimes it’s fun to read news in which young children are much better savvy in safety matters than their parents. So, a seven-year-old child managed to circumvent the restrictions of “Screen time” set by parents. Another child circumvented the restrictions on viewing YouTube by sending himself links to videos in iMessage messages: parents did not guess to block this application.

A case indicative in this context occurred recently with our employee. I will give her the floor. “Now I was riding in a taxi with a driver who spoke on the phone with his daughters (8 and 10 years old). My grandmother hid the phone from them so that they would not sit in it for a long time, and they were told that they had stolen it. They complained to dad over the phone, explained that a long password was set there in Russian, and then they finally yelled in chorus: “Why would anyone need a telephone with a PASSWORD !?” Such smart girls were. She told the driver that I was just working for a company that was recovering data from phones. To which the driver asked me whether it is true that the password on the iPhone cannot be broken, I reassured him. "


All Articles