Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

Tim Cook Promises Improved iCloud Security

In the wake of the theft of nude photos from celebrities (see “iCloud Flaw Not Source of Celebrity Photo Theft,” 2 September 2014) — a theft that has been linked to Apple’s iCloud suite of online services — Apple CEO Tim Cook has vowed to improve iCloud security in his first interview about the situation.

Here’s what Apple is planning:

  • Starting in two weeks, Apple will send email and push notifications “when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time.”

  • Apple will do more to raise user awareness about security, both in terms of the potential dangers and the importance of stronger passwords. Perhaps Apple should give everyone a copy of Joe Kissell’s best-selling “Take Control of Your Passwords.”

  • The company plans to broaden its use of two-factor authentication, and push more aggressively for users to enable it.

  • Apple will extend two-factor authentication to iCloud accounts accessed from mobile devices in iOS 8.

Cook reiterated that the photo theft did not involve any leak of Apple IDs or passwords from Apple's systems, but rather was carried out by guessing passwords and/or the answers to security questions.

Ashkan Soltani, an independent security researcher, told The Wall Street Journal that the new notifications “will do little to actually protect consumers’ information since it only alerts you after the fact.”

While Soltani has a point, an enhanced focus on two-factor authentication could help prevent future incidents such as this. Two-factor authentication, which requires both something you know (a password) and something you have (a hardware token or an app that generates a fresh one-time code every 30 seconds or so), is offered by Apple, but isn't exactly user-friendly (to learn more, see "Apple Implements Two-Factor Authentication for Apple IDs," 21 March 2013). There's often a three-day waiting period to enable it, and even then, it protects only Apple ID account changes and store purchases, not the content you store in iCloud.

Journalists have been doing some sleuthing of their own to discover the holes in iCloud security. Andy Greenberg of Wired scouted the anonymous image board Anon-IB, which specializes in stolen pornographic images, and discovered that attackers were combining a script that exploited the missing rate limiting on the Find My iPhone login endpoint (which Rich Mogull discusses in "iCloud Flaw Not Source of Celebrity Photo Theft," 2 September 2014) to guess passwords with Elcomsoft Phone Password Breaker (EPPB) to pull down images from victims' iCloud backups.
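The reason a missing rate limiter matters is that it turns a login form into an offline-speed password oracle. The following added example (constructed for this article; not code from Apple, Wired, or the attackers' script) models a toy login endpoint two ways, once with no throttling and once with a per-account lockout, and runs the same small dictionary attack against both. The account, password and wordlist are made-up sample data.

```python
import hmac
import time
from collections import defaultdict


class LoginEndpoint:
    """Toy password-check endpoint. With max_attempts=None it is unthrottled,
    so a caller can walk an entire wordlist; with a limit, an account that has
    accumulated max_attempts failures inside lockout_seconds returns 'locked'."""

    def __init__(self, users, max_attempts=None, lockout_seconds=900):
        # Constructed demo store: account -> password. A real service stores a
        # salted, slow hash (bcrypt/scrypt/Argon2), never the password itself.
        self._users = users
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(list)  # account -> timestamps of recent failures

    def _recent_failures(self, account, now):
        cutoff = now - self.lockout_seconds
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]
        return self._failures[account]

    def login(self, account, password, now=None):
        now = time.time() if now is None else now
        if (self.max_attempts is not None
                and len(self._recent_failures(account, now)) >= self.max_attempts):
            return "locked"
        expected = self._users.get(account, "")
        # compare_digest is constant-time, so timing does not leak the matching prefix
        if account in self._users and hmac.compare_digest(expected.encode(), password.encode()):
            self._failures[account].clear()
            return "ok"
        self._failures[account].append(now)
        return "denied"


def guess_password(endpoint, account, wordlist, now=0):
    """Online dictionary attack against `endpoint`. Returns (password or None,
    number of attempts made) and stops as soon as the account is locked."""
    for attempts, guess in enumerate(wordlist, start=1):
        result = endpoint.login(account, guess, now)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, len(wordlist)


# Constructed sample data: a weak password that sits fifth in a tiny wordlist.
USERS = {"alice@example.com": "letmein"}
WORDLIST = ["123456", "password", "qwerty", "iloveyou", "letmein", "monkey"]

if __name__ == "__main__":
    print("unthrottled:", guess_password(LoginEndpoint(USERS), "alice@example.com", WORDLIST))
    throttled = LoginEndpoint(USERS, max_attempts=3, lockout_seconds=900)
    print("throttled:  ", guess_password(throttled, "alice@example.com", WORDLIST))
```

Against the unthrottled endpoint the attack succeeds on the fifth guess; against the throttled one it is shut out after the fourth and never reaches the right password. A per-account lockout on its own is not the whole answer, since an attacker can use it to lock a victim out deliberately, so real services layer it with per-source throttling, exponential backoff, CAPTCHAs, and exactly the kind of "new login" notification Apple promised above.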

Christina Warren of Mashable took things a step further, using EPPB and a bit of guesswork (plus a password cracker) to break into her own iCloud account, as well as her sister’s. Warren used the $199 Professional Edition of EPPB, but the $399 Forensic Edition, marketed toward law enforcement, can pull an iCloud authentication token from a personal computer, bypassing even the password requirement.

Warren points out a number of security flaws in iCloud, including unencrypted backups and iCloud authentication tokens stored in plaintext on the computer. Two other points, about two-factor authentication being difficult to set up and covering only account changes and purchases rather than iCloud data, will hopefully be addressed soon.

In any case, this security breach could not have come at a worse time for Apple. With a major product launch coming up on 9 September 2014, the stakes are high. If the rumors that Apple is set to announce a biometric-tracking smartwatch and a new payment system pan out, Apple will have to go above and beyond to regain the public's trust.



Comments about Tim Cook Promises Improved iCloud Security

Alan Sanders  2014-09-10 13:15
Companies ALWAYS promise better security after a well-publicized breach. My question is always the same: If stronger security measures are possible, why weren't they already using them before the breach occurred?! Laziness and/or incompetence are the most obvious answers. It's hard to imagine Apple being either lazy or incompetent, but there you have it.
Adam Engst (TidBITS staff)  2014-09-10 16:48
The problem is always the tradeoff between security and convenience. You could have a door lock that would require passing a DNA test to open, but that's ridiculously hard. So instead we have keys, combination locks, fingerprint scanners, and so on. The same principle applies to digital security.
Alan Sanders  2014-09-11 13:54
True enough. But if break-ins became commonplace enough in your neighborhood, you'd go for the DNA-coded locks—convenient or not.
Adam Engst (TidBITS staff)  2014-09-11 14:33
And that's just it - we're not seeing iCloud accounts hacked constantly, just a relatively few celebrity accounts where the security questions are fairly easily figured out. So Apple has to tread the line of not annoying users constantly for little reason while still providing sufficient security for most cases.
Apple has now started using two-factor authentication when you use a web browser to log onto iCloud.

But from what I can tell their SMS messages are not making it through to my iPhone. I can choose to have my iPhone notified via Find My Phone messaging instead and that works fine. But as soon as I select SMS I get nothing.

I checked that they have the right phone number. I wanted to enter the phone number again. No dice, they say they already have it on file. So I figured I'd delete the phone number and set it up again from scratch, but apparently you can't do that. They need one phone number on file at all times.

Any other ideas how to diagnose the problem? No matter how often I try, I never receive their SMS with the 4-digit code. I'd like to know that SMS works, because I want the freedom to turn off Find My iPhone at any time without losing two-factor authentication.

Of course SMS must have worked at some point, because IIRC you can only add the phone number by replying to a text sent to it.