In the wake of the theft of nude photos from celebrities (see “iCloud Flaw Not Source of Celebrity Photo Theft,” 2 September 2014) — a theft that has been linked to Apple’s iCloud suite of online services — Apple CEO Tim Cook has vowed to improve iCloud security in his first interview about the situation.
Here’s what Apple is planning:
Starting in two weeks, Apple will send email and push notifications “when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time.”
Apple will do more to raise user awareness about security, both in terms of the potential dangers and the importance of stronger passwords. Perhaps Apple should give everyone a copy of Joe Kissell’s best-selling “Take Control of Your Passwords.”
The company plans to broaden its use of two-factor authentication, and push more aggressively for users to enable it.
Apple will extend two-factor authentication to iCloud accounts accessed from mobile devices in iOS 8.
Cook reiterated that the photo theft didn’t happen due to any sort of Apple ID or password leakage, but rather by guessing passwords and/or security questions.
Ashkan Soltani, an independent security researcher, told The Wall Street Journal that the new notifications “will do little to actually protect consumers’ information since it only alerts you after the fact.”
While Soltani has a point, an enhanced focus on two-factor authentication could help prevent future incidents such as this. Two-factor authentication, which requires both something you know (a password) and something you have (a token or an app that generates a new one-time code every few seconds), is offered by Apple, but isn’t exactly user-friendly (to learn more, see “Apple Implements Two-Factor Authentication for Apple IDs,” 21 March 2013). There’s often a three-day waiting period to enable it, and even then, it protects only payment information, not content you store in iCloud.
Journalists have been doing some sleuthing of their own to discover the holes in iCloud security. Andy Greenberg of Wired scouted the anonymous image board Anon-IB, which specializes in stolen pornographic images, and discovered that attackers were using a combination of a script based on the Find My iPhone rate-limiter vulnerability (which Rich Mogull discusses in “iCloud Flaw Not Source of Celebrity Photo Theft,” 2 September 2014) and Elcomsoft Phone Password Breaker (EPPB) to steal images from victims’ iCloud backups.
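The rate-limiter flaw referenced above matters because password guessing only scales when a login endpoint will answer an unlimited number of attempts. As an added example (not from the article, and not a description of Apple’s actual fix), the following shows the kind of control a login service needs in front of password checking: failed attempts are counted in a sliding window per account and per source address, a threshold triggers a temporary lockout, and a successful login clears the account’s counter. The limits (5 failures in 15 minutes, 15-minute lockout) and the account and address values are constructed for the demonstration.

```python
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window failure counter with temporary lockout.

    Keys are arbitrary strings; the intent is to call it twice per attempt,
    once keyed on the account and once on the client address, so that neither
    a single-target guessing run nor a distributed one slips through.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 900,
                 lockout_seconds: int = 900) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures: dict[str, deque] = defaultdict(deque)  # key -> timestamps
        self._locked_until: dict[str, float] = {}

    def _prune(self, key: str, now: float) -> None:
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_locked(self, key: str, now: float) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]          # lockout expired
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key: str, now: float) -> bool:
        """Record a failed attempt; returns True if the key is now locked."""
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key: str) -> None:
        self._failures[key].clear()
        self._locked_until.pop(key, None)


# Constructed credential store for the demo; real systems store salted hashes.
DEMO_ACCOUNTS = {"alice@example.com": "correct horse battery staple"}


def attempt_login(limiter: LoginRateLimiter, account: str, source: str,
                  password: str, now: float) -> str:
    """Returns 'locked', 'ok' or 'bad'. The limiter is consulted *before* the
    password is checked, so a locked key reveals nothing about the password."""
    if limiter.is_locked(account, now) or limiter.is_locked(source, now):
        return "locked"
    if DEMO_ACCOUNTS.get(account) == password:
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account, now)
    limiter.record_failure(source, now)
    return "bad"


if __name__ == "__main__":
    lim = LoginRateLimiter()
    for i in range(6):
        print(i, attempt_login(lim, "alice@example.com", "198.51.100.7", "guess", now=i))
```

Returning the same "locked" answer regardless of the password, and locking the source address as well as the account, is what keeps a guessing script from simply moving on to the next name in its list.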
Christina Warren of Mashable took things a step further, using EPPB and a bit of guesswork (plus a password cracker) to break into her own iCloud account, as well as her sister’s. Warren used the $199 Professional Edition of EPPB, but the $399 Forensic Edition, marketed toward law enforcement, can pull an iCloud authentication token from a personal computer, bypassing even the password requirement.
Warren points out a number of security flaws in iCloud, including unencrypted backups and iCloud authentication tokens stored in plaintext. Two other points, about two-factor authentication being difficult to set up and protecting only payment information, will hopefully be addressed soon.
In any case, this security breach could not have come at a worse time for Apple. With a major product launch coming up on 9 September 2014, the stakes are high. If the rumors that Apple is set to announce a biometric-tracking smartwatch and a new payment system pan out, Apple will have to go above and beyond to regain the public’s trust.