Apple’s focus on the security of its operating systems used to be pretty minimal. Fortunately, it didn’t really matter.
Spend enough time in the security world and you realize that it’s defined by economics and human behavior, not technology. When I first started writing about Apple in 2006, the company had a good security team, but didn’t give it many resources. It’s hard to justify spending a lot on security when you aren’t suffering security losses.
Just ask Microsoft. For years the company didn’t invest much in security, even as Windows came to dominate the computer industry. Then the bad guys showed up, and in 2001 it became nearly impossible to protect Windows-based PCs from attack. Microsoft’s biggest customers, like big banks and the U.S. government, threatened to move to something — anything! — else as the costs to install security defenses and account for security breaches skyrocketed. The result was the Trustworthy Computing Initiative in 2002. Microsoft now has the strongest security program in the industry.
In a series of what look like near-prescient moves, Apple dodged that bullet while coming to dominate the handheld device market and increasing its share of the personal computer market. Apple learned the right lessons from Microsoft’s early failures, and as a result, we haven’t seen any significant iOS malware (most of what there is targets jailbroken devices) or a major Mac malware epidemic. In essence, particularly with iOS, Apple put security in place early, before criminals could build an attack ecosystem.
But the future is in the cloud. And Apple’s future is iCloud, the online glue that holds its entire ecosystem of devices, software, and services together. I spend most of my working hours on cloud security, and it is an indescribably difficult problem that’s only getting worse as our use of these services grows. Apple, like all major cloud providers, now faces the same security issues as banks (cue the Willie Sutton reference about “that’s where the money is”).
Talk to any bank about security, and they’ll all point to the customer account as the problem.
Chum in the Water -- Little grabs attention like the words “celebrity nudes.” The phrase “chum in the water” doesn’t even begin to describe the resulting media feeding frenzy. Add in the world’s most popular technology brand, schedule it for a few weeks before the company’s biggest product announcement in years, which also included a major new financial service, and you end up with a special sort of PR nightmare.
You know the story by now. A string of nude photos of about one hundred celebrities hit the Internet over Labor Day weekend. Speculation quickly focused on iCloud backups or photos as the source, given that it came only a few days after the release of a new tool that attacked iCloud directly via a brute-force technique that most cloud services restrict (and that Apple quickly blocked).
The truth was slightly less dramatic, but no less disturbing. Within 48 hours Apple announced that iCloud in general hadn’t been hacked, and the brute-force tool wasn’t the vector. Instead, individual celebrities were deliberately targeted and their photos stolen, most likely via iOS backups to iCloud. The crimes likely occurred over a long period, and the photos didn’t necessarily all come from iCloud.
After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification.
iCloud wasn’t hacked, but it was. Instead of compromising some core vulnerability in the service, the criminals targeted famous users and performed a series of account takeovers. They figured out passwords or password recovery questions. I suspect they then pulled in the victims’ friends and colleagues using phishing techniques based on the initial information taken. They harvested iCloud credentials, and used hacking tools to pull down copies of iCloud backups, circumventing Apple’s normal new-device notifications (primarily used with Messages and FaceTime) and even two-factor authentication, which protected only purchases and core Apple ID changes.
Apple was in a bind. This wasn’t an issue specific to iCloud, and the company essentially blamed its customers for not protecting their accounts well enough. And Apple then recommended a solution, two-factor authentication, that wouldn’t have stopped the attacks at the time (it didn’t then apply to iCloud logins or backups). Ouch.
To be fair, Apple was correct that account takeovers are an all-too-common problem on the Internet. But decisions by Apple, such as limiting the services protected by two-factor authentication, relying on password recovery questions (which are notoriously easy to circumvent, especially for public figures), and not detecting the unusual activity on the server side all conspired to make the attackers’ jobs easier.
iCloud wasn’t compromised in general, but that’s not to say that Apple did all it could have. And even if the company had done more, there’s no guarantee that such persistent attacks could have been prevented. Account takeovers are incredibly serious, impossible to eliminate, and likely the single greatest challenge as we continue to expand our reliance on cloud computing.
Where Password Equals “Gordian” -- Proving identity is a complex problem, especially since the concept of identity itself is somewhat ephemeral. Just ask any friend with a common name, like our own Michael Cohen (who is not any of these people). In the digital world, we worry less about proving identity and more about authentication, which is proving to the computer that you are the person associated with a specific account.
We do this using something you know (a password), something you have (a digital token like a smart card or a code from an iPhone app), or something you are (a fingerprint). The more of these things that are checked, the stronger the authentication.
Passwords are nearly always used as one of the authentication factors. Tokens cost money and are easy to lose. Fingerprints, or any biometric factor, raise serious privacy issues and are hard to work with reliably. Neither tokens nor fingerprints are well suited for logging into remote services, since everyone would need their own readers. Imagine having to swipe your credit card to log in to every Web site. The complexity of these systems, at scale, is nearly insurmountable with current technological and social limitations. Who provides the cards? Who manages your fingerprint template? How is this all communicated? In many cases tokens and fingerprints are less secure than passwords which is why we tend to use them as a second factor, not the primary one.
Reducing our reliance on passwords may not be an impossible problem, but it’s one we’re a long way from solving.
Compounding the problem is the issue of account ownership and recovery. We forget passwords. We lose smart cards. Our fingerprints change. We can’t let those facts restrict access to our accounts, so we add recovery mechanisms. It might be another, stronger, password we tell the user to write down and store safely — but anything written down isn’t safe by definition. Or perhaps we require security questions we hope only the account owner can answer, but to be memorable, they have to be discoverable, as the hacked celebrities experienced.
Apple’s Challenge -- Apple, Google, and other cloud providers now manage many of the most private and important aspects of our lives. We trust them with an astonishing range of information that, in some cases, has direct monetary value. They are, effectively, banks.
Securing a bank isn’t easy. Account takeovers still occur on a regular basis, but, based on my experience, at a rate far below most online services. Banks deploy a wide range of security tools with names like “risk-based authentication,” “user behavioral analytics,” and “anti-fraud analysis.” These tools catch many account takeover attempts, but not all, and financial institutions spend more on security than any other vertical market by a wide margin.
Some of the criticism I saw of Apple after the celebrity photo theft was warranted. It didn’t appear that Apple used expected detection and analysis techniques for a cloud provider of Apple’s size and importance, based on the effectiveness of the brute-force tool (even if it wasn’t used in those attacks). Two-factor authentication (your password plus a code sent to your phone) was not applied to most iCloud services and was surprisingly complex to set up. Nor did Apple send activity notifications that could have alerted a customer that someone had accessed her account and restored her data.
Apart from missing the brute-force attack vector, Apple’s security team likely isn’t to blame for most of these decisions. It is one of the best in the business but was clearly constrained by other considerations that can’t be dismissed out of hand. Send too many user notifications, and they quickly lose meaning. Require two-factor authentication too frequently and users will revolt. Still, these were concerns I had even before the incident — I always worried that no matter how strong my password, my data could be exposed to an account takeover. I wouldn’t even use iCloud backup for some of my devices.
Many of the criticisms and proposed solutions were naive. Numerous writers suggested mandating two-factor authentication. That’s fine for someone like me with multiple iPhones and iPads, plus a wife I trust. But what if you have only a single iPhone and no one you trust to recover your account? Email password resets were another option, but what happens when the associated email account is compromised or is accessible only from the device you’ve lost? Go to an Apple store with an ID? That’s fine for urbanites, but a massive inconvenience for a large swath of the population.
Hundreds of millions of customers use Apple products. I don’t know what the iCloud numbers are, but we are talking about a company that sold 10 million iPhones in a weekend. Security complexity increases exponentially as fringe situations encompass millions of users. With Apple operating on that scale, the rules change.
Even behavioral analytics (identifying deviations from normal behavior through big data and automatic analysis) fails at some point. Take our celebrities, who may use their devices from 10 countries in 10 days during a press junket. They would likely have been excluded from the rules that could detect an attack on most accounts.
Apple thus faces one of the most complex security challenges in society, and faces it at a scale only a handful of companies need to consider.
All In -- Apple is fully capable of using its design and technical resources to tackle tough security issues. Touch ID is a masterful implementation of fingerprint technology. Apple approached the problem unlike anyone else, and simplified a complex problem to increase both usability and security without exposing privacy. Messages, FaceTime, and iCloud Keychain all leverage ingenious uses of encryption that are nearly transparent to the average user, yet still support more-complex options for those with greater security concerns. Gatekeeper effectively cut off the possibility of a widespread Mac malware market before it could grow. Apple Pay looks to be one of the most secure and simple payment systems ever implemented.
Contrast these with Apple’s implementation of two-factor authentication, which is no better than anyone else’s, and until recently quite a bit worse. It’s one of those tremendously difficult problems screaming out for an elegant solution. The company’s response to authentication and account ownership requires a Touch ID–like rethinking of the problem. And to be clear, Apple is far from the first to tackle it.
Apple’s initial response to the celebrity photo thefts closed the most significant gaps. Two-factor authentication, if you enable it, now protects everything related to iCloud. Since two-factor authentication breaks third-party software that relies on usernames and passwords alone, Apple also added the capability to create secure application-specific passwords that don’t expose your entire account. App-specific passwords are bit of a hack — most other consumer cloud providers use a standard called OAuth instead — but moving directly to OAuth would break everything until developers could catch up. But Apple will need it eventually.
Apple is also sending more notifications for logins and changes to your account. This helps, but starts veering into a Windows Vista–level of notifications, especially with all the new device-level privacy notifications in iOS 8.
We don’t know what Apple is doing on the server side, and likely never will. The company may be using a range of technologies similar to those used by banks. We do know it doesn’t use risk-based authentication, which is the technology that causes your bank to occasionally ask you if you logged in from a trusted computer. I doubt that’s the only gap.
I’m not about to tell Apple what to do, even speaking as someone who makes his living advising companies on cloud security. But I suspect there will be two basic facts about Apple’s future cloud security moves:
Apple will tackle the authentication problem, and likely attack it from multiple angles, all with a focus on simplifying a complex situation. No single approach has ever been shown to work at the scale at which Apple operates, so the challenge will be to simplify a range of options for different user demographics. Today Apple is, at best, average at this. With iCloud becoming the center of the Apple ecosystem, the company will need to break new ground. Even very few banks, if any, face the combination of internationalization, number of users, and diverse customer skills that Apple does.
Apple will use every cloud security option in the book, and aggressively adopt new approaches and technologies on a continuous basis. It’s the logical progression of a continual cat-and-mouse game as criminals constantly seek new ways of compromising user accounts. Apple has excellent server security, but account security requires different thinking and different tools.
At least I hope this is what Apple will do. One of my greatest fears is that Apple will focus more on trying to change user behavior, rather than improving the engineering of the systems. In a Wall Street Journal interview Tim Cook said, “When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece, I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”
My guiding principle as a security professional is: “Don’t expect human behavior to change. Ever.” No one, not even Apple, is about to eliminate the need for passwords or come up with a single, near-perfect way to protect accounts. Nor can we rely on education or better security habits when hundreds of millions of users are involved. Apple most definitely had, and should have used, engineering options that could have reduced the chances of these attacks.
Apple just invested three years designing the first version of the Apple Watch. I look forward to seeing what the company can do with passwords and account takeovers once it truly focuses on the problem, assuming it chooses to do so.