Unless you’ve been on the moon this week, you will have heard about the Great Big Celebrity Naked Picture Theft.
Apple has confirmed it’s found no evidence of a security breach, but it does know that some individual iCloud accounts were compromised.
From a statement released on Tuesday:
None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
The company said that the individual accounts were accessed the old-fashioned way – by figuring out the victims’ login credentials.
Which led to the following recommendation:
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification.
I couldn’t agree more. It is just unfortunate that Apple’s two-step verification is almost useless and would not have prevented these attacks at all.
This leads me to the conclusion that it is time for an intervention. Users of Apple products and services deserve choices that at least allow them to opt-in to security functions that have become industry standards.
I wrote about the limitations of Apple’s two-step verification last October, including that it was – at the time – only available in a handful of countries. Since then, very little has improved.
The only real difference is that people in more than 11 countries can now feel a false sense of security by enabling “two-step”.
To be sure this was still the case, I spent the day with my Apple devices trying every combination I could to create a situation that would prompt Apple to verify my identity using more than my password.
First I added my phone to my Apple ID and enabled two-step verification. I agreed to the multitude of warnings of how I would be on my own and no one could save me if I proceeded.
Not exactly reassuring for those who don’t understand what is going on behind the scenes.
I then proceeded to take a selfie with my iPad and allowed it to synchronize to my iCloud account. I set up a new Mac to access the same Apple ID and voila! I could see my photos with nothing more than the account password.
I became a bit more worried. What good is two-step verification if it doesn’t protect any of my information?
I proceeded to log into a second iPad and chose to delete the backup I made of my primary iPad. *BOOM*, deleted. No need to verify my identity, just gone.
The final test involved erasing the iPad after deleting the backup. A few clicks, I reaffirmed my password and gone. Deleted. Convenient if stolen, but a damning confirmation that two-step verification is not in any way helping protect your data.
What does it take to prompt you for the “second step”? I could only find two ways to make it happen.
- Attempt to modify the security settings of your Apple ID.
- Make a purchase from the App Store or iTunes from an unknown device.
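To make that gap concrete, here is an added example (not code from the original article, from Apple or from Naked Security) that models step-up authentication as a policy question: a logged-in session carries an assurance level, and each account action declares the level it needs. One policy table is constructed from the findings above, where only the two listed operations demand the second step; the other gates the data operations the tests exercised (reading photos, deleting a backup, erasing a device) behind the second factor as well. The second factor is modelled as an RFC 6238 TOTP code, which is an assumption for illustration: Apple's two-step sent codes by SMS or to a trusted device, and the point is which actions trigger the check, not how the code is delivered.

```python
"""Step-up authentication model: which account actions require a second factor.

Added example, not code from the original article, Apple or Naked Security.
The action lists are constructed from the article's findings; the second
factor is modelled as RFC 6238 TOTP (HMAC-SHA1, 30-second step) purely as a
stand-in for whatever channel delivers the code.
"""
import hashlib
import hmac
import struct

PASSWORD_ONLY = 1   # the account password was accepted
SECOND_FACTOR = 2   # a valid second-step code was also accepted

# Constructed from the article: only the first two operations prompted for
# the second step in 2014; everything else needed just the password.
ACCOUNT_ACTIONS = [
    "modify_security_settings",
    "purchase_from_new_device",
    "read_photos",
    "delete_backup",
    "erase_device",
]
APPLE_2014_POLICY = {a: PASSWORD_ONLY for a in ACCOUNT_ACTIONS}
APPLE_2014_POLICY["modify_security_settings"] = SECOND_FACTOR
APPLE_2014_POLICY["purchase_from_new_device"] = SECOND_FACTOR

# The policy the article argues for: reading or destroying iCloud data also
# demands the second factor.
STEP_UP_POLICY = {a: SECOND_FACTOR for a in ACCOUNT_ACTIONS}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step, digits)


class Session:
    """What a logged-in device holds: who it is, and how strongly it proved that."""

    def __init__(self, user: str):
        self.user = user
        self.level = PASSWORD_ONLY     # password accepted; nothing more yet
        self.used_counters = set()     # TOTP counters already consumed (anti-replay)


def authorize(session: Session, action: str, policy: dict) -> str:
    """"allow" if the session's assurance meets the policy for this action,
    "step_up" if a second factor must be presented first, "deny" if unknown."""
    required = policy.get(action)
    if required is None:
        return "deny"
    return "allow" if session.level >= required else "step_up"


def step_up(session: Session, secret: bytes, code: str, now: int,
            step: int = 30, skew: int = 1) -> bool:
    """Verify a submitted TOTP code, tolerating +/- `skew` time steps of clock
    drift, refuse a counter that was already used, and on success raise the
    session to SECOND_FACTOR. Constant-time compare avoids leaking the code."""
    base = now // step
    for counter in range(base - skew, base + skew + 1):
        if counter in session.used_counters:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            session.used_counters.add(counter)
            session.level = SECOND_FACTOR
            return True
    return False


def keylogger_scenario(policy: dict) -> dict:
    """An attacker who captured only the password signs in on a new device and
    attempts each operation the article tested. Returns action -> decision."""
    attacker = Session("victim@example.com")   # constructed sample account
    return {a: authorize(attacker, a, policy) for a in ACCOUNT_ACTIONS}


if __name__ == "__main__":
    for name, policy in (("2014 two-step", APPLE_2014_POLICY), ("step-up", STEP_UP_POLICY)):
        print(name, keylogger_scenario(policy))
```

Under the first table the keylogger scenario is allowed to read photos, delete the backup and erase the device; under the second every one of those returns "step_up" until a fresh, unused code is presented. The replay check matters because a one-time code intercepted alongside the password is only useless if the server refuses to accept it twice.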
This behaviour is not only unacceptable but misleading. Here at Naked Security we have been advising our readers to enable two-factor (or two-step, as Apple calls it) authentication to provide an extra security blanket that goes beyond passwords.
While it can occasionally be inconvenient, security- and privacy-minded individuals like the option to have a speed bump between a keylogger and access to their entire digital kingdom.
The public's concern about the security of the information it shares in the cloud is valid, and Apple's response is only half-baked.
Apple's suggestion to choose secure, long and complex passwords is sound, but the suggestion that the two-step verification option will secure its customers' data is simply wrong.
It’s genuinely disappointing. Apple has the tools, infrastructure and capability to offer more secure options to its customers, but up to this point has chosen not to.
This isn’t unusual for Apple: it always tries to be sure your experience is frictionless, but it is a disservice not to offer security when all of the pieces are in place and so many of its customers want more protection.
Should Apple extend its two-step authentication to not just protect your email and password, but also the sensitive data (photos, contacts, calendars and backups) you rely on iCloud for? Answer our poll and feel free to share your comments below.
Special thanks to Anna Brading for a kick in the pants to move this along and Paul Ducklin for advice on the efficacy of Apple’s choices.
Maybe it would be better not to take those kinds of things in the first place, than to depend on someone else to provide “security” to protect your junk?
Not that I support taking “Naked” photos of yourself and storing them online, because you can do what you like, besides that’s not even an argument unless you’re a prude. If it weren’t pictures that were stolen it could very easily be something of worth or value to someone and that is where the argument should be focused, not on what the content is but rather how it’s protected.
While you may be correct about the celebs and photos, it seems to me the photos were merely a trigger into this article. The article is exposing a much deeper rift in Apple’s security. They can “truthfully” say that their security wasn’t compromised, but only because they didn’t have much in the first place.
Ouch.
What a horrible argument. When a company you entrust to secure your data has been breached, the company should never tell its customer “you should not have created that data in the first place”!
Seems to me that when “The Cloud Storage” services started, I saw that as an opportunity for the bad guys. I don’t use cloud services. I do use a password generator and storage system to keep my password complicated and don’t remember them but for the master password. That has issues, also. Now just to convince some of my online services that 10 character passwords with no allowance for special characters is not acceptable. Took a while to allow the changing of usernames. That is big in my book, changing the user name which Apple does not allow.
Nude photos stored in the cloud? Really? That isn’t an issue?
Personally, I see zero point in allowing a third-party to have access to my photos “in the cloud”. Sure, it can make things super-convenient, but to the point where you have effectively given-up control. What is so difficult about syncing your data to a computer?
Also, “the cloud” is just a return to the old days of centralized data, i.e. mainframes, just wearing nicer-looking clothing. Tis why I never use it except where required by my employer.
AND one cannot use 2 step verification on Gmail if one is using an Apple computer and Apple’s mail program! Apple verified that with me when I called complaining to them.
There are two huge problems with that whole “Just don’t take nude photos or put them online” argument:
1) People (even technically savvy people) do things all the time that they expect will remain private. It’s called life and freedom and so on.
2) The line between “online” and not is extremely confusingly blurred. I am technically competent but I’m not going to pretend to know where my information footprint ends up without my ability to do or say anything about it. There is no clearly separated “local” and “online” any more.
The non-tech’s perspective is this: You use a phone to take a photo in your bedroom, and even if you don’t try to sync or backup or send it to anyone, it still ends up not only “out there” but impossible to delete even once you’ve removed it from your device.
Let’s remember that users are strongly encouraged to enable the “iClouds” and “Find my Phones” and data backup and recovery tools and all that when first setting up a device. They may never really know what they do or if they use them, but it seems like the sensible and prudent thing to do at the time.
My sympathies lie wholeheartedly and completely with the victims of this hack. It’s not their fault that they did private things in private.
The only take-away for all of us is that strong passwords and recovery questions have to be taken very seriously, and we really can’t trust any device or account without investing a good deal of time to dig into all the opt-ins, opt-outs and options generally. Even then it’s hit and miss, and who — other than a few of us paranoid tech people — really do that anyway?
G
So why doesn’t Apple FORCE strong passwords vs. just recommending them? Most of the general public, I bet, don’t have a clue as to what a strong PW is or the risk of compromise with weak passwords.
I suppose “the cloud” can be secure with proper implementation, but it has never seemed like a good idea to me except to provide redundancy as a part of a comprehensive backup strategy. It’s mystifying to me that anyone could entrust their data exclusively to cloud storage.
I use it as the fifth level of redundancy for a data server I administer. The first three levels are hard drives, the fourth is optical, and only then am I willing to use offsite “cloud” storage on an encrypted channel.
Even so, the cloud-stored data itself is encrypted. There’s no such thing as absolute certainty about security when others are holding your data. Once you entrust it to someone else, you’re at the mercy of their competence.
Apple can do much better. They should.
I agree two-factor authentication is the way to go, but you could extend it to say that other services should employ this 2FA, such as Dropbox, SkyDrive, Google Drive etc., as they are also exposed to the same simple social hacking. I don’t use iCloud but I do use the other services, so do you have anything to say about them?
Dave
The point is that Apple issued advice that said: “To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification.”
And yet Chester’s investigation shows that their implementation of two-step verification provides no protection against this type of attack (their words) at all.
We’re big advocates of 2FA across the board but this bogus advice was worthy of being called out.