In the fallout of last week’s celebrity nude photo publication scandal, the Wall Street Journal managed to get Apple CEO Tim Cook on the record about his company’s attitude to security.
It’s certainly fashionable to beat up on Apple over security.
One reason is the company’s self-contained, even secretive, approach to security issues.
Closed-source competitors like Microsoft and Adobe have adopted an ever-more open attitude over the years.
But Apple has remained, officially at least, unrepentantly tight-lipped:
For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.
You’re entitled to be critical of this approach, not least because customer protection is often best served by talking about security problems before a patch is available.
That’s particularly true in the event of a hole that is already being exploited by crooks, if a practicable workaround is available while your customers wait for a patch.
To be fair to Apple, the company does occasionally break with protocol and make pronouncements before a patch is ready, as it did in case of the Pwnie-award-winning [7’47”] goto fail bug, for instance.
But, for the most part, Apple speaks on security only when it wishes to, not when you might prefer it to.
Of course, a lack of openness when you are at fault can rebound to your disadvantage when, strictly speaking, you aren’t at fault, and that’s just what happened to Apple over the nude celebrity photos.
At least some, if not many, of them had been stolen from iCloud, synched there (intentionally, if ill-advisedly, one assumes) by the celebrities themselves.
So early reports – rumours might be a better word – were quick to assume some sort of breach in iCloud itself: a security hole that might leave everyone at risk, no matter how carefully they had chosen their passwords and guarded their account from crooks.
That turned out not to be the case, and with no “necessary releases or patches” on the agenda, Apple understandably went into bat for itself, speaking publicly to all iCloud users:
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification.
But Apple’s two-step verification doesn’t protect your iCloud data, as Naked Security’s Chester Wisniewski verified soon after Apple’s advice came out:
Apple's suggestion of choosing secure, long and complex passwords is valid, but the suggestion that the two-step authentication option will secure its customers is simply wrong.
It's genuinely disappointing. Apple has the tools, infrastructure and capability to offer more secure options to its customers, but up to this point has chosen not to.
So, when the WSJ got Tim Cook to pronounce on the future of iCloud security, the article started encouragingly:
Apple Inc. said it plans additional steps to keep hackers out of user accounts.
The truth, it seems, falls a little short of keeping hackers out, and is more a matter of telling you the stable door is unlocked after the horse has bolted.
According to the WSJ:
Mr. Cook said Apple will alert users via email and push notifications when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time.
If all else fails, getting a notification that a security breach has started is a lot better than nothing, provided, of course, that you don’t ignore the warning signs and go from bad to worse.
But Tim Cook’s security promise isn’t really what his well-informed users want, and it certainly isn’t what they need, which is two-step verification for recovering iCloud data in the first place.
We’d like to see more
Come on, Apple!
You insist that customers who want to turn on two-step verification should give you a phone number where you can send them one-time login verification codes, meaning that a stolen, lost, guessed or leaked password becomes much less serious: a crook needs that magic login code as well as your password.
You’ve extended the countries in which you support your SMS-based authentication from the original five countries to 59.
Now let your customers choose to require this extra layer of security whenever they want to restore their iCloud data, not just when they want to adjust their account settings.
What you’ve got at the moment is a bit like an ATM card that asks for the PIN only when you want to change your daily withdrawal limit, not when you actually do a withdrawal up to your limit.
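As an added example (it is not Apple's code and is not from the original article), here is a toy two-step login service in Python that models the policy the article asks for: the password is step one, a single-use code texted to the enrolled phone is step two, and nothing sensitive happens until both are done. The five-minute code lifetime, the three-guess limit, the in-memory SMS outbox, the account names and the operation names are all assumptions made for the example. The "weak" policy puts only settings changes behind the second step, which is the behaviour the article describes; the "full" policy also gates restoring the data, which is the fix being asked for.

```python
# Toy two-step verification service (added example; not Apple's implementation).
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300        # assumed: a code dies five minutes after issue
MAX_CODE_ATTEMPTS = 3         # assumed: three wrong guesses burn the code
CODE_DIGITS = 6

# The article's complaint: only account settings sat behind the second step,
# while restoring the data itself did not.  The fix is a policy change.
WEAK_POLICY = {"change_settings"}
FULL_POLICY = {"change_settings", "restore_data"}


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class Account:
    password: str             # plaintext only in this toy; store a salted hash for real
    phone: str
    challenges: dict = field(default_factory=dict)   # session_id -> Challenge


class TwoStepServer:
    def __init__(self, protected=FULL_POLICY, clock=time.time):
        self.protected = protected
        self.clock = clock                # injectable so tests can fast-forward expiry
        self.accounts = {}
        self.verified = set()             # (user, session_id) pairs that passed step two
        self.sms_outbox = []              # constructed stand-in for an SMS gateway

    def add_account(self, user, password, phone):
        self.accounts[user] = Account(password, phone)

    def start_login(self, user, password, session_id):
        """Step one: check the password, then text a fresh single-use code."""
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.password, password):
            return "bad_password"
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        acct.challenges[session_id] = Challenge(code, self.clock())
        self.sms_outbox.append((acct.phone, code))
        return "code_sent"

    def submit_code(self, user, session_id, code):
        """Step two: the guess must be timely, and only a few guesses are allowed."""
        acct = self.accounts.get(user)
        ch = acct.challenges.get(session_id) if acct else None
        if ch is None or ch.used:
            return "no_challenge"
        if self.clock() - ch.issued_at > CODE_TTL_SECONDS:
            ch.used = True
            return "expired"
        if ch.attempts >= MAX_CODE_ATTEMPTS:
            return "locked"
        ch.attempts += 1
        if not hmac.compare_digest(ch.code, code):   # constant-time compare
            return "locked" if ch.attempts >= MAX_CODE_ATTEMPTS else "wrong"
        ch.used = True                    # single use: replaying the same code fails
        self.verified.add((user, session_id))
        return "ok"

    def perform(self, user, session_id, operation):
        """Protected operations need a session that completed both steps."""
        if operation in self.protected and (user, session_id) not in self.verified:
            return "denied"
        return "done"


def crook_with_stolen_password(protected):
    """Someone who knows the password but does not hold the phone tries to
    pull the account's data.  Returns the outcome under the given policy."""
    srv = TwoStepServer(protected=protected)
    srv.add_account("alice", "correct horse battery staple", "+1-555-0100")  # constructed
    assert srv.start_login("alice", "correct horse battery staple", "crook") == "code_sent"
    # The code went to alice's phone; the crook never sees it.
    return srv.perform("alice", "crook", "restore_data")


def owner_restores_data():
    """The legitimate owner completes both steps, then restores; replay fails."""
    srv = TwoStepServer()
    srv.add_account("alice", "correct horse battery staple", "+1-555-0100")  # constructed
    srv.start_login("alice", "correct horse battery staple", "phone-1")
    _, code = srv.sms_outbox[-1]          # the owner reads the SMS off her handset
    first = srv.submit_code("alice", "phone-1", code)
    restore = srv.perform("alice", "phone-1", "restore_data")
    replay = srv.submit_code("alice", "phone-1", code)
    return first, restore, replay


if __name__ == "__main__":
    print("weak policy, stolen password:", crook_with_stolen_password(WEAK_POLICY))  # done
    print("full policy, stolen password:", crook_with_stolen_password(FULL_POLICY))  # denied
    print("owner, full policy:", owner_restores_data())  # ('ok', 'done', 'no_challenge')
```

The only difference between the two outcomes for the crook is which operations the policy set gates; the password check, the code delivery and the code verification are identical. That is the ATM analogy in code: the PIN mechanism already exists, the question is merely which transactions ask for it. The expiry, attempt limit, single-use marking and constant-time comparison are the details a real deployment needs so that the second step cannot simply be brute-forced or replayed.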
Have your say
Do you agree with us?
Should Apple extend its two-step verification to iCloud, or is that just a step too far?
I care about a LOT of things…but not necessarily enough that I’ll actually DO anything about them.
I imagine Apple will care enough when it starts to affect their precious bottom line.
It’s rare to see a strongly worded article against Apple for all of this fallout, but this one hit the nail on the head. Apple has a lot to blame for this ordeal, and ponying up an excuse to use 2-step verification which does not even help iCloud, shows their true priority in attempting to misdirect the blame for the hack onto its users.
With the launch of the new iPhone tonight, let's see if he says anything about this.
The two above links under “We’d like to see more” give me 404s.
As with Gmail’s 2-step, I want to receive a one-time code on my phone every time iCloud access is attempted from an unrecognized device. For iCloud they could add email delivery.
Is the foot dragging due to being afraid of complaints over hindering access to some of the routine features?
Ouch – thanks for that, the links are now fixed.
I can only assume that you’re right about why iCloud isn’t more vigorously protected by 2FA – it’s to make sure the service retains its convenience and so-called “frictionlessness.”
But what about an option that would allow security-sensitive users to increase their iCloud friction deliberately by opting in to stricter 2FA for their iCloud data?
It would seem the phone where the ‘lost password’ is sent would also have the email synced on it. So, if someone picked up my phone they would have access to both the email and the phone number where Apple (or anyone else for that matter) sends the recovery information. What am I missing?
You don’t have to have the SMSes on the same device. (Indeed for a Wi-Fi only iPad, you can’t.)
But for the average iPhone, your email and SMSes are indeed likely to be reaching the same place. I presume that’s why Apple uses the terminology “two-step verification,” not “two-factor authentication,” because you could argue in many cases it’s more like one-and-a-half-factor authentication.
If you lock your phone with a decent password and a short timeout, though, a thief might not find it easy to access the phone. (You can make “recovery codes” for when you can’t receive SMSes, and lock them away somewhere safe.) You’d want a PIN set on your SIM card, too. SIMs only allow three guesses, then they freeze and need a 10-digit PUK. Ten guesses at that and they implode.
No. The issue was basic failings in password rate limiting and lack of additional controls on password reset.
2FA is definitely good, but Apple's failings were much more fundamental.
Why aren’t they being held to account?
This is a bit late in the game, but I just got this message from Apple apropos iCloud. Looks like they actually got the message.
Thank you for using two-step verification to protect your Apple ID. This email provides information about recent updates to your service.
Two-step verification now protects iCloud
Starting today, in addition to protecting your Apple ID account information, two-step verification also protects all of the data you store and keep up to date with iCloud. For more information, read the Two-Step Verification FAQ.
Sign in securely with app-specific passwords
If you use iCloud with any third party apps such as Microsoft Outlook, Mozilla Thunderbird or BusyCal, you can now create app-specific passwords that let you sign in securely even if the app you are using does not support two-step verification.
To generate an app-specific password:
1. Sign in to My Apple ID (https://appleid.apple.com)
2. Go to Password & Security
3. Click Generate App-Specific Password
App-specific passwords will be required starting on 1 October 2014.