We Can Fly to the Moon, but We Can't Secure the Cloud?
The entire freaking tech industry is falling down on the job, and Apple, my favorite company in the world, is stumbling around too. What's worse is that it doesn't seem to care.
Apple is the most profitable consumer tech company in the world, with billions of dollars in the bank -- so much that it's in the middle of a US$130 billion effort to return profits to shareholders. Yet the company can't seem to be bothered to imagine that iCloud user accounts could be compromised by brute force password attacks launched with a Python script offered up on GitHub?
As the nude celebrity photo hacking scandal unraveled over the last few days, Apple's iCloud services initially were the target of blame. Tech experts suspected that perhaps a flaw in Apple's Find My iPhone service let hackers repeatedly try to guess a user's password in order to crack the front door to Jennifer Lawrence's iCloud account -- and the iCloud accounts of other celebrities.
It turns out that particular flaw doesn't seem to have been used by the celebrity hackers, but it is this revelation -- not the boobies or bottom of some A-list celebrity -- that has caught my attention.
Let's get this straight: A hacker could gain access to an Apple customer's iCloud account by brute-force guessing a password? How is that possible in 2014? How did Apple not think of this? How could a massive blast of failed password attempts go unnoticed and not generate some sort of secure response?
I find that utterly mind boggling.
Sure, after the backside of Jennifer Lawrence was posted on image-sharing boards and forums, someone woke up at Apple and fixed the vulnerability.
Great. But it gets worse.
Apple, it turns out, released a company statement that claims that the iCloud accounts were hacked through more traditional efforts -- that the celebrity accounts were compromised after a very targeted attack on user names, passwords, and security questions. So through a certain amount of social engineering, phishing or guessing, iCloud accounts were compromised.
Oh, ok. There wasn't an actual breach in this case -- it was just some high-profile women -- who probably don't usually share their Apple ID or email address very often -- who were compromised.
The basic message from Apple sounds like this: It's all good in iPhone AppleLand folks, nothing to see here. Move along. Oh, and check out this obscure support page on our site where we advise all users to always use a strong password and enable two-step verification, which we've already clearly addressed.
Talk about tone deaf. The fact is, security is hard, and Apple would rather avoid the issue rather than stare it in the face and fix it. Or maybe it's all just about "hard choices," like choosing convenience over security. And Apple enables some security but errors toward the convenience that sells iPhones.
This is understandable, except that Apple's security system is barely serviceable. Apple's two-factor authentication isn't even used to protect all iCloud services. Once hackers obtain an iCloud password, they can easily view all sorts of photos and documents.
It gets worse: They can also download backups of your entire iPhone that were created months ago. In this way, a photo that you took while romping in the bedroom with your spouse -- giggled over, kept for a few days to remind you of good times, and then deleted -- can live on. This may have been the way Mary Winstead's were pulled from the so-called trash to gain new life on the Internet. Nice.
While Apple might not care about nipple shots, you would think the company would care deeply about corporate security and enterprise security. The celebrity hackers were after naked pics, but what if they were after infrastructure information about our nation's hydroelectric dams? Once a hacker breaks into an iPhone via Find My iPhone -- uh, doesn't that give a person location awareness of your iPhone? Like where you live? Where you go? Where you are right this minute?
I am so disappointed in Apple.
Excuses, Excuses, Excuses
Of course, if you think about the iCloud backup of your iPhone, what's the greater good? Apple's easy iCloud backup service helps thousands of people retrieve their entire iPhone after they break their iPhones. In this way, their photos are all saved. For example, a young single mother can have only one computing device, an iPhone, and back up all of her wonderful baby photos simply by using iCloud. That's marvelous, right?
Until someone gets obsessed with her child. Until someone figures our her Apple ID, which easily could be her email address. Suddenly her daughter's bathtime photos are being trafficked on shady bulletin boards or backwater channels -- maybe for years -- while she doesn't even know her iCloud account has been compromised. Or that the hacker knows where she is. This particular danger isn't limited to Apple, but I expect a helluva lot more out of Apple than I do other companies.
The thing is, what the naked celebrity pics have really revealed is that there are all sorts of tools and hackers for hire readily available to accept a little bitcoin to crack into a person's iCloud account and download everything.
Here is a another example: If your daughter's ex-boyfriend knows her iCloud ID -- and he's an ex-boyfriend for a good reason -- it's not a leap that he could buy some tools or pay someone in a foreign country to crack into her iCloud account so he can retrieve the naughty pics they took before they broke up -- or anything else.
Nic Cubrilovic dove into the dark underworld of celebrity data theft and found a loose organization of hackers, collectors and distributors:
"The frequent source of new leads for targets seems to be newcomers who know somebody they want to hack and have stumbled onto one of the networks offering services via search terms or a forum they frequent. The new contributor will offer up a Facebook profile link, plus as much information as is required by the hacker to break the account, plus possible assistance in getting a RAT installed if required.Is one teenager's stupid selfie, distributed across a high school, any less damaging than Jennifer Lawrence's silly naked pose?
"In exchange the hacker and ripped will supply the person providing the lead with a copy of the extracted data, which they will also keep for themselves. This was one of the most unsettling aspects of these networks to me -- knowing there are people out there who are turning over data on friends in their social networks in exchange for getting a dump of their private data."
So what do I expect? Is it Apple's job to prevent every bad guy from doing bad things?
I can get all righteous about this, but the fact remains that many users don't even come close to managing their own security with any reasonable measure of responsibility. Their password is "123abc" and they use it for everything. If they choose to answer a security question, do they actually use a true answer that they will remember? Some of Apple's so-called security questions include the first name of your best friend from high school. Find a few yearbooks online, figure out who is in photos together with your target, and boom, there's an answer. How about your favorite sports team? Step through a series of tweets and it'll likely appear. Or guess the hometown teams.
This stuff is barely there security. More the point, the tech experts and security pros seem to think it's the fault of users for not coming up with -- and remembering -- made-up false answers.
What's the name of your best friend from high school? Huckleberry Sticker Wrench. That's tough to guess, right? It's also tough to remember -- and it assumes that everyone has a safe place to write this stuff down. Does a college kid who lives in a dorm with three other kids have a safe place? Not exactly. Never mind people who have more difficult lives than your average middle-class American.
It's the User's Fault!
In fact, the whole username and password system sucks, but somehow the attention goes less toward the system and tools and more toward how to deal with the system. All the ridiculous trappings tech companies and security professionals add to the username and password system don't make it suck any less. Make your combinations unique. Make them ridiculously long. Make them more complicated. Change them frequently. Give false answers to security questions. Remember everything -- but not in a place where someone else can find your list.
These are the recommendations for millions of people in 2014? When you stop and think about it, we put human beings on the moon in 1969 -- and brought them back safely to Earth. And we can't somehow manage to figure out how to delete a naked bedroom pic taken among consenting adults so it's actually deleted?
So what's the answer? Better biometric ways of identification, like Touch ID? Think about it: It's one thing to have Touch ID data resident on a device in your control. It's another thing to let that information hang out on Apple's iCloud servers, which we've already seen aren't secure -- in 2014 -- against even unimaginative password-guessing scripts. And if you lose your iPhone with Touch ID, does that mean you have to find a new Touch ID reader somewhere?
You could walk into an Apple Retail Store, place both hands on the counter to scan them, as well as a get a map of your eyes, and step up for a quick dose of radiation for a dental x-ray, and make it much harder to crack into your accounts -- but who wants that?
You want an RFID tag inserted into your palm? A special iRing device? A sticker? An iWatch as a secondary key? An Apple TV in your home?
So how do you make something secure that's easy to use and that's convenient for millions of people who live in widely different conditions around the world?
I don't know... but I sure as heck expect Apple to figure it out. Why? Apple is the most profitable company. It has the most money and nearly infinite resources. It controls most every portion of its magical ecosystem -- the hardware, the software, the services.
Why can't Apple do a better job with security? Why can't Apple come up with a better way?
Why can't Apple launch a marketing campaign to educate millions of consumers on how to use security properly -- and tell its customers, in no uncertain terms, exactly what is covered, how it is covered, and for how long it might sit somewhere on some server in the sky dormant until someone with power or guile comes after it?
Is this a lack of corporate will? Sure as heck seems like it.
What do we have coming this fall from Apple? HomeKit, so Apple devices can manage Internet-connected home automation appliances and devices. HealthKit, so Apple devices and apps can know you more personally than ever -- and communicate with doctors and such. CarPlay, so iOS can be in your car, too. What's Apple's answer here? Are the keys to your kingdom all riding on one password? On some dumb security questions? On two-factor authentication that isn't even invoked when someone wants to download the entire contents of your backed-up iPhone?
The thing is, I want Apple to have better answers. I think Apple has the resources it needs to create better answers. If you took, say, a billion dollars of spare cash, do you think you could come up with some better solutions? I'm guessing that more than a few readers could make some improvements to consumer security with a billion-dollar budget. I don't believe that Apple cares enough to find the answers.
What's worse is that Apple also has the power and resources needed to influence the social aspects of security to create industry change. Apple can spends tens of millions of dollars on slick television ads that inspire people to create their own "verse" and yet can't even create a damn video that walks a customer through two-factor authentication?
There are a lot of ways Apple could improve security. If we're lucky, the brouhaha over high-profile celebrity nakedness might be the kick in the pants Apple needs to get innovative and easy with security. I can't think of any company better positioned to get the job done. Like I said, Apple controls the entire product stack: hardware, software, and services.
I expect more from Apple.