Last Friday, The Verge revealed the existence of a dead-simple URL-based hack that allowed anyone to reset your Apple ID password with just your email address and date of birth. Apple quickly shut down the site and closed the security hole before bringing it back online.
The conventional wisdom is that this was a run-of-the-mill software security issue. "It’s the kind of server misconfiguration you see on the internet ten times a week," one might say. "And it’s not as if your iTunes password even gets you to real money. This is why Apple added two-step verification." Or, "Apple saw the hole and shut it down before most users even knew it was there. This is how things are supposed to work."
No. It isn’t. It’s a troubling symptom that suggests Apple’s self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn’t going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple’s entire ecosystem of devices, stores, software, and services.
"Apple's iForgot server is essentially the master password reset for its entire cloud service," says cryptographer Matthew Green, a professor at Johns Hopkins University (and self-described "Apple fanboy"). Apple IDs have become the point of entry "for all of the data that people store on their phones, for all of the email they sort through iCloud. All of that data can be accessed essentially by resetting somebody's password on iForgot."
"You'd think that if you were the security team at Apple, and you had limited resources to devote to any part of the system, what you'd really be focusing on is that iForgot system," adds Green. "You would have it audited both internally and also by at least one outside reviewer. And the fact that this very kind-of-stupid bug made it through whatever process Apple put in place, to me makes it seem very unlikely that Apple did those things."
Apple ID isn't just used for iTunes. Here are just some of the services underpinned by Cupertino's universal login:
- Apple Online Store
- Apple TV
- Bookmarks, Notes, and Reminders
- Calendar, Contacts, and Mail
- Documents in the Cloud
- Find My iPhone
- Find My Friends
- Game Center
- iBooks and iBookstore
- iTunes Store
- iPhoto and Aperture Purchases
- iWork Publishing (publish.iwork.com)
- Mac App Store
- My Support Profile
It’s not clear that Apple security immediately understood the nature of its server vulnerability even after it was disclosed. According to iMore’s play-by-play, Apple initially simply put a maintenance sign over the iForgot page, preventing ordinary password resets. But even then, a hacker could still force a password reset and skip Apple’s security questions simply by entering a URL as if the page were still accepting resets, fooling the still-online server into thinking those two questions had been successfully answered. When it became aware that user passwords were still vulnerable, Apple then took the iForgot server completely offline, which it could (and arguably should) have done straight away until the security hole had been plugged.
The most common response to the hacks was for users to enable two-step authentication, a long-awaited, recently-deployed security measure that requires access to a registered device as well as a password to access Apple ID services. Unfortunately, at the time of the hack, an option to enable two-step authentication for iCloud accounts had been introduced to the US, UK, Australia, Ireland, and New Zealand — and nowhere else. Many users who tried to turn on two-step authentication were subject to a mandatory multi-day waiting period before the password hack had even been fixed.
So Apple’s response to this crisis actually wasn’t perfect. It was sloppy, slow, and uneven. Just like the approach to ID security which got Apple and its customers into this mess.
Apple ID: your password is your passport
What harm could someone do with access to a user’s Apple ID? If the motive is simple vandalism, as in the case of Wired writer Mat Honan, Apple’s "Find My..." services make it easy to remotely wipe a user’s phone, tablet, or computer. Email, iMessage, iChat, or FaceTime allow hackers to read or send private messages as the user, and iCloud would allow them to read, create, or deface other files as well.
More startling is the possibility that a password reset allows the hack to spiral out, iterating from one user to the next and from online to offline. Access to a user’s contacts gives a hacker access to a fresh pool of email addresses and dates of birth; access to iMessage gives them the specific email address associated with those contacts’ Apple IDs. "Find My iPhone," "Find My Friends," and Calendar can let you know where, when, and with whom a user and his or her contacts can likely be found. This can be particularly devastating if it’s a hack targeted at a particular user, with the specific goal of causing physical or material harm to that person or someone close to them.
But the real play here for both vandals and professional criminals is for personal data and documents. With an unlocked Apple ID, data can be harvested either through services like email or iMessage, or more likely by cracking open cloud backups of users’ devices. These backups contain app data, app and system settings (but not passwords), as well as photos and videos, text messages, voice mails, and other data.
"Apple doesn't give a lot of detail about what gets backed up, but presumably everything on your phone is now in the cloud, assuming you do the default setup on an iPhone," says Green. "So that's a lot of data that's now protected using essentially the same security system that was just protecting your iTunes account" three or four years ago.
It would be easy to retrieve copies of device backups, documents, contacts, mail, and messages from the cloud but otherwise leave a user’s profile intact; by the time a user knows something is amiss, he or she would only be aware that his or her old password is no longer functioning. Criminals don’t need continued access to users’ digital identities if they can browse full copies of their cloud data at leisure. Even strong encryption can be broken when time is no longer a factor.
All of this underscores the seriousness of Apple’s security lapse with iForgot. This was a high-priority system defeated with an extremely common form submission hack. It’s the equivalent of breaking into someone’s home by opening a first-floor window someone forgot to lock. Then imagine it happening again and again and again.
But Apple’s status as the largest technology company in the world, and the unique level of trust Apple users have in its systems, actually makes it worse than that. "Imagine that the Secret Service left the front door of the White House unlocked, forgot to turn on the security system, and then it was discovered that the entire protection detail had gone out to a bar, leaving the president completely unprotected," says Green. "That's the analogy that I would give to this particular bug."
The unsexy bits of data security
As alarming as the consequences of an insecure Apple ID might be, what it says about Apple’s security procedures is even more frightening. "You know the Secret Service does a lot of other things besides protect the president," Green says. "So if they're not getting this one, extremely high profile job done right, then what about the other things — the much more complicated and subtle things — that don't get anywhere near as much attention? How can we trust that they're doing those things right?"
A server-side attack on Apple’s cloud could get customers’ credit card numbers and addresses, device backups with their encryption keys — as well as contacts and Apple IDs — anonymously and in bulk. Those systems may be defended like a castle, but bandits have plenty of places to chip away at private information at the periphery: intercepting wireless location data, cracking the still-private protocols for services like FaceTime or iMessage, or imitating iTunes updates to take over a user’s phone.
There’s nothing sexy about securing these systems. None of them contribute directly to Apple’s bottom line. And when it came to securing a business netting it an estimated $2 billion each year, Apple locked the screen door and left the front door open, without asking anyone else to check that the house was safe.
Becoming a mature cloud company
To be fair, Apple takes many measures to secure data in iCloud. Except for email, notes, and music, data is encrypted (with at least 128-bit AES) both on Apple’s servers and in transmission. New Apple ID passwords are required to be "strong," i.e., a mix of letters and numbers, upper and lower case, at least 8 characters long and without more than 3 consecutive identical characters. (iTunes passwords used to be embarrassingly weak, and many weak passwords are still grandfathered into the system.) Apple now allows device-based two-factor authentication in some countries. To make big account changes, like changing a password or registering a new device, you need to answer two randomized security questions. (This was the security step bypassed by Friday’s hack.) After Mat Honan’s hack, Apple customer service no longer leans toward skipping any of these steps. Application passwords aren’t stored in the cloud and can only be stored locally when encrypted. The policies guiding Apple employees’ access to personal data and what they can do with it (or allow someone purporting to be you to have them do with it) are regularly audited and reviewed, at least by internal teams at Apple.
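The iForgot flaw described earlier was a multi-step reset flow whose final step could be reached without the security-question step having actually been passed. The following added example (not Apple's code; the account, date of birth and question answers are constructed placeholders) shows the defensive pattern that prevents that class of bug: each step's completion is recorded only in server-side state keyed by an opaque token, so nothing in a URL or form field can assert that an earlier step was done. It also enforces the password policy quoted above.

```python
import re
import secrets

# Constructed sample account: the date of birth and question answers are
# placeholders, not real data.
ACCOUNTS = {
    "user@example.com": {
        "dob": "1990-01-01",
        "answers": {"q1": "fido", "q2": "paris"},
        "password": "old-password",
    }
}
SESSIONS = {}  # reset_token -> {"email": ..., "step": ...}

def password_ok(pw):
    """Policy quoted in the article: 8+ chars, upper, lower, digit,
    and no more than 3 identical characters in a row."""
    return all([len(pw) >= 8,
                re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw), re.search(r"[0-9]", pw),
                not re.search(r"(.)\1{3}", pw)])

def start_reset(email, dob):
    """Step 1: identity check. Returns an opaque token; progress is recorded
    server-side, never in a URL or form field the client controls."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["dob"] != dob:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"email": email, "step": "questions"}
    return token

def answer_questions(token, answers):
    """Step 2: both security questions must match; a wrong answer burns the token."""
    sess = SESSIONS.get(token)
    if sess is None or sess["step"] != "questions":
        return False
    expected = ACCOUNTS[sess["email"]]["answers"]
    # Compare every answer (no short-circuit) in constant time.
    ok = all([secrets.compare_digest(answers.get(q, "").strip().lower().encode(), a.encode())
              for q, a in expected.items()])
    if not ok:
        SESSIONS.pop(token)
        return False
    sess["step"] = "set_password"
    return True

def set_new_password(token, new_password):
    """Step 3: honoured only when the server's own record says step 2 passed.
    The bug in the article was a server that accepted this step on the
    strength of the request alone. A weak password keeps the session for a retry."""
    sess = SESSIONS.get(token)
    if sess is None or sess["step"] != "set_password" or not password_ok(new_password):
        return False
    ACCOUNTS[sess["email"]]["password"] = new_password
    SESSIONS.pop(token)  # single use: the token cannot reset the password twice
    return True
```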
What do other cloud companies do?
All this is good. It compares favorably with other consumer-grade data storage solutions, like Dropbox. But even Dropbox, when it’s had big data breaches, has brought in third parties to review its security. Meanwhile, Apple’s lack of transparency, its unwillingness to open itself up to outsiders or even its own developers and customers, which has served it so well developing new consumer electronics, works against it when it comes to securing the cloud.
When Ars Technica investigated security issues in iCloud last year, it found that "your data is at least as safe as it is when stored on any remote server, if not more so," but that its weaknesses lay in Apple's lack of disclosure of its security processes (even Ars' assessment depends on a fair amount of guesswork), its prioritization of ease-of-use over full security, and its retention of encryption keys to iCloud data on its own servers. Apple's defense has traditionally been that its security processes are "industry-standard." But in the still-young consumer cloud, Apple is one of the leading companies helping to define that standard.
"The reality is that the Apple way values usability over all else, including security," Echoworx's Robby Gulri told Ars. "If you can see it in a browser, they can see it on the server." This means customer data can be made accessible to Apple employees or law enforcement. Gulri, who owns an iPhone and iPad and uses iCloud, recommends that Apple users only make data available to iCloud that they would be comfortable with either of those two groups potentially seeing, like music or photos. He also recommends that Apple, like all cloud providers, have its encryption chains and security processes regularly audited and verified by a trusted third party.
"If you look at companies like Amazon, which is recognized as a cloud provider, and Microsoft, you see that they have very big security teams, they have processes in place," says Green. "Nobody ever talks about what Apple's security process is, and that's partly because Apple is a secretive company and they keep to themselves, but seeing things like [Friday’s hack] makes you wonder if it's because they haven't fully developed their security strategy."
Both Amazon and Microsoft have detailed, extensive, public privacy and security policies for their cloud services. Both companies have every point in their systems audited by independent third parties. They have multiple certifications, which are used both within the industry to establish reliability and to verify that the services satisfy laws governing things like private medical information or use by government services. They permit their customers to deploy their own penetration testing. They’re members of the Cloud Security Alliance, a nonprofit that establishes industry best practices for data security. The CSA also includes Google, Box, HP, Rackspace, VMware, Intel, Adobe, Oracle, and nearly every other company with a significant presence in cloud computing and storage.
Apple’s not part of the CSA. In fact, Apple does none of these things. It doesn’t have or advertise any of the external certifications available for IT security. And Apple won’t disclose how its security audits are conducted, or by whom.
Reached by The Verge, Apple declined to answer whether iCloud security had ever been audited by a third party. Apple won’t disclose whether any part of its cloud security is even audited internally apart from that governing its customer service group. Pressed on these questions, an Apple representative sent links to its public security FAQs, which don’t address them.
It's time for everyone to grow up
Really, consumers should be demanding the same level of security verification and transparency for their data that enterprise customers have come to expect from cloud wholesalers. It’s not just a problem for Apple; Google Drive, Microsoft’s SkyDrive, and Dropbox all face similar issues. But of these, Apple’s cloud storage is the most likely to be switched on by default and remains the least well-understood.
Meanwhile, Apple has also promoted iCloud as a solution for developers to sync data between apps on different devices. Apple doesn't detail its security processes to developers either. The Verge has reported on how Apple hasn’t devoted the technology and personnel resources to make other parts of iCloud’s service competitive and useful. Apple hasn’t been able to keep Core Data in sync, and the company hasn’t been responsive to third-party inquiries and complaints. In "A tale of two iClouds," Matthew Panzarino tries to distinguish between the (good) iCloud that Apple uses for its own services and the (bad) iCloud developers use, but when it comes to security issues and third-party auditing, there is no distinction. There are simply two instances of the same pattern.
In the absence of concrete, concerted demands from customers, developers, security experts, and the wider technology community, change is unlikely. "Microsoft has taken a lot of flak over Windows security vulnerabilities, and it's become a problem for their brand," says Green. "In response to that, they developed a security process. Not necessarily because they wanted to, but because they had to: because if they did not do it, then they were at risk in terms of their perception in the marketplace," he explains.
"I don't know that Apple has really faced that same kind of pressure," Green adds. Apple executives "need to recognize that they are the guardians of people's data, that that data is important, and that obviously, nobody expects them to be perfect, but they should start to at least educate their users on what the risks are and what the limitations of what they're doing are."
Apple needs to demonstrate that its cloud can be counted on. All the evidence suggests that much like Apple Maps or MobileMe, iCloud simply isn’t at the level of polish and performance we’ve come to expect from Apple. Security is just a symptom.
There are three components to Apple’s business: hardware, client software, and cloud services. Apple currently does two of these things very well. iCloud acts as if it "just works." In reality, much of it is very broken.