Three Things Apple Can Do to Fix iCloud's Awful Security


Apple’s reality distortion field makes for epic product launches. But it doesn’t keep sext-snatching hackers out of your iCloud account.

As the glow of Apple’s new iPhones and watch announcements fades, the company has yet to fix the security issues that resulted in a highly public violation of its users’ privacy: the leak of dozens of nude photos of celebrities including Jennifer Lawrence and Kate Upton, seemingly stolen from iCloud backups. And as the photos spread across the web last week, the conversations on scummy forums devoted to hacked nudes like Anon-IB made clear that Apple’s security weaknesses were still being exploited.

Chief executive Tim Cook has vowed to tighten the company’s protections for its users’ private parts. Users will be sent an email when someone restores their iCloud account from a new device, a warning that Apple neglected to send in the past, he told the Wall Street Journal. And its two-factor authentication system, which requires the user to have access to a temporary code sent to his or her phone, will be extended to iCloud and more strongly suggested to users. Apple didn't respond to a request for more information on the new measures, which are expected to kick in this week.

But Cook’s promised changes sound like band-aids, not fundamental fixes. Warning users after a hacker has already gained access to their account isn't exactly reassuring. And practically speaking, the vast majority of users won’t turn on a technical-sounding feature that adds another hurdle to their login process. “I wouldn’t be surprised if the adoption rate remains at less than one percent, and people still get hacked,” says Nik Cubrilovic, a Sydney, Australia-based security consultant who wrote a deep analysis of the iCloud hack earlier this month. When Cubrilovic added two-factor authentication to his own iCloud account, he says he waited three days for it to come into effect. “What’s the awareness rate? How many people are going to sign up and wait three days? But next time someone gets hacked, Apple can shift the blame. They can say ‘it’s out of our hands.’”

Instead of that security theater performance, Cubrilovic and others who have tracked Apple’s security nightmare suggest a few unorthodox changes that go to the root of iCloud’s leaks.

Kill the Security Question

Asking users about their “first job,” “first car” or “city where your parents met” to reset their password has long been a laughably weak link in authentication schemes. Those answers are far more easily guessed or dug up with research than a password---especially for celebrity stalkers or those hacking their acquaintances or ex-significant others. Password reset questions are the idiocy that led directly to the devastating hack of WIRED’s Mat Honan two years ago, and nothing has fixed them since.

Far safer is to require that users who forget their password retrieve a reset link from their email. And in the slim subset of cases where users no longer have access to that email address, their snail-mail addresses can serve as slower stand-ins, argues iOS forensics expert Jonathan Zdziarski. If Apple requires users to keep a physical mailing address on file, Apple could mail them a one-time recovery key. To cover the cost of the stamp, he suggests Apple even charge users the shipping costs. “If you’re daft enough to not only lose your password but also access to your email, you should have to pay 50 cents or a dollar to mail you that piece of paper,” Zdziarski says. “Call that the ‘stupid tax.’”

Make Password Delinquents Show Up in Person

Cornell computer security professor Ari Juels has a suggestion for a faster last resort recovery method: Demand that password amnesiacs prove their identity in person.

People are accustomed to having to prove their identity with physical documents, argues Juels, who recently left a position as chief scientist at authentication security firm RSA. And Apple already has a network of meatspace retail outlets across America and Europe. So it could require users who want to reset their password to show up at one of its Genius Bars to prove themselves. To extend the fix to places without Apple Stores (sorry Wyoming, Montana, and the Dakotas) Apple could partner with post offices and banks---what Juels describes as “authentication authorities.” The company even has some of those relationships already: As it announced last week, its Apple Pay system will require users to go to a cooperating bank branch to add a new credit card number to their phone.

Juels admits that showing up in person is less convenient than security questions. But faking physical identification is far harder than Apple’s paper-thin safeguards against digital impersonation. “For the moment, convenience is king, and it’s not convenient to show up at the Apple Store to recover your password,” says Juels. “But eventually the problem may be so acute that we do try physical presence.”

Make Two-Factor the Law of the Land

With those new recovery options in place, Apple could then make its two-factor authentication more than a fig leaf. Instead of merely allowing or even encouraging users to turn it on, it could make two-factor the default for all new accounts, suggests Cubrilovic. “There’s practically no reason why they can’t do that,” he says.

Requiring a second device to generate temporary login codes would close off most account takeovers even when users have weak passwords or fall for phishing attacks that trick them into giving up their credentials. (A sophisticated phisher could steal the temporary code, too. But the code is only valid for a short window and for a single login, so the attacker would have to use it immediately, which makes the attack far less practical.)
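The reason a phished code is worth so little follows from how time-based one-time codes work. The block below is an added example, not Apple's code (Apple has not published how its verification codes are generated); it implements the RFC 6238 TOTP algorithm that common authenticator apps use (HMAC-SHA1, 30-second steps, 6 digits) and a verifier that accepts a code only within a one-step tolerance window and only once, so a code captured by a phisher is useless after about a minute and useless immediately if the victim has already used it. The 30-second step, the one-step tolerance and the `SecondFactorVerifier` class are assumptions chosen for the example.

```python
"""Time-based one-time codes with single-use enforcement.

Added example (not Apple's code). RFC 6238 TOTP over HMAC-SHA1 with
30-second steps and 6 digits; the verifier tolerates one step of clock
drift either way and records the last accepted step so that a replayed
code is rejected. Step size and tolerance are assumed defaults.
"""
import hashlib
import hmac
import struct

STEP = 30        # seconds per time step (assumed, the usual default)
DIGITS = 6
TOLERANCE = 1    # also accept the previous and next step (clock drift)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP (RFC 4226) computed over the counter floor(t / step)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SecondFactorVerifier:
    """Server-side check of a code typed in from the user's second device."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._last_accepted = -1     # highest time step already consumed

    def verify(self, candidate: str, unix_time: int) -> bool:
        """Accept a code once, inside the tolerance window. Any step at or
        below the last accepted one is refused, which defeats replaying a
        code the attacker captured moments earlier."""
        current = unix_time // STEP
        for counter in range(current - TOLERANCE, current + TOLERANCE + 1):
            if counter <= self._last_accepted:
                continue
            expected = totp(self._secret, counter * STEP)
            if hmac.compare_digest(expected, candidate):
                self._last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret, used here only as a constructed sample.
    secret = b"12345678901234567890"
    t = 1234567890
    code = totp(secret, t)
    v = SecondFactorVerifier(secret)
    print("victim logs in:   ", v.verify(code, t))        # True
    print("phisher replays:  ", v.verify(code, t + 5))    # False, already used
    w = SecondFactorVerifier(secret)
    print("phisher, 1 min on:", w.verify(code, t + 60))   # False, window closed
```

Two things make the stolen code cheap: the window is seconds wide, and the verifier never accepts a time step twice. A phisher who relays the code in real time can still get in, which is why the text says "less practical" rather than impossible; hardware tokens bound to the site's origin close that gap, but that is beyond what the article proposes.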

For existing users, Apple could aggressively remind them to set up the second-device security measure rather than offering polite suggestions. And Cubrilovic also calls for Apple to cut the three-day wait time to put that measure in place, which doesn’t exist with similar services from Twitter and Google.

The barrier until now to universal two-factor authentication has been the risk that users might be permanently locked out of their accounts if they lose their second device and also can’t access their email. But Zdziarski’s and Juels’ ideas of snail-mail and in-person password resets could solve those corner cases.

The full set of new security measures they suggest would require Apple to invest in serious new infrastructure and user education. But Zdziarski argues that Apple owes it to its customers to take their security seriously, rather than treat them as hackable dolts. “Apple is the biggest company in the world right now. They should already be implementing these solutions,” he says. “To some degree, they’ve underestimated the sensitivity of users’ data. If you value it, you’re going to need to take steps to protect it.”