Apple is still fighting a hotly-debated legal battle over law enforcement requests to bypass encryption on its iPhone handsets. But the consumer electronics giant is also reportedly working to strengthen the security of iCloud, which is currently the weak link in Apple’s arsenal.
This is important for two reasons. First, iCloud has already been hacked, sort of, via phishing attacks aimed at celebrities. And second, because Apple does hold the encryption keys for iCloud, it cannot refuse—and, to date, has not refused—law enforcement requests for data held there.
That could be changing, according to a report in the Wall Street Journal.
Apple’s plan—only vaguely stated in the report—is to improve the security in iCloud so that not even Apple can access encrypted customer information stored in the service. But doing that comes with risks: If a user forgets their password and other security information, it’s possible that they could lose a lifetime of photos or other important personal data. So the trick is an age-old one: Improve security while not harming users or making the system too complex to use.
This is important because most iPhones are configured to automatically backup their data to Apple’s iCloud service. And iCloud, to date, has been left wide open, with Apple proving to be much more forthcoming in providing iCloud-hosted data to law enforcement, in part because it really does have access to that information.
More topically, Apple’s iCloud also sits at the center of the San Bernardino terrorism case: The terrorist in question manually turned off automatic iCloud backups from his iPhone a few weeks before the attack. So while Apple was able to give law enforcement the data in those older backups, it has refused to break past the controls on the iPhone that would let the FBI hack into the phone and gain access to newer data and whatever clues or information that might provide.
Now, it is working to cut off its own access to iCloud data, in effect putting the same controls on the cloud that it current provides on its hardware. The plan, it appears, is to simply take itself out of the equation when law enforcement needs help.
“This is another example of Apple taking steps to better secure its products, while contemporaneously reducing its role in government investigations,” a former federal prosecutor told the Wall Street Journal.
In an op-ed piece in The Washington Post last week, Apple senior vice president Craig Federighi never mentioned iCloud or “cloud” explicitly. But he did state that “security is an endless race, one that you can lead but never decisively win.” And by encrypting iCloud and throwing away the keys, so to speak, Apple could stay ahead of “those who would exploit technology in order to cause chaos.” That’s a more positive position than blocking law enforcement, of course.
But Apple has already experienced some of that chaos. In September 2014, when an anonymous individual—now known to be 36-year-old Ryan Collins of Pennsylvania—leaked hundreds of explicit and private images of celebrities online. Mr. Collins had accessed dozens of iCloud accounts over a two-year period, obtaining the pictures without being detected. And he didn’t hack iCloud using traditional methods: Instead, he used a social engineering technique called phishing in which he posed as an Apple employee and emailed celebrities directly. In doing so, he gained the information he needed to access their accounts, along with their private photos.
Apple didn’t really improve the security of iCloud in the wake of these attacks, so it’s curious that it would do so after a publicly-challenged and legitimate law enforcement request. But then encrypting iCloud won’t prevent phishing attacks, either. All this change can really do is make the data safer from the prying eyes of law enforcement.
Regardless, court hearings about the iPhone encryption issue begin next Tuesday, on March 22. Yes, one day after Apple is expected to launch a new iPhone model.