Apple: Untrustable

As excitement of Apple’s new product announcements dominate today’s press coverage, and the memory of the celebrity iCloud hacks fade to obscurity (already seemingly long forgotten), completely un-remarked and un-addressed at today’s event (a good PR move, to be sure), I felt it might be worth posting some of my personal thoughts on the matter, as the silence from Apple on the issue has been quite disquieting.

To be clear, I’m a long-time fan of Apple design and engineering, and today’s keynote is a reminder of
Apple’s best-in-class in hardware and device software. I also own a not-insignificant amount of AAPL shares, but while I’d like to give them the benefit of the doubt, it seems to be increasingly clear that Apple should not be trusted with my personal information.

It’s famously well known that despite their technical prowess in hardware and software, Apple is just not very good at hosted services. Terrible at it really. From their earliest web-based apps, to their ongoing capacity problems, or their laughable attempts at building social services (Ping, anyone?), Apple’s online components are sometimes passable or on par, but more commonly they are mediocre, not-well thought out, clunky, outdated, or just plain broken; “not serious,” was the phrase a friend used. The problem is that today, the online components are as integral to a product as the device hardware or software. They are bound together, and sadly, the weakest link will cause the chain to break. Also, unfortunately, these traits seem to carry through for security for these services as well, which is definitely serious.

Over two years ago now, a friend, Mat Honan, had his Apple account (and digital life) hacked, in much the same way (via an almost identical vector) as the recent celebrity hacks. He’s a journalist, so he wrote all about it, and got a fair amount of press along the way, appearing on news shows, getting writeups, and generally making a big hubbub about it.

If you’re not familiar with that incident, it’s worth taking a look. Also worth reading is some of the analysis on the latest compromises:

Apple issued a terse official statement last week which denied any “breach” in any Apple systems and claimed that the accounts were compromised due to “targeted attack[s].” From a lawyerly perspective, this is perhaps technically accurate, aimed at deflecting blame and absolving responsibility, if not liability. Of course, like most such statements, especially looked at in context of the afore-mentioned writeups, it is quite misleading.

The attacks used to reset passwords via security questions and acquire iCloud access and backups were so frequent and common-place that discussions and communities had formed not just on the darknet, but on public forums/websites.

Either Apple’s security was so incompetent or negligent that they have not been aware of what was going on, or they knew, but actively ignored the issue and decided that it was not worth fixing. I’ll leave it to the reader to decide which scenario is worse.

Today, Apple announced their “Most Personal Device Ever”. They also announced Apple Pay (the only mentions of “security” and “privacy” in today’s event), and are rolling out health tracking and home automation in iOS 8.

Given their feckless track record, would you really trust Apple with (even more of) your digital life?

Some notes:

  • Last week, the same day where the big Apple news was the hiring of designer Marc Newson, Mike Hearn published a fascinating writeup of his anti-spam/abuse work at Google. Maybe unfair, but it struck me as an interesting contrast.
  • Over the years that these compromises have been happening, I haven’t heard of anyone that has been informed by Apple of a compromised account, or any information on their customer-facing forensic abuse team. Ignoring the larger issues of systemic security-holes (Apple can talk about “no breaches” but between non rate-limited/info-leaking endpoints, allowing resets via VPNs, lack of device pinning/access notices, they’ve left the door wide open for widely known attack vectors), what kind of support does Apple give you once your information is stolen?
  • Much hoopla has been made on 2FA. iCloud’s 2FA is less useful than you might think.
  • Not Safe For Not Working On – Dan Kaminsky writes about some of the implications of cloud security; also worth a read is What if I was a cloud? by iBrute‘s author. It’s obvious that cloud services need to seriously rethink how they store and authenticate personal information.
  • If you’re not already using fake security answers to security questions, you should. If you are, it may also be worth considering using a password manager to store unique nonsense answers for those questions