Enlarge image
Advanced data protection in iCloud: Secure even if Apple's servers are hacked
Photo:
Apple
Hacker attacks are becoming more and more sophisticated and complex, and Apple knows that too.
The company can no longer ignore even state-controlled or supported operations, as comparatively rare as they may be.
That's why it tightened its security measures for iMessage and iCloud - to the annoyance of authorities.
The three new features are called iMessage Contact Key Verification, Security Keys for Apple ID and Advanced Data Protection for iCloud.
Translated, this means in detail:
iCloud gets end-to-end encryption
that goes further than before.
In the future, instead of 14, 23 data categories in Apple's cloud service will be encrypted in such a way that they can only be decrypted on the user's devices classified as trustworthy from which the data was originally uploaded to iCloud.
Even if Apple's cloud servers were hacked, the perpetrators would not be able to do anything with the data stored there.
The FBI is not amused
New additions include photos, notes and entire backups of devices.
So far, this has been the easiest way for investigators to get data from a suspect if they used the cloud service, knowingly or unknowingly: Because Apple itself owned the keys, the company was able to release user data from the backup at the request of the police and did that too.
This also included iMessages that could be read in plain text, which were end-to-end encrypted during transmission and therefore could not be easily intercepted and read.
Apple is blocking this detour in the USA from now on, in the rest of the world at some point in early 2023, as the Cupertino-based company announced.
Prosecutors are unlikely to be enthusiastic about this.
The US federal police told the Wall Street Journal: “This limits our ability to protect US citizens from criminal acts such as cyber attacks, violence against children, drug smuggling, organized crime and terrorism”.
The authorities need an access option »by design«.
From the user's point of view, the possible release of data could already be avoided by using only backups stored locally on the company's own hardware - a possibility that will also be retained in the future.
However, the extended protection function also has its limits: E-mails, contacts and calendar entries in iCloud will not be end-to-end encrypted in the future either.
Apple cites technical reasons for this.
The support of hardware security keys for the Apple ID
(Security Keys), also
announced for early 2023 , as well as
contact key verification for iMessage
(Contact Key Verification), is primarily intended for users who are particularly at risk.
Apple cites media professionals and politicians as examples.
According to the company, 95 percent of all Apple customers already use two-factor authentication to secure access to their Apple ID.
In the future, external security keys that meet the current FIDO standard can be used as a second factor.
Apple wants to prevent the second factor, together with the password, from reaching unauthorized persons, for example through successful phishing, which would allow them to log into the account from a new device.
Apple will do it like Signal in the future
The upcoming verification of participants in an iMessage chat is reminiscent of the Messenger Signal: If third parties succeed in linking into such a chat, the participants will receive a warning that an unknown device has been added to the conversation.
If you want to be sure that you are really communicating with the person you want, you can start by comparing a code displayed in iMessage – on a different channel.
If the other person says a different code on the phone, someone else is trying to pretend to be that person in the iMessage chat.
After the introduction of "blocking mode" in July, which is intended to protect against surveillance Trojans, Apple is again expanding its options for iPhone users who have to fear sophisticated hacker attacks (regardless of who) against them.
All new functions are
opt-in
, i.e. not automatically active.
All participants in a chat must have contact key verification activated.
As the "Wall Street Journal" further reports, Apple is discontinuing the development of another function: the intention, first announced in August 2021, to automatically scan photos of all iPhone owners for depictions of child abuse
when uploading them to iCloud
, will not further pursued.
While the plan was welcomed by law enforcement agencies, it was heavily criticized by civil rights organizations and others.
