After a series of nude pictures and videos was leaked to the public via iCloud, Apple plans to adopt new security features in the coming weeks. The move is designed to counter the methods used in a mass theft of sensitive photos of more than 100 women, including Jennifer Lawrence, Kate Upton, and Mary Elizabeth Winstead.
The company will use email and push notifications to alert users when someone tries to change an account password, restore cloud data on a new device, or connect an unfamiliar device to an existing Apple account.
CEO Tim Cook told The Wall Street Journal that the new notifications would start in two weeks, and users would be empowered to take back the accounts immediately.
Apple also plans to widen its use of two-step authentication. That option, available on most email or file-sharing platforms, is a second, temporary password that usually arrives in the form of a text message.
Cook has concluded hackers were able to force their way into the photo collections through phishing attempts, guessing passwords or figuring out answers to the celebrities' security questions.
Well-guarded systems only let users guess passwords a handful of times before blocking access. But until this week, Apple's iCloud service allowed people to guess passwords over and over again. It would never lock out. Eventually, hackers hit it right.
Apple, however, assured the public the hackers did not break into the company's core computer systems, which house all of its users' data. So iCloud itself was not hacked.
The problem is that there is an easy way around two-step authentication, so it will not keep hackers out of your account.
Anyone can grab any Apple device, synchronize it with your iCloud account and download all of your private files. All it takes is your username and password. That sounds like a lot, but it's actually the very thing two-step authentication is meant to prevent. For iCloud, two-step authentication is currently useless.
That's why Cook is wrong to say the problem lies with users - not Apple's system.
"When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece," he told The Journal. "I think we have a responsibility to ratchet that up. That's not really an engineering thing."
The revelation that Apple can't keep your data private is terrible timing. The company is expected to unveil several products and services on 9 September 2014, all deeply interconnected with data sharing - and requiring your trust.