Devastating Report Says Apple Is Being Dangerously Secretive About iCloud Security


If you think that last week’s huge security hole that allowed anyone with your Apple ID email address and birth date to reset your password was just a fluke, this damning report by Tim Carmody over at The Verge might just change your mind.

It’s a compelling argument that says that Apple is being extremely negligent and sloppy when it comes to your iCloud data’s security.

The piece is far too long and detailed to fully summarize here, but this is the major point of the piece:

Consumers should be demanding the same level of security verification and transparency for their data that enterprise customers have come to expect from cloud wholesalers. It’s not just a problem for Apple; Google Drive, Microsoft’s SkyDrive, and Dropbox all face similar issues. But of these, Apple’s cloud storage is the most likely to be switched on by default and remains the least well-understood.

Why is this a big deal? Because no one knows how Apple is protecting their iCloud data, there’s no reason to trust Apple beyond their past history… and Apple’s past history with both the cloud and security isn’t good. Last week’s password reset SNAFU was so dumb and obvious that it’s the equivalent of being robbed after leaving your window open. How many other exploits like this exist, just waiting to be found?

The stakes are very real, because Apple is a high-profile target that stores massive amounts of personal and financial data on each and every one of its customers on its servers, by default:

With an unlocked Apple ID, data can be harvested either through services like email or iMessage, or more likely by cracking open cloud backups of users’ devices. These backups contain app data, app and system settings (but not passwords), as well as photos and videos, text messages, voice mails, and other data…

It would be easy to retrieve copies of device backups, documents, contacts, mail, and messages from the cloud but otherwise leave a user’s profile intact; by the time a user knows something is amiss, he or she would only be aware that his or her old password is no longer functioning. Criminals don’t need continued access to users’ digital identities if they can browse full copies of their cloud data at leisure. Even strong encryption can be broken when time is no longer a factor.

The Verge makes a strong argument that Apple needs to be held publicly accountable for the security of the iCloud, and submit to third-party audits just like Google, Amazon, Microsoft and other cloud service providers. The stakes here are just too important for Apple to be secretive about.

What do you think? Do you agree? Let us know in the comments.


About the author

John Brownlee is a Contributing Editor. He has also written for Wired, Playboy, Boing Boing, Popular Mechanics, VentureBeat, and Gizmodo. He lives in Boston with his girlfriend and two parakeets. You can follow him here on Twitter.
