Apple Security Upgrade: Hits and Misses

Apple Pay Gets High Marks, But Full iCloud Fix Still Missing

Security experts have lauded many of the information security and privacy changes introduced this week by Apple as part of its unveiling of iPhone 6, iPhone 6 Plus and Apple Watch.


In addition to a raft of security improvements planned for the upcoming release of iOS 8, Apple has introduced updated biometric fingerprint readers for its devices, which will be required to make payments using the newly announced Apple Pay payment system.

But some security experts say Apple's many announcements this week failed to fully address the iCloud vulnerability that was exploited by hackers who released celebrity photos that had been stored on iOS devices. Plus, an unresolved iOS vulnerability means that data stored on locked devices can still be retrieved using digital forensics tools.

New Features

Many of Apple's security-related moves had been well-documented before being officially announced this week. Those include HomeKit, which is Apple's framework for managing Internet of Things devices, and HealthKit, which stores a user's health and fitness data in encrypted form on a device, including the newly announced Apple Watch. But with the release of the iPhone 6, Apple has now also tweaked the TouchID biometric fingerprint reader built into the device.

More detailed reviews and teardowns of those features will have to wait until Apple begins selling devices built to use the services - and releases iOS 8 - this fall, followed by the release of Apple Watch in early 2015.

Sizing Up Apple Pay Ecosystem

Apple made a big splash with its announcement of the Apple Pay payments platform, which taps near-field communication technology built into the forthcoming iPhone 6, iPhone 6 Plus and Apple Watch.

Despite some details still being scarce, reaction to the new feature has been largely positive, both from a security perspective - including Apple not storing or transmitting any credit card numbers - as well as on the payment card ecosystem front, including backing from industry powerhouses Visa, MasterCard and American Express.

"It's the most secure combination of technology that we've ever deployed," James Anderson, group head of mobile product development at MasterCard, tells The Wall Street Journal.

Based on the details that have been announced to date, Apple's approach sounds quite secure, many experts say. "Apple is doing NFC right, that is, by one-time token passing rather than simply passing the credit card number," says security consultant William Hugh Murray. "This requires partners. As they did with music labels, they have lined up a big enough list of key brands to achieve critical mass."

The country's four biggest banks - including JPMorgan Chase and Bank of America - have signed on to Apple Pay, and five more should be compatible with the system soon after it launches. Discover has also tweeted that it's in discussions to become compatible with Apple Pay.

Just one problem: Currently, only 2.4 percent of U.S. retailers have point-of-sale systems compatible with NFC. Apple CEO Tim Cook acknowledged as much during the Sept. 9 Apple event, saying only 220,000 stores - including McDonald's, Staples, Subway and Target - will be able to accept Apple Pay when it launches.

Still, payment-fraud expert Tom Wills, who runs Singapore-based firm Secure Strategies, says strong support for Apple Pay from those card issuers and retailers means it will have a good chance of succeeding, despite previous attempts to spark mass adoption of smart phone-based NFC payments, such as Google Wallet. "The other strong feature is that Apple Pay is designed to work with both physical point-of-sale and e-commerce transactions via a single consumer wallet."

Fingerprint Secures Payments

Of course, NFC credit and debit cards are already available. But the other notable feature of Apple Pay is that it will only work with the latest version - built into iPhone 6 and iPhone 6 Plus - of Apple's TouchID biometric fingerprint reader, or else with Apple Watch, which will pair with the iPhone 5 and newer devices. "There's extra safety compared to using your NFC credit card: on the iPhone, you'll need to tap to pay with your finger on the fingerprint scanner," says Paul Ducklin, who's head of technology for Asia Pacific at security vendor Sophos. "So even if someone steals your unlocked phone, chances are they won't be able to tap to pay in place of you. That's not the case with an NFC credit card, which has no way of deciding whether you or a thief is holding it."

NFC expert Randy Vanderhoof, who's executive director of the Smart Card Alliance, notes: "The use of the secure element to store [a] device-specific account number and the biometric authentication of consumers raises the bar for transaction security on a mobile device."

Waiting For iCloud Patch

While Apple this week debuted a number of new products, services and features, it didn't address one highly publicized security problem: a valid username and password are all that is required to access device backups stored on iCloud.

The hackers behind the recent celebrity photo leak appear to have obtained the images by compromising celebrities' actual usernames and passwords, using malware and social engineering attacks. With those credentials - and easily available software tools - the attackers were able to retrieve celebrities' iCloud backups and extract all data, including images and videos, stored therein.

To prevent those types of attacks, security experts have recommended that Apple begin restricting access to those backups, using two-factor authentication, or encrypting all backups using a separate password. But both of those fixes would take time to develop.

"It was a bit disappointing that Apple didn't announce anything more for securing iCloud accounts. But realistically, they were quick to issue a statement explaining their position and initial investigation," says Bob West, chief trust officer at cloud security vendor CipherCloud. "Anything more would have to be on the technology side."

Surveillance, Privacy Risks Fixed

Apple has previewed many of the new features and functionality to be found in iOS 8, which is the latest generation of its mobile operating system, due to be released in October.

But what Apple didn't highlight this week were the numerous under-the-hood security and privacy fixes it's made to iOS 7, says iOS digital forensics expert Jonathan Zdziarski in a blog post. In particular, Apple has now addressed "a number of risks for wireless remote surveillance, deep logical forensics, and other types of potential privacy intrusions fitting certain threat models, such as high profile diplomats or celebrities, targeted surveillance, or similar threats." Zdziarski first brought those iOS 7 vulnerabilities to light via a research paper released in March.

Based on his tests of the most recent beta version of iOS 8, Zdziarski says Apple appears to have addressed almost all of the flaws he spotted, which could have been used not just to spy on phones, but potentially also to jailbreak them. In particular, there was a risk of the File Relay service being used for "dumping large amounts of personal data from the device and bypassing the user's backup encryption password."

While the File Relay service still exists in iOS 8, Apple now appears to have disabled both wireless and USB access to the service, Zdziarski says. "This is good news for consumers, as it not only eliminates the risk of wireless surveillance through this mechanism, but also prevents law enforcement forensics tools from accessing this information - at least in their present form."

Forensics Risk: Application Sandboxes

But Zdziarski says one vulnerability Apple has yet to address is the ability to access application sandboxes on iOS devices. Currently, even when an iOS device is locked, iTunes can still access applications, for example, so that it can synchronize data with the device.

That feature has obvious usability upsides, because it allows users to sync their phone without having to unlock it.

But numerous third-party digital forensics software developers - including AccessData, Cellebrite, Elcomsoft and Oxygen - have piggybacked on that feature and created tools that are able to extract data from locked iOS devices. At least for now, that vulnerability remains.

News Writer Jeffrey Roman contributed to this story.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



