There are still many unknowns surrounding the leaked celebrity nudes. While Apple appears to have ruled out a theory that a Find My iPhone vulnerability allowed easy brute-force password attacks, some commentators are suggesting that the wording was sufficiently vague that this may indeed have been one route in. (Apple might be arguing that it’s not a breach if the correct password was required.)
But one thing does now appear clear: rather than a single hacker gaining wide access to iCloud, the photos were instead amassed over time by a number of different individuals likely using several different approaches. Phishing was doubtless one of them – some of the claimed emails from Apple are reasonably convincing to a non-techy person – but another was almost certainly to exploit one of the greatest weaknesses found in just about every online service, including iCloud: security questions.
[Update: Tim Cook has confirmed these were the two methods used] …
Security questions were, when first introduced, a fairly obvious solution to a common problem: people forgetting their passwords. The typical 9to5Mac reader probably uses a password manager to have strong, unique passwords for each site, but the average person on the street doesn’t. They either use the same password for almost everything, or they do their best to use different passwords and end up forgetting half of them.
Why security questions are hopeless
The problem, of course, is that if the legitimate owner of an account can use security questions to reveal or reset their password, so too can anyone else. Which wouldn’t be a problem if we could choose our own questions, and set them to things so obscure not even our best friend could guess the answer, but that’s generally not the case.
iCloud is a case in point. iCloud requires you to select three security questions, but each one has to be selected from a choice of just six questions (I’ve pulled all three sets into a single graphic for convenience):
Now, I’m not going to get specific here by revealing any personal information, so I’m going to use made-up examples, but I’m betting that most people can’t answer half of these questions. For example, did you have just one favorite singer or band in high school, or did it change numerous times? Can you remember the first film you ever saw in a theater? Do you have the faintest recollection where you flew to the first time you went on a plane?
So in reality, the choice of questions open to us is even smaller than it first appears.
Of the remaining questions, how many of them are known to multiple people? If you have a dream job, chances are you’ve mentioned it to quite a few friends. Your childhood nickname is known by everyone who went to school with you, and maybe to all of your friends today if you’re still known by the same nickname.
Of the ones that aren’t known, how many could be googled by someone who knows you? How many of them, in fact, can be found on your Facebook page?
If you’re a celebrity, the situation is a thousand times worse because you’ve given countless interviews where you’ve likely revealed all kinds of trivia about yourself, like your first pet or the model of your first car or … Well, most of these questions, in fact. Even if you haven’t answered the question yourself, there are numerous fan sites where people post trivia they’ve unearthed.
So security questions are a terrible form of protection for most of us, and an absolutely hopeless one for celebrities.
Ok, you might argue, but iCloud – like quite a few other online services these days – offers the alternative of two-factor authentication. I use it myself, of course, and the more observant will have spotted that’s how I grabbed the security questions above: by pretending I wanted to switch it off.
For anyone unfamiliar with it, two-factor authentication requires you to enter a one-time code to access a service. This code might be generated by an app (Google Authenticator is a popular one) or sent as a text message, for example. But while iCloud offers two-factor authentication, it doesn’t require it for everything. It doesn’t require it for rather critical things, indeed.
I managed to spill wine on my iPhone a couple of days ago, effectively killing it. So yesterday I went to an Apple Store and took advantage of the fixed-price repair option to get a replacement (so at least I’ll have a shiny new one to ebay when I get an iPhone 6). In the store, I needed to use iCloud to first remove the old phone from my list of devices, and second to restore the iCloud backup to the new phone. Despite the fact that I accessed my iCloud account on an unknown device (a MacBook in the Apple Store), I didn’t need two-factor authentication for either task.
[Update: Apple will use push notifications to alert uses when a device is restored or someone logs into iCloud from an unknown device.]
What should Apple do?
There is always a balancing act to be achieved between security and convenience. We could make iCloud, or any other service, incredibly secure by doing things like requiring a 256-character password with no elements within it found in a dictionary, require us to change that password monthly and add in compulsory two- or even three-factor authentication.
That kind of extreme clearly isn’t realistic, so we have to strike a sensible balance between protection and usability.
Apple is well aware of this. It’s the reason it introduced Touch ID on the iPhone 5s – because too many people either weren’t using a passcode at all or were setting too long a time-out, giving a thief plenty of time to gain access.
Touch ID will appear on the new iPads launched in the fall, and it can only be a matter of time before it makes it to Macs too. But I think there are four more things Apple should do.
First, make two-factor authentication the default option for everything, and mandatory for critical things like accessing iCloud on an unknown device and restoring from an iCloud backup. Sure, we might need workarounds for the worst-case scenario – an iPhone is the only Apple device someone owns and they just lost or destroyed that – but where two or more devices are owned, there is certainly no reason not to require confirmation via a second device.
[Update: Apple will be “aggressively encouraging” users to use two-factor authentication]
Second, allow people to choose their own security questions rather than select them from a dropdown. Then they can choose things that only they will know, and can make them as obscure as they wish.
Third, there was a really good specific idea posted by the ACLU today (via Gizmodo): build in a Private mode to the standard camera app. If someone wants to take a … sensitive photo, they can flip a toggle and that photo is stored only on their phone and excluded from iCloud backups.
Fourth, fix a vulnerability pointed out by Business Insider: stop confirming to anyone who wants to try that a particular email address is an Apple ID:
Steps you can take in the meantime
There are a number of things you can do to increase your own security in the meantime.
First, if you don’t already have strong, unique passwords for each online service and website you use, set aside a couple of hours to correct that. If you don’t have the time, make it. Online services get compromised all the time, and the first thing a hacker does with a bunch of login credentials from one service is to try them on a whole bunch of other ones. If you’re using a single login for multiple sites, the question isn’t whether you’ll get hacked, only when.
You can’t possibly remember a mass of strong passwords, but it’s painless enough if you use a password manager, and our own guide to will tell you everything you need to know.
Second, if you own your own domain, you can add even greater security to online logins by having unique email addresses as well as passwords. I have a domain I use for accessing online services, and can have whatever I like before the @ – all the emails arrive in the same place – so I have different email addresses for different services. Using a password manager, it’s no more hassle to have a gibberish email address than it is a gibberish password.
Third, don’t use real data unless you have to. If the passport office or my bank asks for my date of birth, I have to use my real one, but that doesn’t apply to the vast majority of websites out there. I have a fake date of birth I habitually use for websites that have no need to know the real one, which reduces my risk of identity theft. I’m so used to typing the fake date, I have to be careful when accessing those few sites that really need the correct one!
Fourth, just because you’re stuck with a limited range of security questions doesn’t mean you have to give truthful answers. Your answers needn’t even have anything to do with the questions, just so long as you have a technique for memorizing them, known as a mnemonic.
For example, when asked for the name of your first pet, you could have a mnemonic that runs pet = petting = first girlfriend. Or mother’s maiden name = maid = Marian. (No, these aren’t mine, I just made them up.)
You do need to remember that balance between security and convenience, of course. You don’t want your two-factor authentication to fail when your iPhone falls into a river and then realize you can’t remember the answers to any of the security questions. But half an hour spent memorizing some links for common security questions can vastly improve your security until such time as security questions are consigned to where they belong: history.
Finally, if you are taking photos you wouldn’t want other people to see, leave your iPhone and wifi-equipped camera alone and use a good old-fashioned non-connected one!