How safe is my iCloud?
With the recent compromise of celebrity accounts on Apple’s iCloud, most likely due to a vulnerability that allowed unlimited brute forcing, there is understandably some debate about how such services can be used securely. Whilst as security professionals we inevitably come back to the point that no technology will ever be 100% secure, it does appear that in this instance the attack was relatively trivial in nature. What made it so effective was that victims (and many users alike) were unfamiliar with
the syncing process used in Apple devices. Although only iCloud was affected in this instance, other mobile services such as Google Drive used by Android and Chrome do have similar features and may be targeted in a similar fashion.
It’s quite easy to get into the realms of victim blaming (which isn’t necessarily fair – after all, who deserves to have their private life splashed all over the Internet without recourse?). More importantly, a lot of people will now be wondering “how safe is my iCloud account?”
As such, we’ve pulled together a couple things that, as a security company, we might recommend to help limit your exposure.
First things first: check whether your device is configured to synchronise with a cloud service, such as iCloud, Google Drive, or Dropbox – make sure you know where your photos/information is stored.
Next, think, do you really need internet access to your data? If it’s not required, don’t use it. Its one less place for somebody to gain access.
Also, don’t be afraid of password managers such as KeePass or LastPass and make sure your password is strong and unique. No birthdays or pet names!
The obvious (yet mostly ignored) one; avoid connecting your device to “public” wireless access points.
Avoid using your “real” date of birth etc. on public forums such as Facebook.
Avoid using any publicly available information for building passwords, passphrases or security questions that could be employed in the account password restore process.
If you need to sync data between multiple devices, try only to use applications and services that support two factor authentication and ensure that it is enabled.
For services that store files, encrypt data where possible before you upload it.
Regularly review the data you store and remove any that is no longer required.
If you can only take one thing away from this, then let it be two factor authentication!
Whilst most of this advice should be self explanatory, we realise that two factor authentication (2FA) may not be something that all of our readers will have come across before.
What 2FA does is enforce an authentication model where “something you have”, e.g. a phone or physical token, is employed in addition to “something you know” i.e. your password. In the case of Apple iCloud, Google, Facebook and Twitter, for example, your account is tied to your mobile device. When it is enabled, any attempt to authenticate from an “untrusted” device to any of these services (and others like them) will result in a text message being sent from the service to your phone containing a magic number that must be entered into the “untrusted” device before you can continue.
2FA configuration for common services can be found at:
You will need to be logged in to access these configuration options.
Other services will likely have similar functionality that can be employed.
Don’t just assume your device is safe or that it won’t happen to you, be active in protecting your information and you can enjoy your devices without the worry of an invasion of privacy.