iCloud Backups Not as Secure as iOS Devices to Make Restoring Data Easier

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Mar 2, 2016.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    [​IMG]
    Apple's ongoing fight with the FBI over whether the company can be compelled to help the government unlock the iPhone 5c used by San Bernardino shooter Syed Farook has brought the full range of Apple's privacy policies into the spotlight.

    The details surrounding the case have made it clear that while Apple is unable to access information on iOS devices, the same is not true of iCloud backups. Apple can decrypt an iCloud backup and provide the information to authorities when ordered to do so via a warrant, as it did in the San Bernardino case.

    In a piece posted on The Verge entitled "The iCloud Loophole," Walt Mossberg takes a look at Apple's iCloud backups and explains the reason why iCloud data can't be made as secure as data stored solely on an iPhone or iPad.

    Apple is able to decrypt "most" of the data included in an iCloud backup, and an Apple official told Mossberg that's because the company views privacy and security issues differently between physical devices that can be lost and iCloud. With iCloud, it needs to be accessible by Apple so it can be used for restoring data.
    iCloud backups contain iMessages and texts, content purchase history, photos and videos, device settings, app data, voicemail password, and health data. Backups don't include information that's easily downloadable, such as emails from servers or apps, and while iCloud backup does encompass iCloud keychain, Wi-Fi passwords, and passwords for third-party services, that information is encrypted in a way that makes it inaccessible to Apple.

    Mossberg suggests customers who don't want to upload data to Apple via an iCloud backup make local encrypted backups through iTunes using a Mac or PC, and he points out that other cloud storage services, like Dropbox, are no more secure.

    Mossberg's full exploration of iCloud is available over at The Verge and is well worth reading for anyone interested in the security of data stored in the cloud.

    Article Link: iCloud Backups Not as Secure as iOS Devices to Make Restoring Data Easier
     
  2. Mac 128 macrumors 601

    Mac 128

    Joined:
    Apr 16, 2015
  3. Mums Suspended

    Mums

    Joined:
    Oct 4, 2011
  4. RiddlaBronc macrumors 6502a

    RiddlaBronc

    Joined:
    Oct 14, 2013
    Location:
    Mcallen Tx
    #4
    I dont back up to icloud. At least i hope not.
     
  5. Rigby macrumors 68040

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #5
    Technically Apple could absolutely offer a cloud backup solution where even they couldn't access the data. For example, they could let the user pick a backup password (same as they already do for encrypted iTunes backup) and use it to encrypt the data before uploading to iCloud. Of course this means that users who forget the password couldn't restore their backup, which is why they should probably make this optional and give the user a proper warning. And, BTW, there are cloud services that use similar approaches to encrypt their users' data, e.g. Spideroak and the backup service Crashplan.
     
  6. appleguy123 macrumors 603

    appleguy123

    Joined:
    Apr 1, 2009
    Location:
    15 minutes in the future
    #6
    Wouldn't Apple would have to store enencryption keys in the cloud though to make it work on a different device than the original phone?
     
  7. Rocco83 macrumors 6502

    Joined:
    Jul 3, 2011
    Location:
    Ohio
    #7
    So I guess it is a good thing my iCloud storage is filled with phantom backups and I can't save backups there anymore without purchasing more space. I always figured it was a ploy for Apple to force me to buy more space. Now I know it is just their way of protecting all the sensitive pictures on my phone.
     
  8. Rigby macrumors 68040

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #8
    No. The encryption key would be derived from the user-supplied password using a secure hash function. So decryption would only require knowledge of the password. Again, this is how encrypted iTunes backups already work today. I see no reason why they couldn't use the same system for the cloud too.
     
  9. RedOrchestra Suspended

    Joined:
    Aug 13, 2012
    #9
    Now everyone will want a 1TB iPhone, since they won't want to be backing up all that secure stuff they own to the iCloud.
     
  10. tentales macrumors 6502a

    tentales

    Joined:
    Dec 6, 2010
    #10
    I always backup locally only. No cloud will ever be secure unless the data placed there is already encrypted with a strong algorithm, although Apple might now develop or claim to develop a secure cloud solution on the back of this case.
     
  11. iapplelove macrumors 68030

    iapplelove

    Joined:
    Nov 22, 2011
    Location:
    East Coast USA
    #11
    I have been backing up to both my Mac through iTunes and iCloud. I wonder if I cancel my iCloud subscription my iCloud backups will just disappear ??
     
  12. ParanoidDroid, Mar 2, 2016
    Last edited: Mar 2, 2016

    ParanoidDroid macrumors 6502

    ParanoidDroid

    Joined:
    Sep 15, 2013
    Location:
    Venusville, Mars
    #12
    I guessed that already, but now it's a fact on public record. The only 'safe' solution is to delete all our iCloud backups data, and not use any iCloud services.

    But here is the problem! Apple is increasingly integrating iCloud services deep into its iOS and Mac OS X. It's almost impossible to use Apple products without iCloud. This is scary... :eek:

    We're all already trapped deep in total surveillance by the NSA and god knows by whom else. The orwellian society is real! :(

    I feel like a chimp sitting in a zoo while constantly being watched. Welcome to the 21st century's privacy striptease.

    The only way out of our modern tech zoo is going low-tech and to move to an isolated island, dig a cave there (beware spy satellites), and hide there forever.
     
  13. mantan macrumors 68000

    Joined:
    Nov 2, 2009
    Location:
    DFW
    #13
    Totally agree. Local encrypted backup is the only way to go.
     
  14. goobot macrumors 603

    goobot

    Joined:
    Jun 26, 2009
    Location:
    long island NY
    #14
    They could just use the Apple ID's password that is associated with the back up.
     
  15. tentales macrumors 6502a

    tentales

    Joined:
    Dec 6, 2010
    #15
    1TB hard drives are very inexpensive nowadays. Unless you don't have access to a computer, backing your iPhone up to an encrypted drive or two or three, storing one in a bank vault, you're more secure than backing up to any cloud.
     
  16. Rigby macrumors 68040

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #16
    True, but theoretically the FBI could force them to intercept that password e.g. when you use it to log on to the icloud.com web site.
    --- Post Merged, Mar 2, 2016 ---
    To Apple's credit, this has been known all along since it's well documented in their iOS security guide. They are more open and transparent about their security practices than most other companies.
     
  17. a120 macrumors newbie

    Joined:
    Mar 2, 2016
    #17
    No mention of iCloud email security here -- are we to assume Apple, like Google, will turn over iCloud email with a warrant?
     
  18. Rigby macrumors 68040

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #18
    Yes they will. Everything that you can access on icloud.com is technically accessible to Apple too (since they have to be able to decrypt it on their end in order to display it on the web site) and thus potentially subject to a warrant.
     
  19. modemthug macrumors regular

    Joined:
    Apr 20, 2010
    #19
    So this really proves that the FBI is 100% full of **** on the San Bernadino case. They know full well they can just subpoena the iCloud backup and be done with it, they just want an easy way into phones so they can subvert due process.
     
  20. tentales macrumors 6502a

    tentales

    Joined:
    Dec 6, 2010
    #20
    No they won't. Your access to them will, but Apple keeps multiple realtime backup locations and authorities would be able to subpoena those records. Going forward, new data won't be backed up.

    Although, given the spotlight on this issue, there's now the distinct possibility of silent backups for law enforcement, until the next Snowden-type revelations.
     
  21. JPSaltzman macrumors regular

    JPSaltzman

    Joined:
    Jun 5, 2011
    #21
    The only thing I use iCloud for is "Find my iPhone." Everything else is an encrypted backup on my computer via iTunes. I have never trusted Apple's cloud services through all its various incarnations, beginning with me.com, mobile me, mini me, no more mini me, and what are they calling it now, by the way? /s
     
  22. ParanoidDroid macrumors 6502

    ParanoidDroid

    Joined:
    Sep 15, 2013
    Location:
    Venusville, Mars
    #22
    THE INTERNET NEVER FORGETS!

    As Edward Snowden revealed, the current surveillance programs do "full take" (https://en.wikipedia.org/wiki/Tempora) of all your traffic. Once your data ran through any web server, it was captured and stored forever! Even if we assume that Apple deletes your iCloud backups, a copy was already saved on some NSA/GSHQ server farm, indefinitely.
     
  23. iapplelove macrumors 68030

    iapplelove

    Joined:
    Nov 22, 2011
    Location:
    East Coast USA
    #23
    lol that's what I figured. Oh well
     
  24. goobot macrumors 603

    goobot

    Joined:
    Jun 26, 2009
    Location:
    long island NY
    #24
    They already got the iCloud back ups. But there were no backups a month from the event. They want to get into the phone to get more recent data.
     
  25. tentales macrumors 6502a

    tentales

    Joined:
    Dec 6, 2010
    #25
    Email & security are mutually exclusive. Unless you encrypt your email with strong encryption prior to sending and your opposite party knows the key, email data in motion is clear text and can be intercepted at any ISP or man-in-the-middle PoA, eg. when you're connected to public WiFi.
    --- Post Merged, Mar 2, 2016 ---
    and the FBI shot themselves in the foot by changing the iCloud password and thereby preventing the iPhone from backing up. As we all know, this isn't about this one phone.
     

Share This Page