SecureMac, Inc.

Checklist 171: Here, FIDO!

January 23, 2020

On this week’s Checklist, we’ll see how private your iCloud backups really are; we’ll examine the strange story of how the richest person in the world got hacked; and finally, we’ll look at a technology that promises a better way to do 2FA.

This week on the Checklist:

Considering iCloud and end-to-end encryption

A WhatsApp bromance gone bad

If you’ve got an iPhone, here’s FIDO!

 

What happens in your iCloud…

We’ve known for a while that iCloud backup data isn’t protected by end-to-end encryption — meaning that encryption keys aren’t stored only on the user’s device, but are also held by Apple in the event that they need to access the data. Bear in mind that this means that iMessages are potentially available for Apple to unlock, because while the messages themselves are end-to-end encrypted, their backups in iCloud aren’t — which may shock users who’d always assumed that at least iMessage was completely private!

But none of this should really come as a surprise, since we know that Apple routinely complies with court orders to turn over iCloud data to law enforcement in criminal investigations, which they couldn’t do if they didn’t have some way to access and decrypt that data.

What we didn’t know, however — and what surfaced in a Reuters report this week — was that the reason Apple doesn’t provide end-to-end encryption for iCloud backups is because the FBI asked them not to … at least according to the report, that is.

So this raises a very basic question: Is privacy-focused Apple really compromising its principles to appease the government? Or is there, perhaps, something else going on here?

Some have speculated that Apple’s acquiescence to the FBI was motivated by pragmatism: a desire to avoid negative publicity and the impression that they were shielding criminals from the authorities. In other words, it was a PR move.

But this explanation doesn’t account for the fact that Apple has repeatedly resisted calls to implement a similar “encryption-light” scheme for iPhones, which has resulted in the company taking plenty of heat — including public accusations of “siding with terrorists” by members of Congress.

A more probable explanation is that Apple, in this case, had a good reason to go along with the government’s requests (and one that had nothing to do with issues of privacy and patriotism): namely, people forget their passwords all the time, and want to be able to ask Apple to help them recover their backups when this happens. 

If Apple offered end-to-end encryption of iCloud data by default, they’d never be able to offer this service to users, because they’d have no way of accessing the encrypted data: Anyone who lost their password and wanted to restore files from iCloud would simply be out of luck. By keeping a copy of everyone’s encryption key on hand in case of an emergency, Apple can help users who have lost their passwords to recover their backups. 

In other words, this may be a case of Apple humoring the FBI by doing something they were planning to do anyway — avoiding unnecessary confrontation with the government while also preventing a rash of disgruntled customers unable to access their iCloud data.

Still, all of this may leave some folks feeling a bit disillusioned, given how often Apple touts its commitment to privacy. Yet there are other examples that demonstrate that the company isn’t really as absolutist about privacy as many people (as well as their marketing department) make them out to be. For example, Apple has said publicly that it uses image recognition software to autonomously scan images uploaded by iCloud users for signs of illegal content, such as child exploitation. Ordinarily, no one at Apple ever sees the images — but if the software detects what it thinks is illicit content, it raises an alert and the image is reviewed by a human being. If anything illegal is found, appropriate action is taken. 

Apple, it seems, is attempting to strike a pragmatic but principled balance between upholding their core value of privacy, preventing criminals from abusing those privacy protections to harm the innocent, and creating a positive user experience for a customer base made up of people who want their tech to “just work”.

However, if you do want end-to-end encryption for your iPhone backups, and you happen to own a Mac, you’re in luck. You can back up your iPhone to your Mac and enable FileVault, a tool which encrypts the contents of your computer’s hard drive so that no one but you — not even Apple — can access them.

 

Phishing for whales

File this one under “couldn’t make it up if you tried”: Apparently Amazon CEO and world’s richest man Jeff Bezos was hacked after receiving a phishing message in the form of a malicious video file. Somewhat strange already, but even weirder is the following detail: According to reports, the message was delivered via the popular WhatsApp messaging app and came directly from the personal number of Mohammed bin Salman, the crown prince of Saudi Arabia. Bezos reportedly lost a significant amount of data in the incident.

So what’s really going on here?

Saudi officials, perhaps predictably, are denying that the Kingdom of Saudi Arabia had anything to do with the hack, calling the very idea “absurd”.

Some observers have raised the possibility that the Israeli cybersecurity firm NSO Group could be involved in some way, since they have been known to create tools to hack phones using WhatsApp in the past. However, the fact that this is public knowledge — and that NSO Group has been sued by Facebook because of it — makes one wonder what they would have to gain by continuing to draw attention (and legal trouble) to themselves.

While the details of the incident are likely to remain fuzzy, there are still some important takeaways here — even for those of us who aren’t friends with royalty!

First, it seems that WhatsApp doesn’t have much in the way of malware detection or file scanning in place to protect its users from malicious downloads. Suffice it to say, then, that we should treat all incoming files in third-party messaging apps as potentially malicious, just as we would in our email inboxes.

Second, at least on this issue, iOS users shouldn’t consider themselves any safer than those with Android phones: Bezos was reportedly using an iPhone when the WhatsApp hack went down. The exact nature of the exploit used to steal Bezos’s data is unknown, but it is a bit surprising that any file downloaded onto an iPhone was able to access sensitive areas of the device and exfiltrate data, raising the possibility that Apple may have some security holes to plug. While iOS is generally a very secure platform, it’s still just another operating system, and thus vulnerable to well-crafted attacks.

Third, this is yet another reminder that it’s important to only download files from people you know and trust, and even then, that it’s probably best to scan downloads with a reliable third-party malware detection tool before opening them.

Lastly, the fact that the malicious code came as a video file sent through a messaging app reminds us that hackers have any number of tricks up their sleeves when it comes to delivering phishing attacks. In phishing awareness trainings, we’re typically taught to look out for suspicious links or executable files sent via email, but the reality is that there is a wide array of phishing tactics available to bad actors — some of them incredibly tricky and difficult to spot. If you aren’t familiar with the more esoteric forms of phishing, spend 10 minutes taking our phishing awareness quiz so that you can learn more about how to defend yourself against the full spectrum of attacks.

 

FIDO for iPhones

We’ve talked about two-factor authentication quite a bit on The Checklist, but this week we have something new to say about it: Google has now updated its Smart Lock app so that iPhones can be used as FIDO security keys.

FIDO, which stands for Fast Identity Online, is a way of unlocking websites using a physical security key — essentially a second authentication factor considered even more secure than the single-use SMS codes frequently seen in 2FA. In the past, this meant using a USB dongle, but now smartphones — with their powerful biometric security features adding another layer of security — are starting to replace the old physical FIDO USB keys. 

Using FIDO as a second authentication factor is similar to using an authenticator app running on a smartphone, but is arguably even more secure and, in most people’s experience, provides a better user experience.
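To make the comparison with single-use SMS codes concrete, here is an added example (not from the show or from Google's Smart Lock code) of the check a website performs on a FIDO-style login. It is a simplified model rather than the real WebAuthn message format, and the origins and the SMS code are constructed values.

```javascript
const crypto = require('crypto');

// Constructed relying-party origin (assumption, not from the page).
const RP_ORIGIN = 'https://accounts.example.test';

// Registration: the key makes a key pair for this site; the site keeps only the public key.
function register() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Login, key side: sign the server's challenge together with the origin
// that the browser (not the web page) reports.
function authenticatorSign(privateKey, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
  return { clientData, signature };
}

// Login, server side: the signature must verify, and the signed challenge
// and origin must be the ones this server expects.
function verifyAssertion(publicKey, expectedChallenge, assertion) {
  const signed = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', signed, publicKey, assertion.signature)) return 'bad-signature';
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expectedChallenge) return 'wrong-challenge';
  if (data.origin !== RP_ORIGIN) return 'wrong-origin';
  return 'ok';
}

// For contrast: an SMS code is only a string, so the server cannot tell
// which site the user typed it into before it arrived.
function verifySmsCode(expected, submitted) {
  const a = Buffer.from(expected), b = Buffer.from(submitted);
  return a.length === b.length && crypto.timingSafeEqual(a, b) ? 'ok' : 'bad-code';
}

function demo() {
  const { publicKey, privateKey } = register();
  const challenge = crypto.randomBytes(16).toString('hex');
  const genuine = authenticatorSign(privateKey, challenge, RP_ORIGIN);
  // Same key and challenge, but the browser was on a look-alike site.
  const relayed = authenticatorSign(privateKey, challenge, 'https://accounts.example-login.test');
  return {
    genuine: verifyAssertion(publicKey, challenge, genuine),
    relayed: verifyAssertion(publicKey, challenge, relayed),
    smsRelayed: verifySmsCode('493817', '493817'),
  };
}
```

The login signed on the look-alike origin is rejected as `wrong-origin`, while the relayed SMS code is accepted, which is the property that makes a FIDO key resistant to phishing.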

People with Google accounts have been able to use Android phones with the Smart Lock app as FIDO authentication keys for the past year, and now a recent update to the app makes it possible to use iOS devices in the same way (at least to log in to websites on the Chrome browser). 

If you’re going to use your iPhone for FIDO authentication, then you’ll need an iPhone running iOS 10.0 or later, and, of course, the iOS Smart Lock app itself. Keep in mind that this technology works via Bluetooth, so your device will have to be physically close to the computer you’re trying to log in to.

At this point, using an iPhone as a FIDO key with Smart Lock may be of limited interest to most people, since it only seems to work for Google accounts (though perhaps more services and sites will follow in time). However, if there are companies which use Google Docs for data storage and project management, and if they have a “bring your own device” policy, this could offer real cost savings, since setting up employees with USB FIDO keys is expensive. Now, anyone with an Android phone or an iPhone will be able to use this more-secure version of 2FA. All things considered, even if the use cases for the technology are still somewhat limited, this is a positive development for digital security.

Would you like to learn more about cybersecurity and digital privacy while you’re waiting for the next Checklist? Delve into our show archives for past episodes and complete notes going all the way back to the very first podcast. And if you come across something that makes you want to know more, write to us at Checklist@SecureMac.com and ask us about it — we love getting questions from our listeners and are always happy to answer them by email or as part of a future show.
