When the FBI wants to get into a phone, they usually go to Apple first. Often, Apple can provide them with iCloud backups of the device. This can include messages, photos, contacts, and calendar items, allowing the FBI to see what a person was doing on a given day. It’s basically like cracking into your phone, but you’ll never know it happened, and it requires a warrant. Apple secures these backups themselves, it’s not based on your own encryption keys.
This, of course, isn’t the most secure backup solution. People at Apple could have your data, and hackers could be able to crack or bypass Apple’s encryption and have access to someone’s iPhone data. Furthermore, there have been leaks. A few years ago, hackers found a way to get celebrity photos through their iCloud backups. Apple promised to begin encrypting iCloud backups so only their customers could access their own data. Apple wouldn’t be able to get it, which means hackers using social engineering tactics wouldn’t be able to get in. Your photos meant only for your significant other would be safe.
But Apple abandoned that plan, despite its popularity with consumers. According to an exclusive Reuters report, this is because Apple didn’t want to upset the FBI any further than they already have.
With potentially no hope for a truly secure wireless backup solution, here’s what you can do to keep your phone backed up and secure.
In This Article:
Why Did Apple Abandon a Popular Feature?
(Unless they have a warrant.)
Even Reuters admits that the FBI may not have been the only factor in Apple’s decision. Reuters claims that sources with in Apple have told them that, “Legal killed it, for reasons you can imagine.” Another former Apple employee clarified further, stating that the plan was dropped, but that they weren’t told why, or if the FBI was involved with it at all. Yet another claimed that Apple “decided they weren’t going to poke the bear anymore.”
But that last statement should make you think twice about this story. What bear? The FBI? Politicians? Apple to this day assists law enforcement agencies in any way they can, insisting on only strongly encrypting your devices because they’re easy to lose, thieves could take them, and you want that important data secure. Is this “poking the bear?” According to Trump, many in his party, and some people at the FBI, it is, but Apple’s actually extremely helpful when it comes to law enforcement.
Police departments can get more data on you than at any time in the history of humanity, and that’s thanks to companies like Apple, Google, and Microsoft. They can do so now without their target ever knowing that they went to a company for their personal information. The idea that Apple’s somehow holding back the FBI? That’s just something politicians and the FBI claim as they desperately grab for more power. It’s an appeal to far-right voters who want to see politicians being tough on “leftist companies” like Apple. The truth is, technology has given them capabilities law enforcement of the past could have only dreamed of.
Apple’s not poking the bear, they fed it and tucked it in it for a cozy hibernation.
Perhaps that’s why yet another former Apple employee that Reuters talked to claimed that the encryption feature was dropped to avoid locking more users out of their accounts. You already need a password, what do they mean by that?
Instability of Security
Apple did try encrypting your iCloud information at one point. The problem? Many people lost their data entirely. Encryption required keys generated at random, long strings of characters that you’d have to store somewhere, hopefully protecting with yet another layer of encryption and an easier to remember password. This way you password would decrypt the encryption key, rather than all of the data in your account. This would allow you to change your password often, without having to decrypt and then encrypt all of the data in your account with a different key. If you ever forgot your password, that randomly generated key could decrypt your account and allow you to reset your password.
But people weren’t storing that key. I remember when it came out. I stored the key in multiple places to reconstruct if need be. The result? I would have had a hard time, but I could have recovered my data if I needed to. Still, that’s a little crazy to expect of people, especially people who don’t understand technology.
So Apple scrapped it.
Now your account is protected by two factor authentication, a second approved device that can verify logins. This creates a keyed system to protect your data. However, Apple still holds the master encryption keys. People don’t lose their data now, but it’s less secure.
When it comes to backups, which is more important? Being able to recover the data when it’s desperately needed, or that it’s flawlessly secure? Usually the former. You need that data more than you need to protect that data. Most people wouldn’t mind Apple or the FBI peeping into every moment of their life, or at least they could do so without consequence. As a result, they don’t have to worry about security as much as they want the security of knowing their device is always backed up.
How Bad is This?
This isn’t as bad as if Apple made a backdoor into all iOS devices for the FBI. In fact, it’s far more secure than that. Still, you’ll be relying on Apple’s security to protect all of your backups. Even if they have a unique key for each account, which they likely do, those keys are still protected only by Apple’s own encryption. That relies on the people who have access to Apple’s key to uphold strict security protocols. In the past, there have been systems in place to sidestep those protocols. For example, the iCloud backup hack that leaked celebrity nudes a few years ago was the result of an oversight in the Find My iPhone app, which allowed a hacker to brute force a password without being locked out and bypass two factor authentication. This isn’t possible anymore, but other such flaws could exist. To date, hackers have not cracked Apple’s encryption, so this is secure enough for most people.If you use unique passwords and two-factor authentication, you should be safe.
The other issue is social engineering. Let’s say you’re a hacker. You call up Apple support, claiming to be your victim. You act befuddled, claim you may have used false information when you signed up just to rush through the process, and they may reset your password for you or tell you your victim’s information. With that, you’ve gained another tool for cracking your victim’s accounts. Not you have more information on them or a way to reset their account information. If you can crack their email account, you can reset their password and gain access to their Apple-encrypted backups, which they’ll provide to you. However, Apple has safeguards in place, and won’t just hand over information that easily. They’re not your cellphone company, after all.
Basically, since Apple doesn’t allow you to hold the only encryption keys to your account, they’ve created a labyrinth around your data and stationed guards in key areas. But a hacker could still theoretically make their way through that maze to unlock your information, it just hasn’t happened yet.
How Can You Protect Yourself?
Don’t want to end up with your nudes leaked as a few celebrities had happen a few years ago? That’s understandable. To protect yourself from hacks, you’ll have to stop using iCloud backups. The process of backing up your device won’t be as “Apple-like,” but it’s the price you pay for peace of mind.
Encrypt Backups Locally
First, back up your device to your computer. Since we’re deleting your iCloud backup, you don’t want a single moment where you could potentially destroy all the data on your iPhone permanently. To do this, you’re going to have to break out some ancient technology… a cable. Specifically a USB to Lightning cable, the one that came with your iPhone. Use this, along with a dongle or adapter, if you have a MacBook, to connect your iPhone to your computer. We’re going to skip the absurdity of needing an adapter to connect two Apple devices together, but… wow.
Once they’re connected, open either iTunes on older versions of macOS, or Finder on Catalina or newer (10.15). In Finder, you’ll find your iPhone under “Locations.” In whatever you’re using, open the iPhone (or iPad) tab. Under Backups, select to back up your iPhone to your computer. Then select to encrypt the backup and add a password. Once the backup is done, just remember to connect your device on occasion. You can sync over WiFi as well, and therefore sync to your computer while your iPhone is on the same network and charging, but this won’t perform a backup. For that, you’ll have to connect your device with a USB cable.
Remember whatever password you use for this. Write it down or write down hints or reminders for it. Create your own code if you must. Just find a way to ensure you’ll never forget that password. Personally, I use codes and encrypted notes. It’s important, if you lose this, and you lose your phone, everything that’s on it will be gone forever.
Back Up Your Backup
Remember how I said you don’t want all of your information in one place? It’s true. That place could, at some point (like while upgrading to a new device) be the backup on your computer. You should have multiple backups of your computer if you store important information on it. Store those backups in different locations. You may choose to encrypt your backups or only encrypt sensitive information, that much is up to you. Most data recovery experts would tell you to set up a secure partition on your drive, encrypt that, and only put important information in there, leaving the rest unencrypted so you could recover it. This is because, even with the encryption keys, data storage can decay, and eventually even the right password might not be able to unlock your data.
Time Machine on macOS is one option. I also like to do occasional disk image backups using Carbon Copy Cloner, which copies your disk, bit by bit. It’s more time consuming, but it ensures that nothing is lost between backups.
Turn off and Delete iCloud Backups
Once your data is secured, backed up, and backed up again, it’s time to delete your iCloud backups and ensure the feature is turned off on your iPhone, iPad, or other iOS device. You can do this by going into Settings, and tapping the account info at the top. From there, tap iCloud. Then scroll down to “iCloud Backup.” Turn it off. Go back one level, back to iCloud. Scroll to the top and tap “Manage Storage.” Here you can delete all the iCloud backups for your account.
Even if you do use iCloud for backing up your device, you may choose to do this on occasion to remove old backups and deleted information.
Turn off Photo Syncing
If you’re most concerned about your personal photos, you can also use the iCloud portion of settings to turn off photo syncing. To do this tap Photos and then turn off iCloud photos and Photo Stream. You can then also delete them from your existing iCloud account by selecting “Manage Storage” again, and deleting all stored materials. Just make sure you’ve backed up everything locally and your most important photos in other ways!
You may want to also do this for your contacts, calendar events, or any other info you’d like to protect. iCloud syncs a lot of information.
Use Two Factor Authentication
This is an Apple-approved security measure. It’s not necessarily here to back up your iCloud backups, but it’ll protect your Apple ID, anything you do store in iCloud. You should have this turned on no matter what. If it’s not, go to appleid.apple.com. Sign in. Under Security, select Edit and turn on Two-Factor Authentication. You’ll need to come here to generate app-specific passwords for any applications that may access your Apple account, such as Fantastical for your calendar. While you’re here, review your devices. You may have access granted to some devices you’re not using anymore. Be sure to remove them if you’re done with them.
Once this is enabled, anyone, including yourself, will need more than your password to get into your Apple account. You’ll also need an approved device. Log in to your account and you can start approving devices you own, such as a computer, iPad, or iPhone. This is a more secure form of two-factor authentication, as it doesn’t use text messages. Since stealing your phone number from your cellular provider is actually quite simple, two factor authentication using SMS is barely more secure than a password alone.
What About iMessage?
When you turn off iCloud backups, your iMessage keys will be downloaded to your individual iOS devices. This means they’ll only exist on your device. You’ll still be able to read messages across devices though, so don’t worry, it’ll be as seamless as ever, though your device will hold your keys, rather than Apple’s servers. I tested this with sending a few text messages, and can confirm they download across your devices as fast as they do with iCloud backups on.
Should I be Worried?
Honestly? Probably not. If you’re extremely security conscious, you may want to take these steps to secure your backups, but nothing has changed. However, for most people, having the backups accessible to Apple (and therefore law enforcement with a warrant) is not a huge problem. Your apartment, your safe, your filing cabinet, it’s all less secure than your data in iCloud anyway. Still, if you want to ensure your security, you can back up all your information on drives you own. Keep them in your home, your office, maybe a family member’s house. Just make sure your data is secure, wherever it is.
Reuters may have overblown the issue. It’s possible that Apple will encrypt iCloud backups in the future. It’s also possible that we don’t have those encrypted backups in iCloud because the feature isn’t complete or isn’t user friendly, not due to FBI pressure. Still, for now, I won’t be using Apple’s iCloud backups. I prefer to own my own data in full. But for many people, this won’t be a big deal at all. In fact, if you’re not a techie, I wouldn’t recommend managing your own data unless you’re worried about it ending up in the wrong hands. If you’re a techie or you’re worried about your data, perhaps it’s time to consider backing up your own information?
Sources:
- John Brodkin, Ars Technica
- Luke Dormehl, Cult of Mac
- Kate O’Flaherty, Forbes
- Joseph Menn, Reuters
- Rene Ritchie, iMore