Apple certainly loved the press it received when the FBI very publicly wasn’t initially able to break into an iPhone owned by one of the San Bernardino shooters. The fact that the FBI had to pay security professionals to break in suggested that Apple’s security is tight, locked down from all prying eyes. On Thursday, however, The Intercept cited a security firm that says Apple is secretly sending your phone call logs back to its servers, where they’re no longer safe from law enforcement or anyone else.
Vladimir Katalov, CEO of Elcomsoft, explained to The Intercept that Apple uploads and stores all sorts of information about first-party and third-party phone calls, including those placed using apps like Skype, WhatsApp and Viber. Private data such as the time the call was placed and how long it lasted is stored for up to four months on Apple’s private servers, Katalov explained.
Typically, this is the sort of data that law enforcement goes after wireless companies to provide, especially if they’re trying to get data on criminals. It’s worrisome, however, in light of programs like PRISM that were revealed by Edward Snowden, proving to the public that there was widespread collaboration between the US government and tech companies that were allowing the NSA to search through private data.
Apple says there’s a reason it stores your phone data
Apple actually isn’t shying away from the fact that it’s storing your phone data, but it doesn’t quite admit the full extent to which it does so and instead refers to it as “history syncing.”
“We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices,” an Apple spokesperson told The Intercept. “Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”
The problem is that I don’t think any of us really knew about it. Perhaps there’s a line deep in Apple’s EULA — The Intercept says there’s no notification or warning — but Apple hasn’t said it stores this data specifically. In fact, here’s what CEO Tim Cook said in 2014 when Edward Snowden and the NSA were making headlines:
“We believe in telling you up front exactly what’s going to happen to your personal information and asking for your permission before you share it with us,” Cook said. “And if you change your mind later, we make it easy to stop sharing with us. Every Apple product is designed around those principles. When we do ask to use your data, it’s to provide you with a better user experience.”
If this is true, where’s the option to use iCloud but opt out of call logging? Perhaps that’s something Apple can add in the future. There’s another problem, though.
Elcomsoft has the tools to crack data from iCloud accounts, so long as it has a user’s credentials. Those are easy to get through phishing scams, but The Intercept explains they aren’t always needed. “In some cases Elcomsoft’s tool can help customers access the iCloud even without account credentials if they can obtain an authentication token for the account from the accountholder’s computer, allowing them to get iCloud data without Apple’s help,” the news outlet explained.
Worse, Elcomsoft counts law enforcement branches among its customers. In other words, while Apple promotes and promises a super secure experience, iCloud is actually one gaping vulnerability in the whole system. As The Intercept explains, law enforcement could request the data and then use Elcomsoft’s tools to decrypt it, even if Apple promises customers that their data is safe from prying eyes.
If law enforcement can do it, then hackers are already two steps ahead. The safest bet would be to turn off iCloud functionality altogether.