Apple this week announced three new security features for users of its products
Apple this week announced three new security features for users of its products. The company said it is immediately expanding the scope of end-to-end encryption used to protect data stored on iCloud. And in the new year, Apple said it will add support for physical security keys as a verification method for logging in to an Apple ID, and will also provide a supplemental messaging contact verification system intended for users at a higher risk of being compromised.
“Advanced Data Protection for iCloud” expands the scope of end-to-end encryption supported by iCloud. Apple noted that iCloud already protects fourteen iCloud data categories by default, such as iCloud Keychain, which provides password management features, and the data associated with the company’s Health application, which can link out to medical service providers to import (and export) specific health data such as laboratory test results. The new Advanced Data Protection feature raises that total number to 23, Apple said. With Advanced Data Protection, notes, photos, and device backups made using iCloud are all encrypted end to end.
“The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems,” explained Apple.
New anti-phishing and anti-spyware measures
Apple describes Security Keys for Apple ID as an additional layer of security on top of two-factor authentication (2FA), which has been a cornerstone of the company’s security since 2015 and, according to Apple, is already used by more than 95% of active iCloud Accounts. Apple’s existing 2FA requires users to present a password and a six-digit code sent to a trusted device. The optional new feature will require users to verify their identity using a physical security key made by a third party. A screenshot Apple provided in the feature announcement shows that it supports hardware security keys that can be physically plugged in to an Apple device, as well as those that use wireless Near-Field Communication (NFC).
“This takes our two-factor authentication even further, preventing even an advanced attacker from obtaining a user’s second factor in a phishing scam,” said Apple.
By Apple’s own admission, the other new security feature arriving in 2023, iMessage Contact Key Verification, is probably overkill for most.
“The vast majority of users will never be targeted by highly sophisticated cyberattacks, but the feature provides an important additional layer of security for those who might be,” said Apple.
Without naming names, Apple’s new verification feature seems aimed at mitigating the possibility of eavesdropping through tools like NSO Group’s Pegasus spyware. Apple said it’s aiming the new tool at users in high-risk environments, such as journalists reporting on totalitarian regimes, government officials, and high-profile celebrities.
“Conversations between users who have enabled iMessage Contact Key Verification receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications,” explained the company.
What’s more, iMessage Contact Key Verification users can compare a Contact Verification Code in person, on FaceTime, or through another secure call, said Apple.
Advanced Data Protection for iCloud debuts this week in the United States, for customers that opt in to Apple’s beta software program. The company anticipates making a general rollout of the new feature by the end of the year. The company said it will roll out the feature to users worldwide starting early next year. iMessage Contact Key Verification will debut globally in 2023. The company said it plans to roll out Security Keys for Apple ID in early 2023.
Putting the kibosh on CSAM scanning
The security improvements Apple announced comes amidst news that the company has abandoned its previously announced plans to scan devices for evidence of child sexual abuse material (CSAM). Apple first announced plans to do so with the introduction of iOS 15 in 2021. The company immediately faced backlash from consumer privacy groups including the American Civil Liberties Unions (ACLU), Electronic Frontier Foundation (EFF) and others. Opponents to Apple’s proposed technology expressed concern that the same mechanisms Apple planned to use to weed out CSAM could also be abused, to censor protected speech and threaten individual privacy.
Apple confirmed putting its previous plans to rest in an interview with the Wall Street Journal.
“Child sexual abuse can be headed off before it occurs,” said Apple’s VP of software engineering Craig Federighi. “That’s where we’re putting our energy going forward.”