A report from the Russian digital forensics firm ElcomSoft on Thursday said that Apple automatically uploads
iPhone call logs to iCloud remote servers, and that users are left with no way to disable this feature
other than to completely switch off iCloud Drive.
The uploaded data could include a list of all calls made and received on an iOS device, along with phone numbers,
dates, times and call durations, the firm said.
Cloud-based data is retained for up to four months, according to ElcomSoft’s report. It includes items such as calendars,
wallet, books, notes and other data synced with iCloud.
Apple currently relies on a two-factor authentication system that requires an iCloud token along with an Apple ID and password,
but ElcomSoft’s new Phone Breaker 6.20 software can allow law enforcement to bypass those defenses.
Apple has defended its practice of backing the data up to the cloud.
“Apple is deeply committed to safeguarding our customers’ data,” a spokesperson said.
“That’s why we give our customers the ability to keep their data private. Device data is encrypted with a user’s passcode,
and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.”
Privacy or Security?
The Russian firm made its announcement not to call attention to the potential weaknesses in Apple’s data storage practices,
but to address how easily its own software can obtain the information. It is billed as a tool for law enforcement,
but it’s not too hard for hackers to utilize similar tools for nefarious purposes.
“It is very concerning, as this can’t be something that is a surprise to Apple;
it is baked into their design for the product and services,” said Jim Purtilo,
associate professor of computer science at the University of Maryland.
These iPhone users may believe their data are encrypted and secure,
“which is mostly true, even if only on their actual device, while [Apple]
is still working accommodatingly with the feds, who get tremendous value from the traffic
analysis made possible by these saved data,” Purtilo added.
Who Guards the Guards?
The fact that this information is being uploaded to iCloud is important,
given the confrontation that Apple had with the FBI over its ability to obtain
information from an iPhone belonging to Syed Rizwan Farook,
the man who carried out last December’s terrorist attack in San Bernardino.
Farook’s phone was protected cryptographically.
Apple disputed more than 11 orders to assist in providing access to the phone,
which were issued by the United States district courts under the All Writs Act of 1789.
The question is whether the FBI confrontation was necessary, based on ElcomSoft’s findings.
A lot of the data might have been on iCloud and hence accessible.
“If most users rely on iCloud services, then police largely don’t
need the actual device in order to investigate someone; the data have already
been disclosed for far more convenient access by whoever asks,” explained Purtilo.
“Consumers should be so lucky that only the police are accessing their data;
in this news, we more or less need to presume other less upstanding groups have been accessing the data too,” he added.
For a large share of users this may not matter much, noted Pund-IT’s King.
“Most criminals and ne’er-do-wells probably know enough not to use their personal
phones for conducting illegal business,” he suggested.
“How threatening the practice may be is hard to say, but with Apple actively
trying to pitch its products for enterprise applications and use cases,
companies considering deploying iPhones and iPads may want to question how their employees’
call data is being collected and secured,” King added.
“Personal communication is the lifeblood of many businesses,
to the point that any threat of injury and hemorrhage should be avoided.”