Responding to the increasing complexity of the global cyberthreat environment, Apple has released three new security features: iMessage Contact Key Verification, Security Keys for Apple ID and Advanced Data Protection for iCloud.
The new security solutions are specifically designed for high-value users who face extraordinary digital threats — journalists, human rights activists, government members and others.
iMessage Contact Key Verification and Security Keys for Apple ID will be available globally in early 2023. The iCloud Advanced Data Protection feature was rolled out to U.S. members of the Apple Beta Software Program on December 7 when it was announced. The company assures it will expand cloud protection to all U.S. users by the end of 2022 and globally in 2023.
Why Apple is adding special security layers
Whaling, spear phishing and nation-state attacks — where cybercriminals attack celebrities, public figures, C-suite executives and other high-value targets —- have been on the rise.
In Apple’s recent report, “The Rising Threat to Consumer Data in the Cloud,” the company found that corporate login credentials are sold for as much as $120,000 on the dark web. The Microsoft Digital Defense report 2022 adds that password attacks rose by 74% in just one year, translating to 921 attacks every second globally.
SEE: Mobile device security policy (TechRepublic Premium)
More than 1.1 billion personal records were exposed internationally in 2021, and 290 million Americans were victims of data breaches that same year, according to Apple. On the other hand, the role of nation-state attacks, driven by bad actors linked to Russia, China, Iran and North Korea, has reached crisis levels and is today a top priority for the industry.
The new Apple security solutions are building and expanding on features that the company presented in the past months. Last November, Apple announced new threat notifications to protect its users from state-sponsored attacks.
“Unlike traditional cybercriminals, state-sponsored attackers apply exceptional resources to target a very small number of specific individuals and their devices, which makes these attacks much harder to detect and prevent,” Apple said.
In October, the company announced another feature, Lockdown Mode, describing it as an optional, extreme protection “designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats.”
The company recognized that most users are never targeted by attacks of this nature.
“Our security teams work tirelessly to keep users’ data safe, and with iMessage Contact Key Verification, Security Keys and Advanced Data Protection for iCloud, users will have three powerful new tools to further protect their most sensitive data and communications,” said Craig Federighi, Apple’s senior vice president of software engineering.
iMessage Contact Key Verification
To strengthen security for users that face extraordinary digital threats, Apple will globally release iMessage Contact Key Verification in the coming months.
All Apple users’ SMS are secured via end-to-end encryption — only senders and recipients can read the messages. The encryption also extends to FaceTime to keep conversations private and secure. Now, with iMessage Contact Key Verification, high-value users can further verify that they are messaging only with the people they intend (Figure A).
Figure A
Users who enable iMessage Contact Key Verification will receive automatic alerts when an “exceptionally advanced adversary” succeeds in breaching cloud services and inserting their own device to spy on encrypted communications. Additionally, users will also be able to compare a Contact Verification Code in person, on FaceTime or through other methods to add a layer of security.
Hardware Security Keys for Apple ID
Apple also announced Security Keys for Apple ID. With this solution, users can use third-party hardware security keys to further strengthen their devices. The company explained that this product was also specially designed for high-value targets, who face increased threats to their online accounts due to their public profile.
For those who activate this feature, the hardware keys will act as one of the factors of Apple’s two-factor authentication system.
“This takes our two-factor authentication even further, preventing even an advanced attacker from obtaining a user’s second factor in a phishing scam,” Apple said.
Instead of receiving an SMS or notification with an authentication code, hardware keys can be inserted in ports to secure and verify logins. They are considered to have the highest security standard (Figure B).
Figure B.Â
Apple explained that when prompted for two-factor verification on Apple ID, users can insert the key in the port or bring it near the top of the device if they have a near-field communication key. NFC keys are wireless, enabling contactless data transfers.
Advanced Data Protection for iCloud
Finally, responding to the increased attacks on cloud infrastructures, Apple announced Advanced Data Protect for iCloud.
“Advanced Data Protection is Apple’s highest level of cloud data security, giving users a choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption,” said Ivan Krstić, Apple’s head of security engineering and architecture.
By default, iCloud already offers built-in security and protection for 14 sensitive data categories through end-to-end encryption. This includes passwords in iCloud Keychain and Health data. Now, for users who enable Advanced Data Protection, Apple will increase protected categories to 23, including iCloud Backup, Notes and Photos (Figure C).
Figure C
iCloud Mail, Contacts and Calendar are not protected by this feature because they require interoperability with the global email, contacts and calendar systems. Cloud data protection can safeguard users even if the cloud is breached, because their data is heavily encrypted.
A new chapter in the FBI-Apple encryption controversy
While some privacy and security experts applauded the move to encrypt data in the cloud for Apple users; the announcement did not come without controversy. The Washington Post reported that the FBI was still deeply concerned with Apple’s security features.
“This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime and terrorism,” the FBI said in an emailed statement.
The FBI wants technology companies to provide encryption systems that providers can decrypt when serviced with legal orders. The bureau added that “lawful access by design” is vital to conduct investigations and keep up with “adversary tradecraft.”
The Washington Post noted that the new features will likely spark opposition from governments of multiple countries, including top law enforcement officials in the U.K. who already oppose this type of technology.
The saga between Apple, the FBI and other law enforcement is not new. Clashes over requests to unblock and decrypt Apple users’ data have been intensifying since 2019. In 2020, the controversy reignited when the FBI asked Apple for the data of two iPhones that belonged to the gunman in the shooting of the naval base in Pensacola, Florida.
Apple maintains that end-to-end encryption is the most secure option it can provide to its users.
If you’re hungry for more Apple-related articles, take a look at our iOS 16 cheat sheet and news about the company debuting new and enhanced watches, iPhones and AirPods.