Reuters has reported that Apple is not encrypting iCloud backups due to FBI complaints.
Many of us are aware that the FBI would like access to the backups to catch criminals and terrorists. These needs, however, are beyond the scope of this article designed to help you implement best practices to protect your organization from hackers.
The news that iCloud backups are not encrypted as of two years ago is quite scary as it could mean many corporations and other entities have run afoul of compliance and cybersecurity best-practices without even being aware.
While iCloud is considered "secure," it is possible that unencrypted information contained in these backups which consist of healthcare patient information in the form of emails or financial data in an application, could be accessed by a hacker if they have the credentials to get into a user’s iCloud account. This can be somewhat easily accomplished using a SIM Swap Attack.
On a related note, information from backups of 6,000 accounts was handed over to law enforcement last year.
Between SIM swaps and the chance of a leak of data or theft from an Apple employee, companies are at increased risk of a compromise from a source they may not have realized could be an issue.
From this point onward, companies must look at iPhone applications that do not explicitly encrypt data end-to-end as potential weak links in their privacy and cybersecurity chain.
It may be advisable to start storing backups on local machines instead of iCloud which is a huge inconvenience but may be the best way to deal with this new issue.
Users must be instructed as such.
All Apple services are subsequently suspect and can leak information. Location data, customer communications via the Apple message apps, phone calls and more.
Low hanging fruit is advising users to never store passwords in the Notes app.
Even encrypted apps like WhatsApp could be accessible via iCloud.
The challenge the enterprise faces is the iPhone can have significant storage and users sync much of their activities to their phones.
Often, cyber attacks come from the threat vector you least expect. Hopefully, every CSO will start thinking about the iPhone and iCloud as a weak link in their cybersecurity and data privacy chain.
They must advise users accordingly and explore other alternatives which have inherent security built in – without giving Apple the ability to store unencrypted data in their cloud.
Over time – we will learn more about what apps are and aren’t secure and which can be accessed by Apple. In the meantime – many have just found themselves out of compliance and not adhering to cybersecurity best practices.
If you found this story useful – contact Apex Technology Services to learn how we can help with your IT, tech support and cybersecurity needs - in Manhattan, greater New York, the tri-state area and beyond.