There is an old saying I heard a locksmith say when I was training to break into locking systems for my job. It went something like this, ‘The door is locked if only you have the key’. I never forgot this from the old guy called Charlie. He was a skilled locksmith and always managed to sum things up swiftly. It is this key and only you having a copy that helps me understand the basic principles of end-to-end encryption. That is why I know Apple have been lying for years about their iCloud Backup services having end-to-end encryption.
Firstly, it is important to note that Apple do implement encryption techniques and your backup is in fact encrypted. However, there are many forms of encryption, and end-to-end encryption is something totally different.
It is from this difference in encryption techniques that the weakness, and the Apple iCloud Backup lies, stem. Remember, this has been going on for many years because of the way the services are described and advertised.
‘The door is locked if only you have the key…’ Charlie – Professional Locksmith – 1998
What is End-to-End Encryption?
This type of encryption relies on a simple principle… that being only you know the password which allows the data to be decrypted. When you encrypt data, the contents are scrambled. This should render the data unreadable without knowing the password. If you want to read the scrambled data, you must first know the password. By entering the password, this will allow the data to be decrypted and present it in a readable format.
The above is clearly a simplistic way of understanding the basic functionality of encryption. There are far more complex methods and procedures involved in encrypting data securely. However, that topic is beyond the scope of this short essay. If you want to know about encryption methods, do take the time to DuckDuckGo the topic.
What does this have to do with Apple iCloud?
I am glad you asked that question. It is really important to remember the principle of encryption mentioned above. Apple want you to use iCloud by default and it is enabled when you first set up your Apple device. We all know Apple want you to use their iCloud because you will need to upgrade from the free plan after a few months. You only get 5GB of data storage in your free Apple iCloud account. It is a money-grabbing tactic because you and only you are responsible for your data. If Apple lose it, you cannot claim anything because it’s in their terms and conditions. This is similar to most cloud service providers. To read more about cloud services and how they are not to be treated as a true backup, you can read the following article I wrote: Cloud Storage – Safe or Myth.
It is important to accept Apple does indeed use encryption within their devices, and within the Apple iCloud services. However, the way in which they supply the encryption and fulfil this directive is the issue.
Apple by default encrypt the data on your local device. This could be your Apple iPhone or iPad, for example. They have done this as standard for quite some time (much to the annoyance of governments around the globe). If you save your data to Apple iCloud, this data too is encrypted, but with a slight change in how the encryption can be decrypted. This is where the difference is… are you storing locally on your device, or are you using the cloud services to back up your data (albeit in an encrypted format)?
Local Storage Method
If you do not use the iCloud features, your data is fully encrypted with End-to-End Encryption methods. This means your password and certain device information are used to create an encryption key. It is this key that will allow your local data to be decrypted so you can read it. Only your password can be used to decrypt the data because the encryption key is also encrypted on your device at a deep operating level (although there are two levels, and the level your phone remains in most of the time is the less secure one). Without your password, it becomes very hard to decrypt your data because you cannot get access to the encryption key without your password to begin with.
Cloud Storage Method
If you do use the Apple iCloud features, your data is still encrypted on your device, but a copy of your encrypted data will then be stored on the Apple iCloud services. Surely you say, ‘This is a good thing. It provides encryption and backs up my data?’. I agree, using an encryption method compared to zero encryption is always better. However, remember the encryption key mentioned in the local storage method above? This key allows the data to be decrypted on your device, or allows the encrypted backup data to be decrypted too. We know this encryption key is stored on your device locally. Great! MMMmmmm… What happens when Apple decide to store your actual encryption key in the cloud alongside your encrypted backup?
Importance of the Encryption Key Storage
Suppose I have a small money safe in my home and I place all my life savings into this safe. I then lock the safe with the provided key and place the money safe in a cupboard. Great. My money is locked away and I go hide the key somewhere, or keep it on my person. What would you think of me if I decided to place the key with the money safe? You would be screaming at me, telling me how stupid I was and how at risk my money was, right? Hopefully, you would not be screaming too much and would kindly tell me that my actions are beyond the line of no return for stupidity.
Replace the physical key to the money safe with your encryption key. Now replace the money safe with your encrypted data backups. Now put them both together and bam! We have a problem surely? This is what Apple technically are doing with your encryption keys which you assume only you can access on your device.
When you use the iCloud services, Apple not only upload your encrypted backup data files, but also your encryption key along with them. Yes. I am fully aware that Apple don’t actually store your data backups on servers they own. They use third-party servers instead. This technically means your key is not physically stored right beside your data. Apple also split your encrypted backup data into different packets and spread the backup across different cloud servers. This can make it quite hard to try to get access to the encrypted backup. So where is the encryption key stored?
Apple store the encryption key for your data on their own servers. This ultimately means you are not the only one who can get access to your data. Apple can clearly decrypt all your secure data using this encryption key. Apple are well known for releasing your data to governments and police requests along with your encryption key. This means your data is not actually end-to-end encrypted. The reason I say this… your encryption key is copied and stored in another location. This key is then released to those bodies who legally request it along with your data.
In order to have true end-to-end encryption, you must always remain in control of your encryption key. Like the locksmith Charlie said, ‘The data is secure if only you have the encryption key’. I know, back then, encryption was not very well known, but you get Charlie’s point, right?
Why is it, then, that people are still under the impression their data is safe when using Apple iCloud services? The basic principles of encryption are not truly applied here to secure your data. Apple store your encryption key on their own servers and are happy to release this key to those who request it (governments, police and other agencies).
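To make the safe-and-key point concrete, here is a small model added as an example (it is not Apple's code or design, and every name in it is hypothetical): the backup is encrypted under a random data key, and the only question is who holds a usable copy of that key. The cipher is a standard-library stand-in, not something to deploy.

```python
# Added illustration: every name here is hypothetical, not Apple's design.
import hashlib, hmac, secrets

def _xor_stream(key, nonce, data):
    # Toy keystream (HMAC-SHA256 in counter mode) so the example needs only
    # the standard library. Real systems should use AES-GCM or ChaCha20-Poly1305.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt then MAC under `key`; returns nonce + ciphertext + tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(hashlib.sha256(b"enc" + key).digest(), nonce, plaintext)
    tag = hmac.new(hashlib.sha256(b"mac" + key).digest(), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the tag, then decrypt. Raises ValueError if `key` is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(hashlib.sha256(b"mac" + key).digest(), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered data")
    return _xor_stream(hashlib.sha256(b"enc" + key).digest(), nonce, ct)

def password_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_backup(data, password, provider_key=None):
    """Encrypt `data` under a random data key, then wrap that key for each holder."""
    data_key, salt = secrets.token_bytes(32), secrets.token_bytes(16)
    record = {"salt": salt, "ciphertext": seal(data_key, data),
              "key_for_user": seal(password_key(password, salt), data_key)}
    if provider_key is not None:  # escrow: a second copy of the key the user does not control
        record["key_for_provider"] = seal(provider_key, data_key)
    return record

def user_restore(record, password):
    kek = password_key(password, record["salt"])
    return unseal(unseal(kek, record["key_for_user"]), record["ciphertext"])

def provider_read(record, provider_key):
    """What the storage provider can recover with no knowledge of the password."""
    if "key_for_provider" not in record:
        return None  # only ciphertext and a password-wrapped key are on the server
    return unseal(unseal(provider_key, record["key_for_provider"]), record["ciphertext"])
```

Both records hold the same encrypted data; the one made with `provider_key` set is readable by whoever holds that key, with no password involved.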
Apple Encryption Summary
Apple are well known to have a working partnership with governments all around the world. They have full policies and procedures that enable police forces to ask for your data. Yes. Apple release your data in encrypted format, but that makes no difference if they also release your encryption key they stored along with it.
Apple do not hide this fact completely. They do actually state this fact and the method of encryption key storage on their website. As I quote directly from their website:
‘If you have iCloud Backup turned on, your backup includes a copy of the [encryption] key protecting your Messages [data].’ Apple iCloud Security Overview – 2021
If you do care about your privacy and your right to have your data stored securely, please do turn off your iCloud instantly. By using iCloud you are actually undermining the purpose of having encryption on your device to begin with.
I personally do not use Apple iCloud services on my devices. I do not use any form of third-party cloud storage at all. I am looking into ridding myself of all mainstream operating systems for all devices. However, due to compatibility issues, and having the ability to communicate with others both personally and for work-related reasons, I have still not taken the leap. I do use a number of operating systems and I lock the operating systems down as much as I am able to (including all mobile devices too).
I do operate my own backup servers which are fully encrypted and only I have the encryption keys. This is End-to-End Encryption people. All my devices are encrypted by default to a certain degree (as some other encryption methods used are still not secure on your other devices).
‘If you care about your data and security, STOP using Apple iCloud services this instant… and turn it off.’ ThinkOgram – 2021
Invest in a small NAS (Network Attached Storage) and use full encryption you are in control of. You can even set up this server to act as a local cloud service. Your data can then be backed up on your very own, fully end-to-end encrypted storage device.
Apple. 2021. iCloud Security Overview – Apple Support [WWW Document], Apple Inc. Available at: https://support.apple.com/en-us/HT202303 (Accessed on 16.01.21).
Oleg Afonin. 2021. Apple Scraps End-to-End Encryption of iCloud Backups [WWW Document], Elcomsoft. Available at: https://blog.elcomsoft.com/2021/01/apple-scraps-end-to-end-encryption-of-icloud-backups/ (Accessed on 16.01.21).
Vladimir Katalov. 2021. Apple, FBI and iPhone Backup Encryption: Everything You Wanted to Know [WWW Document], Elcomsoft. Available at: https://blog.elcomsoft.com/2021/01/apple-fbi-and-iphone-backup-encryption-everything-you-wanted-to-know/ (Accessed on 16.01.21).
Chris Smith. 2021. Apple abandoned full iCloud encryption after FBI complaint [WWW Document], Routers – BGR. Available at: https://bgr.com/2020/01/21/iphone-icloud-backup-isnt-fully-encrypted-and-its-the-fbis-fault/ (Accessed on 16.01.21).
BBC. 2021. FBI ‘persuaded Apple to halt iCloud Encryption’ [WWW Document], BBC News. Available at: https://www.bbc.co.uk/news/technology-51207744 (Accessed on 16.01.21).
Branko Vlajin. 2018. Has iCloud Gotten Safer? Apple’s Cloud and Security [WWW Document], Cloudwards. Available at: https://www.cloudwards.net/apples-cloud-and-security/ (Accessed on 16.01.21).
Apple Discussions. 2019. Disable iOS backup encryption [WWW Document], Apple Community. Available at: https://discussions.apple.com/docs/DOC-12031 (Accessed on 16.01.21).
Oleg Afonin. 2020. Extracting and Decrypting iOS Keychain: Physical, Logical and Cloud Options Explored [WWW Document], Elcomsoft. Available at: https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/ (Accessed on 16.01.21).
Oleg Afonin. 2020. The iPhone Data Recovery Myth: What You Can and Cannot Recover [WWW Document], Elcomsoft. Available at: https://blog.elcomsoft.com/2020/07/the-iphone-data-recovery-myth-what-you-can-and-cannot-recover/ (Accessed on 16.01.21).
Aatif Sulleyman. 2017. WhatsApp quietly encrypts iPhone messages backed up to iCloud [WWW Document], Independent. Available at: https://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-backup-icloud-iphone-messages-encryption-apple-messaging-app-a7728116.html (Accessed on 16.01.21).
Chris Foresman. 2012. Apple holds the master decryption key when it comes to iCloud security, privacy [WWW Document], Arstechnica. Available at: https://arstechnica.com/gadgets/2012/04/apple-holds-the-master-key-when-it-comes-to-icloud-security-privacy/ (Accessed on 16.01.21).