How Safe Is iCloud?

Justin Pierce, MPS-CRM, CNDA, CEH, Senior Cybersecurity Engineer @ NASA | Certified Ethical Hacker | Combat Veteran
CERTIFIED EXPERT
Dream not of today. ~ Jean-Luc Picard
Worried about whether Apple can protect your documents, photos, and everything else that gets stored in iCloud? Read on to find out what Apple really uses to make things secure.
“Hey, Hun… Can you make sure my pics are in the cloud? I took some beautiful shots of my mom and Lilia today, and I just want to make sure they’re there. Thanks,” my wife says before she begins her intense at-home workout routine.

“Sure, Love, but I can tell you they’re already there.”

That’s a quick scene of how things tend to play out in my house when my wife wants to make sure the technology we're using is syncing up all of the precious moments she has captured.

So the question that begs to be asked is: how did I know that her pictures were already in the cloud?

I knew that they were in the “Cloud” because we use Apple’s ultra-convenient iCloud to sync all of our information, but how secure and reliable is iCloud?

Didn’t ‘Celebgate’[3] in 2014 show that Apple was hacked and that iCloud isn't as secure as Apple says it is?
These are great questions, but they are serious and in-depth, and need to be discussed one at a time.
 

Cloud Basics


Before we dive headfirst into the details, let’s quickly go over some foundational knowledge. Here is what iCloud truly is...a room full of servers. It’s owned by Apple, and runs these services: Calendars, Contacts, Bookmarks, Notes, Reminders, Photos, iCloud Drive, Backup, Find My iPhone, Find My Friends, iCloud Keychain, and Mail.

So, it’s just a server? Yep. There’s nothing magical about the “Cloud”. It’s a server that has dedicated services running to keep your digital life in sync across all of your Apple devices (iPhone, iPad, and Mac). You access these services with your AppleID (which is your email) and password.

Apple has made it easy for you to access your portion of iCloud by letting you jump on any device that connects to the Internet and visit “icloud.com”. From there you type in your AppleID, e.g. joeschmoe@gmail.com (it doesn’t have to be an Apple email, just the one you signed up with and use to buy apps in the App Store), and password (which consists of a 12-13 character combination of upper and lowercase letters and special characters).
 

Is it Safe?


Now we can go back to the matter at hand: is Apple’s iCloud secure and safe for you to use?

Since we are dealing with how electronic data travels, let’s have you keep an image in your mind to make it a bit easier to visualize. Let the image be your house, your street, and then Apple’s HQ building in Cupertino. There are actually many more buildings with routers and switches that you go through, but this image will suffice. Also, every time you go down your street (connecting to iCloud.com) you get to ride in the Batmobile. The Batmobile, in this case, is called Secure Sockets Layer (SSL), which is why the address in your browser starts with “https” (the “s” means that you’re riding in the Batmobile, instead of your clunky, unsecured Prius).

Alright, let’s start with the simple process of accessing the information from the Calendar app on your iPhone. You tap the app and up comes your information for each day of the year that you need to remember. By tapping the Calendar app you essentially jumped into the Batmobile, sped down your street (called “In transit”), and skidded (why not) into Apple’s HQ to access your part of the server. The “In transit” part (going from your house down the street to Apple’s HQ) is encrypted, as is the information sitting on the server (information like the birthday event for your significant other).

What is your information encrypted with? 128-bit AES encryption is what Apple uses for all of their services, minus the iCloud keychain, which uses 256-bit AES encryption. 

Isn’t 256-bit AES better than 128-bit AES? Yes, but 128-bit is plenty safe and here’s why. 

That birthday that’s coming up soon will need at least one gift to make it an awesome party, but you’ll need to hide this gift from prying eyes until the big day comes. In 128-bit AES you have the option to hide this gift behind 2^128 doors.

How big is that really?

A brilliant man named Jeffrey Goldberg at AgileBits (the people who made the wildly popular app called 1Password) wrote it out: “three hundred forty undecillion, two hundred eighty-two decillion, three hundred sixty-six nonillion, nine hundred twenty octillion, nine hundred thirty-eight septillion, four hundred sixty-three sextillion, four hundred sixty-three quintillion, three hundred seventy-four quadrillion, six hundred seven trillion, four hundred thirty-one billion, seven hundred sixty-eight million, two hundred eleven thousand, four hundred fifty-six” [1].
What this means is that if your significant other had a billion friends, it would take them 10 quadrillion years to search only half of the doors (by the way, checking every door is what’s called a brute force attack)[1]. In short, your information is safe with 128-bit AES encryption.

Now that your brain hurts, let’s continue on. As I said above, Apple uses 128-bit AES encryption for all services (Contacts, Bookmarks, Notes, Reminders, Photos, iCloud Drive, Backup, Find My iPhone, Find My Friends, and Calendars), and that encryption takes place going from your home, down the street, all the way to Apple’s HQ (this is what Apple means when they say “In transit”)[2]. In addition, all of your information from these services (from your contact named Bob to that photo you took on your iPhone, all of which sync up with your iCloud account on Apple’s server) is encrypted again as it rests on the server waiting for you to make the journey from your home to Apple's HQ.
 

Other Security Features


Apple also uses secure tokens for authentication purposes. For brevity’s sake, think of the secure token as a code word that you would use to get into a speakeasy (those secret clubs during the '20s and '30s). Since we’re not living in the '20s or '30s, your “code word” is your fingerprint. Yep, that’s why Apple gave the iPhone's Home Button the ability to read your fingerprint (it’s called two-factor authentication). Of course, there are other types of secure tokens, but this article would triple in size if I wanted to explain them in detail. Oh, if you have an older iPhone, then the numbers you type in to get into your iPhone (your PIN) are also a type of secure token (meaning, Apple didn’t forget you).

Whew! Now that you understand why your iCloud account is safe, you might ask, “Why does iCloud Keychain use 256-bit AES encryption?” You had to ask, didn’t you?

Well, there are probably a billion different reasons, but I bet my old boss (Mr. Tim Cook) would say “money”. iCloud Keychain is used to house sensitive information like your passwords to all the sites you go to (if you let it store your login information) and most importantly the credit card information you use for payment (again if you allow Keychain to store it). To be brief, Apple loves its customers, understands that no one wants their information stolen, or their hard earned money to be spent on a yacht for some thief to be cruising the Azorean islands on. So, bumping the encryption from 128 to 256 allows for Apple to defend your information against future machines (that hackers will eventually use) that will have quantum computing capabilities (much faster than today’s supercomputers)[1]. 
 

The Weak Link


Wow! So, with all of these secure tokens and 128/256-bit AES encryption, hackers were still able to grab indecent pictures of Hollywood stars from Apple’s servers? Yes and no.

Yes, they (actually one guy) stole the pics, but he didn’t “hack” Apple’s iCloud server by breaking the encryption or cutting off some actor's or actress's pinky finger to scan on their iPhone. He simply did what’s called “Phishing”[3].

This ultimately means he sent one of those fake emails that you’ve seen in your inbox and asked them for their login information. Once he got the info, he logged in with their credentials and stole private photos.

You’ve heard the phrase that a chain is only as strong as its weakest link, right? Well, you (the user) are the weakest link. Apple can give you a Batmobile to drive, a “code word” to use at the door, encrypt your data on their server, and it still isn’t enough protection because you can give it all away. 
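
A defender's view of the phishing step described above, as an added example that is not part of the original article: a Python check of which host a link really leads to before a password is typed. The trusted-domain list, the function name check_link and the sample links are assumptions made up for this illustration.

```python
from urllib.parse import urlsplit

# Assumption of this example: an Apple ID password belongs only on these
# domains and their subdomains. Adjust the tuple for other services.
TRUSTED_DOMAINS = ("icloud.com", "apple.com")


def check_link(url):
    """Return 'trusted' or the reason a link must not get a password."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "unparseable URL"
    if parts.scheme != "https":
        return "not https"
    if parts.username is not None:
        # https://icloud.com@other.example/ connects to other.example
        return "text before @ is not the host"
    if not host:
        return "no host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "internationalized lookalike host"
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "trusted"
    if any(domain.split(".")[0] in host for domain in TRUSTED_DOMAINS):
        return "uses a trusted name inside a different domain"
    return "unrelated domain"


# Constructed sample links (reserved .example names, not real sites).
SAMPLES = [
    "https://www.icloud.com/",
    "https://www.apple.com/",
    "http://www.icloud.com/",
    "https://icloud.com@signin.example/",
    "https://icloud.com.account-verify.example/login",
    "https://icl\u043eud.com/",  # Cyrillic 'o' in place of Latin 'o'
    "https://photos.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_link(link):45} {link}")
```

Only the first two sample links come back as trusted; every other one names icloud.com somewhere in the text or looks harmless, yet the browser would connect to a different host.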

To sum all of this up, iCloud is safe to use. But for the love of goodness, don’t go giving your username or password to anyone.


References

1) Guess why we're moving to 256-bit AES keys, Jeffrey Goldberg - https://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/
2) iCloud security and privacy overview - https://support.apple.com/en-us/HT202303
3) Stealing Nude Pics From iCloud Requires Zero Hacking Skills -- Just Some YouTube Guides, Thomas Fox-Brewster - http://www.forbes.com/sites/thomasbrewster/2016/03/16/icloud-hacking-jennifer-lawrence-fappening-apple-nude-photo-leaks/#1c8a10767b88



 

Comments (6)

Jaime Lewis, Marketing Account Manager

Commented:
How much of the iCloud storage is free?
Justin Pierce, MPS-CRM, CNDA, CEH, Senior Cybersecurity Engineer @ NASA | Certified Ethical Hacker | Combat Veteran

Author

Commented:
Hi Everyone!

5GB Free
50GB $.99/month
200GB $2.99/month
1TB $9.99/month
2TB $19.99/month

I use the 200GB plan. It's more than enough for all of my stuff.
Kyle Santos, Quality Assurance
CERTIFIED EXPERT

Commented:
I use the 50GB $.99/month
I love it.

My setup is pretty sweet too.

On my MacBook I have Photos set to download originals in the cloud and on the MacBook.
On my iPhone I have this setup:
Go to Settings
Photos & Camera
iCloud Photo Library toggled ON
Optimize iPhone Storage checked
Upload to My Photo Stream toggled OFF
iCloud Photo Sharing toggled ON

When I take a photo on my phone, that is eventually (when connected to Wi-Fi) uploaded to icloud.com and to my MacBook. This way my iPhone's storage is not used up and I can manage my photos from my iPhone, Mac or icloud.com. It's quite brilliant that Apple does this and I love how this all works. It can be quite the setup to figure out though!
Jaime Lewis, Marketing Account Manager

Commented:
It sounds pretty great, but if you have family sharing turned on is your music/data/etc automatically synced to all devices on the plan? Or are there specific controls for that?
Justin Pierce, MPS-CRM, CNDA, CEH, Senior Cybersecurity Engineer @ NASA | Certified Ethical Hacker | Combat Veteran

Author

Commented:
Hi Everyone,

If you use Family Sharing you have to set it up in the beginning. You do that by inviting members by name (it searches your Contacts app) or email address (you can create an AppleID for a child if they don't have an email address). Once everything is set up, you, the "Organizer," agree to pay for iTunes, iBooks, and App Store purchases for everyone that's in your Family Membership. The cool thing about Family Membership though is that "all songs, albums, movies, TV shows, books, and apps ever purchased by family members are immediately available to everyone else in the group" (that's all done automatically if they're in your Family group). Here is the skinny on Family Sharing: Link.

To touch on the music sharing, you will need to buy a Family plan ($14.99 a month), which is good for sharing up to 6 people. If you want just music for yourself it will cost $9.99, but for those college students who need music to keep them going, it will cost $4.99. Yep, Apple cares about you Under/Grad students who live off of noodles and PB&J.
