The increasingly cloud-centric design of Apple's iPhone 6 and 6 Plus – and their owners' increasing use of the devices to store all kinds of personal information – will increasingly make them targets for cyberthieves seeking to exploit security loopholes, security firm ThreatMetrix has warned.
The new models – which have set Apple sales records after the company received 10 million preorders within the first few days after the launch – are heavily dependent on iCloud, which ThreatMetrix chief products officer Alisdair Faulkner said in a statement is “like a remote control for users' lives.”
“Consumers making the switch to the iPhone 6 should be aware of the pros and cons of doing so,” Faulkner continued. “Consumers need to be mindful that the data they sync to iCloud is now likely only protected by a weak username and password combination.”
Exploitation of those credentials could prove problematic for iPhone 6 adopters.
“If a hacker gains access to a username and password, which is often shared across sites,” he added, “they can use the Find My Phone feature to not only disable Apple Pay purchasing from your device, but also get access to backup photos and remotely delete and reset your password as well.”
Last month, weaknesses in Apple's iCloud authentication methods led to the high-profile extraction and publication of large numbers of compromising photos from dozens of celebrities' iCloud accounts.
An “outraged” Apple responded fiercely to the compromise and has subsequently introduced two-step verification for iCloud account users – even as [[xref:http://www.cso.com.au/article/554219/russian-made-tool-grabs-nude-selfies-from-icloud-accounts/ |tools emerge for automating the extraction of photos from iCloud backups.
Despite the availability of stronger protections for those willing to upgrade to two-factor authentication, however, the advisory warned that few consumers are likely to do so because such measures involve inconvenience and added effort.
ThreatMetrix also fingered the new financial functionality added into Apple's iPhone 6 – specifically, the expanded capabilities of Apple's Passbook application and the Apple Pay payments ecosystem that will emerge in the US next year – as potential weak spots in the devices' profiles, although Passbook's secure information-storage approach was heralded as a “net positive for transaction security”.
Cybercriminals are likely to shift their efforts from retail channels to online channels as widespread adoption of Apple Pay helps secure conventional transactional streams, but the iPhone 6 devices' collection of health-related information was also fingered as a potential weak spot.
Privacy concerns about the bundled HealthKit software would also prove tricky for users, ThreatMetrix noted: although Apple was encrypting and storing the health metrics in its phones, the analysis warned that “there may be future business pressure to better monetize Apple's iAd network....consumers do not have good ways of ensuring their data remains protected once data is stored off their phone.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.
- The week in security: OAIC promotes breach notification as Apple, Google hit
- Here are the limits of Apple's iOS 8 privacy features
- Apple's iOS 8 fixes enterprise Wi-Fi authentication hijacking issue
- Apple pulls iOS 8.0.1 update after crippling phone, Touch ID
- The week in security: Snapchat, Dropbox deny culpability for photo, account leaks
- Security tools taking too long to detect new malware, analysis warns