Continuity and Spotlight highlight the need to closely examine where our data goes

On Monday, I dutifully installed iOS 8.1 to enable Apple Pay on my iPhone 6, intending to test it out later in the day. (Spoiler: I did not.) This also let me turn on Continuity, the suite of seamless connection features between iOS and Mac OS X devices signed into the same iCloud account. My mid2011 MacBook isn't capable of Handoff and Instant Hotspot, but it can manage SMS forwarding and phone calls.

Later in the day, three seemingly unrelated events occurred. First, I logged into Twitter in a browser that wasn't currently authenticated, and because I have two-factor authentication (2FA) enabled, Twitter sent me a text message after I successfully entered the password--and it appeared on my Mac, as Apple advertised. Huh, I thought.

Second, I read a detailed account of the information that Yosemite sends Apple for Spotlight suggestions, which could provide enough detail to pinpoint an individual, and associate search terms and other factors with a user. Rrrrmmm.

Third, in the evening, The New York Timesreleased a story about a man-in-the-middle attack in China against Chinese users to swipe login information from iCloud users following the release of the latest iPhones. Humphf.

Taken at face value, these are three unrelated issues: a reduction in security for SMS-based 2FA, a leak of private data, and an attempt to disrupt the integrity of a secure connection. I'm neither going to spin conspiracy theories nor misstate the severity of any of these things.

Rather, I want to highlight how we should always examine new paths of information, and not offer a knee-jerk dismissal of associated concerns. Because our digital identifiers are so easily spread, stolen, and misused, anything that changes where data is sent--or how it's interrupted--should be examined thoughtfully.

Take SMS forwarding. Most of the two-step/two-factor systems used in business require a hardware token, an authentication app, or specialized software to produce the second factor that validates a login. (See last week's column for more background on these two-part logins, and I'll be writing more in the future about them as well.)

Twitter is an exception with a footnote. When you enable its version of 2FA, "login verification," you can opt between having an SMS message sent with a code each time or using the Twitter app (in iOS or Android) to confirm your login. I've opted for SMS, because I prefer to not even have the Twitter app installed, and many people I know are in the same boat. (SMS can also be useful if you lose a phone or are restoring one, before you complete the loop to install and verify the login within the Twitter app!)

A common rubric of two-factor authentication is combining something you know (a password) with something you have, typically a physical device that generates or receives a unique token or that, by mere possession and unlocking, you prove ownership and can verify at least that you have the physical thing. Apple's "trusted device" model for iCloud two-step logins qualifies: you have to have an iOS device that you can unlock to view the code. Apple also lets you, however, choose to send a SMS code instead of using a trusted device. (A third kind of factor, something you are, relies on biometrics.)

It troubled me, therefore, to see the SMS message with my Twitter second-factor verification code appear on my Mac, even though the Mac is something I have, because prior to SMS forwarding, such text messages only appeared on a single device: my iPhone, which I carry with me or have nearby always. If I am logging in from a Mac and the code appears on the same Mac, albeit through a different path, have I subverted some or all of the benefits of the second factor?

Apple's implementation of SMS forwarding allows all logged-in iCloud accounts, no matter on what network they are, to receive the SMS message. The way in which an iPhone or other iOS device will signal receipt will vary depending on your alert settings and whether Messages in OS X is the frontmost app.

Where it gets complicated is only in cases in which someone manages to obtain my password (what I know) and can also have access to my computer (what I have) in an unlocked state while I'm not in proxmity. While all other Continuity features require either a Bluetooth connection or to be on the same local Wi-Fi network, SMS forwarding works whenever your phone and any other device have access to the Internet. That would seem to magnify the risk--that the computer and phone could be half a planet apart.

But in practice, it's hard to imagine a scenario in which that's an issue unless you give someone your password, have written it down, or left it in a readable place on your computer and routinely leave your computer in an unlocked state, where a roommate, partner, child, or parent--or burglar or thief--could gain access.

In any scenario in which that was true, it's easy to make sure you don't fall victim to it: don't share your password or make it available in any easy to find way; and in Security & Privacy, set Require Password to a low interval. (Remember that it's your sleep or screen saver delay, whichever is less, plus the interval after Require Password before the computer is locked.) I also always recommend using Find My Mac and FileVault for remote locking and data encryption.

The other two Monday situations were of a different nature. The "fix macosx" folks examined the kind of data that Yosemite sends in its default installation to improve search results for the new integrated Spotlight. Again, the situation isn't necessarily surprising or disturbing, except for three elements: sending user information is on by default; disabling it requires at least two settings; and Apple didn't disclose enough information as it provided a heaping of additional detail to the Verge after the "fix macosx" site went up.

Apple's fuller explanation assuages fears, but doesn't explain why one has to turn off as many as three settings, including Location Services, and why it wasn't so elaborate in its user disclosure. As Caitlin McGarry wrote a couple of days ago, "Apple is wading into sensitive territory with new features in Yosemite and iOS 8 and on new iPhones.... The company has to prove it can be trusted with search results if people are going to hand over more personal data."

One could argue that Apple should offer a skippable, simple tutorial before it enables the sending of information that would inform users precisely what it's sending. (In brief, it attaches "blurred" location information and other data to a token that it says persists no longer than 15 minutes, and doesn't retain IP addresses.)

Should we have just shaken our head at the original report and said, we're sure Apple is doing everything right? Absolutely not, an opinion aided by its need to more fully disclose.

Finally, the attempt, likely by the Chinese government, to intercept iCloud authentication sessions would seem unrelated, but it ties into one part of this pattern of needing to observe and be aware in our risky world. The subversion attempt uses a man-in-the-middle (MitM) attempt with privileged network resources that stand between a user and Apple's servers. But because of Apple's encryption, that MitM can only present a forged Web security certificate.

As Apple notes in a page it posted to help people understand the problem, an invalid certificate produces an error in browsers that shouldn't be bypassed. Over time, browser makers have made it more complicated to accept an invalid certificate as both the risk and the actuality of MitM attacks has grown.

If we are trained to ignore security red flags, we might see these warnings and think, "Oh, it's the Internet. I'm just going to click click click to bypass these alerts, because I'm trying to get something done."

We can't let ourselves be lulled into complacency; we need Apple and others to highlight the security implications of any changes so that we all--the technically minded and average user alike--continue to pay attention.

Join the CSO newsletter!

Error: Please check your email address.

Tags SpotlightAppleiCloudsecuritycontinuityprivacyApple Pay

More about Apple

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Glenn Fleishman

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place