iCloud leaks: Why the Lock-In might be the most dangerous tech idea

Cristián González
4 min read · Sep 2, 2014

The recent leaks of celebrity photos expose the ugly side of “one account for all” services

The recent celebrity nude photo leak drew attention to a very unfortunate iCloud vulnerability that allowed (until it was quickly fixed) someone with only modest “hacking” skills to brute force any iCloud password, prompting Kirsten Dunst to tweet an ironic “Thank you iCloud” that got 6K retweets. Here’s why the tight integration of everything into the OS is a bad idea, and how you can protect yourself from being the next Jennifer Lawrence.

Some day a hacker could rob your house

At the last WWDC (the biggest gathering of Apple developers) the plan of making every part of your tech life controlled by a single service began to take shape: the company launched HomeKit and HealthKit, two components of Apple’s operating systems that allow “Internet of Things” hardware manufacturers, such as makers of Wi-Fi door locks and wearable devices, to upload and control users’ information through iCloud accounts.

If you are an Apple enthusiast, the same account technology that was compromised in the infamous leaks is the one that will keep your home safe from burglars and your health in check. This event should turn people against the “one service for all” philosophy, but as Hacker News user herghost pointed out, people still use PlayStation Network even after their credit card records leaked.
With rumors of Apple talking to Visa and American Express about a new iCloud wallet service, the ecosystem will be complete, and a new vulnerability could not only leak your nude photos but literally give access to your whole life.

Another particularly scary technology by Apple is the iCloud Keychain service, which advertises “security” and “cryptography” by generating different, strong passwords for every site and managing them in the cloud, again accessible through your iCloud account.

While in principle having a different password for every service is a good idea, it is even worse to have all your passwords accessible with just one password that lets you remotely download them all. So if any of these celebrities used the iCloud Keychain service, they also exposed the passwords to their bank accounts, e-mail and even social media, unless they used the two-factor authentication option, which isn’t enabled by default.

So why do people in Cupertino think this is a good idea? As Jaron Lanier points out, it might be because of the Lock-In strategy that fuels the war between Google and Apple. By having users rely on one single company to store and back up their photos, documents, passwords, and basically their entire digital lives, those users will probably choose the same OS for every future device they purchase. Also, by doing this the company prevents smartphones and every other gadget in the “ecosystem” from becoming a commodity, so it can control the prices of both the hardware and the storage capacity of cloud accounts, which by market reference are way overpriced. Lock-Ins also mean that your purchased books, music and TV shows are not compatible with Google’s (and theirs are not compatible with yours). So in the end, Lock-Ins do not give users any benefit or security and are just a mechanism for price control.

How to protect yourself

These are some basic tips for security. Of course there are more sophisticated techniques, but these are better than the Average Joe’s:

  1. Do not use your primary e-mail address to log in to important accounts: the iCloud brute force attack was only possible if the attacker knew the victim’s e-mail address. This can be obtained very easily unless you create a separate account just to log in to important services like banks or social media.
  2. Even better is to use a catch-all account: that is, a domain name where every possible recipient address leads to one inbox; for example, purple@cristiangk.com would be for my Twitter account and orange@cristiangk.com for my bank account. Both of them land in a single inbox, so you won’t have to log in to different accounts. A catch-all can be easily created with Google Apps for Business.
  3. Never use the auto-fill password services provided by Apple or Google: choose third-party, more specialized software like 1Password.
  4. Levels: if you don’t like 1Password and would rather use your trusty old brain, create “password levels”. A “level one” password is used for your most important stuff (bank, social services, e-mail), “level two” for your social media accounts and “level three” for everything else. You can always recover levels two and three from your level-one account, so you’ll be safe if you forget them.
  5. Every device should have a wake-up code or password. If one of them gets stolen, sensitive information about you can be obtained and used to guess passwords. For example, if your backpack is stolen with your phone and computer in it, your Gmail account can be recovered via SMS.
  6. Your Wi-Fi password should not be a dictionary word. Actually, no password should be a dictionary word, but people sometimes forget that Wi-Fi is also on the attackers’ food chain. Even worse, the attack can be made from across the street. It does not matter if you use the strongest WPA2 encryption: a brute force attack on a weak password can be done in a matter of minutes, and the devices connected to your network are exposed if they have unpatched vulnerabilities.
  7. Having a strong password is not just a matter of adding numbers and symbols.
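As an added example (not from the original article), here is a small Python password check that applies tips 6 and 7: it undoes the usual digit/symbol substitutions before comparing against a word list, so “P@ssw0rd1!” is rejected as the dictionary word it really is, and then applies a crude length and alphabet-size estimate. The word list and thresholds are constructed for illustration; a real deployment would load a large list of common passwords.

```python
import math
import re

# Constructed stand-in for a real wordlist of common passwords.
COMMON_WORDS = {
    "password", "letmein", "welcome", "dragon", "monkey", "football",
    "qwerty", "iloveyou", "sunshine", "princess", "admin", "cristian",
}

# Keyboard substitutions that add symbols without adding strength.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "+": "t",
})

MIN_LENGTH = 12   # constructed policy values
MIN_BITS = 60.0


def normalize(password: str) -> str:
    """Strip leading/trailing digits and symbols, then undo substitutions.

    'P@ssw0rd1!' -> 'p@ssw0rd' -> 'password'
    """
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET_MAP)


def estimate_bits(password: str) -> float:
    """Crude upper bound: log2(alphabet size) per character for the classes used."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33
    return len(password) * math.log2(size) if size else 0.0


def check_password(password: str) -> str:
    """Return 'ok' or the first reason the password is rejected."""
    if normalize(password) in COMMON_WORDS:
        return "dictionary"      # dressed-up wordlist entry, symbols or not
    if len(password) < MIN_LENGTH:
        return "too short"
    if estimate_bits(password) < MIN_BITS:
        return "low entropy"
    return "ok"
```

Note that the estimate treats a long passphrase of dictionary words as strong; a cracker with a phrase list would do better than the per-character bound suggests, so the thresholds here are a floor, not a guarantee.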

Cristián González

Co-Founder of mego, a small videogame studio with big ideas. From Santiago, Chile. Also very annoying when drunk.