No More iPhone Thefts: Apple’s Security Changes to Protect Users
By Fred Wilson, a cybersecurity expert and an avid iPhone user.
If you are an iPhone user, you probably know how valuable your device is. Not only does it store your personal data, photos, contacts, and messages, but it also connects you to the cloud, where you can access your iCloud, Apple ID, iMessage, and other services. But what if someone steals your iPhone, or worse, hacks into your cloud account and accesses your data without your knowledge? How can you protect yourself from these threats?
Fortunately, Apple has recently introduced some new security features that aim to protect its users from iPhone thefts and cyberattacks. These features offer you important new tools to safeguard your most sensitive data and communications from highly targeted cyberattacks, such as those from private companies developing state-sponsored mercenary spyware. In this article, I will explain what these features are, how they work, and why they are beneficial for you.
What is iMessage Contact Key Verification?
One of the most popular features of the iPhone is iMessage, which allows you to send and receive encrypted messages, photos, videos, and audio with other iPhone users. iMessage uses end-to-end encryption, which means that only you and the person you are communicating with can read or view the content of your messages. No one else, not even Apple, can access or decrypt your iMessage conversations.
However, end-to-end encryption is not enough to protect you from sophisticated adversaries who may try to compromise your iMessage account. For example, if an attacker manages to breach Apple’s cloud servers and insert their own device into your iMessage account, they could potentially eavesdrop on your encrypted conversations. This is known as a man-in-the-middle attack.
To prevent this from happening, Apple has introduced a new feature called iMessage Contact Key Verification. This feature allows you to verify that you are communicating only with whom you intend, by receiving automatic alerts if an exceptionally advanced adversary were ever to succeed in breaching cloud servers and inserting their own device to eavesdrop on your encrypted communications.
How does iMessage Contact Key Verification work?
How does iMessage Contact Key Verification work? When you start a new iMessage conversation with someone, your device generates a unique cryptographic key pair, consisting of a public key and a private key. Your public key is shared with the person you are messaging, and their public key is shared with you. Your device then uses these public keys to encrypt and decrypt the messages you send and receive. Your private key is never shared with anyone, and it is stored securely on your device.
However, if an attacker somehow manages to add their own device to your iMessage account, they will also generate a new key pair and share their public key with you and the person you are messaging. This means that they will be able to intercept and decrypt your messages, without you or the person you are messaging noticing anything.
To prevent this, iMessage Contact Key Verification allows you to verify the public keys of the devices that are associated with your iMessage account. You can do this by scanning a QR code or comparing a numeric code that is displayed on your device and the device of the person you are messaging. If the codes match, it means that you are communicating with the correct device. If they don’t match, it means that there is an unauthorized device in your iMessage account, and you will receive an alert.
By using iMessage Contact Key Verification, you can ensure that your iMessage conversations are secure and private, and that no one can spy on them.
What are Security Keys for Apple ID?
Another feature that Apple has introduced to protect its users from iPhone thefts and cyberattacks is Security Keys for Apple ID. This feature enables you to require a physical security key to sign in to your Apple ID account, providing an additional layer of protection against phishing or social engineering scams.
What is a security key? A security key is a small device that you can plug into your computer or smartphone, or use wirelessly, to authenticate yourself when you sign in to an online service. A security key works by generating a unique code that is valid only for a specific service and a specific device. This code is used to verify your identity and prevent anyone else from accessing your account.
Why do you need a security key? A security key is a more secure way of authenticating yourself than using a password or a one-time code sent to your phone or email. Passwords can be guessed, stolen, or reused, and one-time codes can be intercepted, spoofed, or bypassed. A security key, on the other hand, cannot be copied, hacked, or phished, and it requires your physical presence to use it.
How do Security Keys for Apple ID work?
To use Security Keys for Apple ID, you need to register one or more security keys with your Apple ID account. You can use any security key that supports the FIDO2 standard, which is an open and interoperable protocol for strong authentication. You can also use your iPhone or iPad as a security key, by enabling the Find My feature on your device.
Once you have registered your security key, you can use it to sign in to your Apple ID account on any device that supports security keys, such as a Mac, an iPhone, an iPad, or a Windows PC. When you sign in, you will be asked to insert your security key, or tap it if it is wireless, or unlock your iPhone or iPad if you are using it as a security key. You may also be asked to enter your password or a PIN, depending on your settings.
By using Security Keys for Apple ID, you can prevent anyone from accessing your Apple ID account, even if they have your password or your phone. This way, you can protect your iCloud, iMessage, App Store, Apple Pay, and other Apple services from unauthorized access.
What is Advanced Data Protection for iCloud?
The third feature that Apple has introduced to protect its users from iPhone thefts and cyberattacks is Advanced Data Protection for iCloud. This feature uses end-to-end encryption to provide Apple’s highest level of cloud data security, allowing you to further protect important iCloud data, including iCloud Backup, Photos, Notes, and more.
What is end-to-end encryption? End-to-end encryption is a method of encrypting data that ensures that only you and the intended recipient can access it. No one else, not even the service provider, can access or decrypt your data. End-to-end encryption is different from standard encryption, which only encrypts data in transit and at rest, but still allows the service provider to access and decrypt your data.
Why do you need end-to-end encryption? End-to-end encryption is essential for protecting your data from hackers, thieves, or government agencies that may try to access your data without your consent. Standard encryption may not be enough to protect your data from these threats, as the service provider may be compelled, coerced, or hacked to hand over your data or the keys to decrypt it. End-to-end encryption, on the other hand, ensures that only you have the keys to decrypt your data, and that no one can access your data without your permission.
How does Advanced Data Protection for iCloud work?
To use Advanced Data Protection for iCloud, you need to enable it in your iCloud settings on your iPhone, iPad, or Mac. You can choose which iCloud data you want to protect with end-to-end encryption, such as iCloud Backup, Photos, Notes, Contacts, Calendars, Reminders, and more. You can also choose to protect your iCloud Keychain, which stores your passwords and credit card information, with end-to-end encryption.
Once you have enabled Advanced Data Protection for iCloud, your iCloud data will be encrypted on your device before it is uploaded to the cloud, and it will be decrypted on your device after it is downloaded from the cloud. Your encryption keys will be stored securely on your device, and they will never be shared with Apple or anyone else. You will also be asked to create a Recovery Key, which is a long and random code that you can use to access your iCloud data in case you lose your device or forget your password.
By using Advanced Data Protection for iCloud, you can ensure that your iCloud data is safe and secure, and that no one can access it without your knowledge or consent.
Conclusion
Apple has always been committed to protecting its users’ privacy and security, and the new features that it has introduced are a testament to that. By using iMessage Contact Key Verification, Security Keys for Apple ID, and Advanced Data Protection for iCloud, you can protect yourself from iPhone thefts and cyberattacks, and enjoy the benefits of Apple’s cloud services without compromising your data. These features are available for all iPhone users with iOS 15 or later, and they are easy to set up and use. If you are an iPhone user, you should definitely take advantage of these features and enhance your security today.
Summary Table
| Feature | Description | Benefit |
|---|---|---|
| iMessage Contact Key Verification | Allows you to verify the public keys of the devices that are associated with your iMessage account, and alerts you if there is an unauthorized device. | Prevents man-in-the-middle attacks on your iMessage conversations. |
| Security Keys for Apple ID | Enables you to require a physical security key to sign in to your Apple ID account, providing an additional layer of protection against phishing or social engineering scams. | Prevents unauthorized access to your Apple ID account and services. |
| Advanced Data Protection for iCloud | Uses end-to-end encryption to provide Apple’s highest level of cloud data security, allowing you to further protect important iCloud data, including iCloud Backup, Photos, Notes, and more. | Prevents anyone from accessing your iCloud data without your permission. |
