Apple keeps constant log of phone calls in iCloud, security firm says

“Apple has a hidden feature for you in its iPhones: call logs going back as far as four months are stored in near real-time in the iCloud,” Thomas Fox-Brewster reports for Forbes. “That’s the warning today from a Russian provider of iPhone hacking tools, Elcomsoft, which claimed the feature was automatic and there was no way to turn it off [except for] shutting down iCloud Drive altogether.”

“Whilst it was well-known that iCloud backups would store call logs, contacts and plenty of other valuable data, users should be concerned to learn that their communications records are consistently being sent to Apple servers without explicit permission, said Elcomsoft CEO Vladimir Katalov. Even if those backups are disabled, he added, the call logs continue making their way to the iCloud, Katalov said,” Fox-Brewster reports. “‘Syncing call logs happens almost in real time, though sometimes only in a few hours,’ he added. ‘But all you need to have is just iCloud Drive enabled, and there is no way to turn that syncing off, apart from just disabling iCloud Drive completely. In that case many applications will stop working or lose iCloud-related features completely.'”

Fox-Brewster reports, “Apple said the syncing did exist, a spokesperson explaining: ‘We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices. Apple is deeply committed to safeguarding our customers’ data. That’s why we give our customers the ability to keep their data private. Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.'”

“Jonathan Zdziarski, a noted iOS forensics expert, told FORBES he believed Elcomsoft’s find was new and of concern, but was likely down to Apple oversight,” Fox-Brewster reports. “Zdziarski said the research should give Apple further encouragement to add proper end-to-end encryption to the iCloud.”

Read more in the full article here.

MacDailyNews Take: The sooner Apple moves iCloud to end-to-end encryption, the better.

11 Comments

  1. Yeah. End-to-end encryption is needed, ASAP. One of the places Democrats and Republicans largely agree is that federal agencies should be allowed to spy on Americans. And, that is NOT one of the areas where “rebel” Trump disagrees with the establishment. From what he’s said, he’d push it even harder.

  2. …And that’s not all! For anyone who uses Apple mail and does a clean install, guess what they find under “Previous Recipients”? Answer: The names and e-mail addresses of everyone with whom they’ve ever exchanged e-mail, despite the user “deleting” these names and e-mail addresses. Don’t let Apple fool you: They are like every company: Gathering information for the government while feigning righteous indignation over privacy rights! Yeah, right! When I think of Apple, I can’t help but be struck by the irony of its famous Super Bowl commercial about 1984. For anyone who thinks Apple isn’t collecting data on you, I have some prime swampland for sale.

  3. Cue the Apple apologists who think that Apple cares about your privacy. iCloud is just like any other rented server — as soon as you put your data in someone else’s hands, it will be datamined.

    Apple claims to secure your data, but iCloud users don’t actually know how, or when, the many loopholes in the user contract kick in.

  4. I have yet to hear a case where Apple handed over iCloud information to any government entity without a fight (and full public disclosure). I do remember that there were instances where government came with a warrant, and where data wasn’t encrypted, they complied, and those cases are fully documented.

    Be that as it may, as suggested above, full, end-to-end encryption, same as in iOS now, should be the only way Apple can stay consistent with their claims of protecting the privacy of the consumers.

    As for call, contact and other private data in the cloud, so far, Apple has led us to believe that nobody but Apple (and the actual consumer) ever gets to see or use that data, not even in aggregate. Unlike Google, for whom their users are their product which they sell to their paying customers (advertising networks), for Apple, the user is the actual paying customer, so there should be no need to sell any customer information to anyone. So far, nothing suggests that Apple had been doing that.

    1. Predrag, Apple’s official policy is that, when given a subpoena, they deliver what data they can. That includes entire iCloud backup files, which they can and do decrypt. That’s why end-to-end encryption is needed. They would then be able to honestly say “we can’t decrypt it for you.”
      Furthermore, subpoenas and especially National Security Letters often come with a restriction where the company is forbidden from telling the public that data was collected. Apple’s hands are tied there, at least until they build in end-to-end encryption. That’s why it’s so important.

      The bad news is that it is possible for a (stupid/evil) government to outlaw end-to-end encryption. That could really throw a wrench into things.

  5. Like this is news?

    Every land line phone and cell phone provider has a log of every call you’ve ever made. The difference is Apple will not hand any collected information easily and surely not without a court order. As for the rest of the companies…..whenever anyone asks.

    1. You imagine a difference where there is none. It is amazing how much faith is given to Apple when there isn’t a shred of evidence to indicate that Apple does anything different with your files than any other cloud purveyor or telecommunications company.

      Go ahead and pull up videos showing the baseless claims that Cook makes about Apple respecting user privacy — he talks a great game. But that’s just show. This is the same dude who has an impressive pipeline that he raves about too. Real trustworthy. What does the user agreement say? It is comprehensive: all that you upload belongs to Apple.

      Then Apple rents servers from Amazon, Google, and others. You assume it’s encrypted, but you can’t actually prove it, and since you didn’t encrypt it, why would you assume that Apple doesn’t hold the keys to open anything of yours on the iCloud, and use it to their profit? That is all Apple does these days, maximize profit. Users be damned.

  6. And so people get uppity on something that has been happening for years, elsewhere. I tend to believe this is a part of a service, Apple is providing to me, instead of the government.

    This is effectively meta data. We all know what happens to meta data.

  7. Ah yes I’ve noticed this. When I travel, I keep my home SIM card in a 4S at home while I take my 6 away with me. If I get a call on my 4S back home, the logs are synchronised across all my devices.

    I can see the rationale, perhaps the implementation needs to be improved.
