Apple unveils new cybersecurity measure for iMessage, iCloud and more

Apple announced several new security features designed to better protect users from an array of emerging threats. 

On Wednesday, the tech giant unveiled three new features: iMessage Contact Key Verification, Security Keys for Apple ID and Advanced Data Protection for iCloud.

The new features for iMessage will allow users to verify that they are only sending messages to the intended person and the Apple ID tool will give customers the chance to mandate that a physical security key is needed to sign into their Apple ID account.  

Advanced Data Protection for iCloud will allow users to deploy end-to-end encryption on iCloud data, including iCloud Backup, Photos, Notes, and more.

“As threats to user data become increasingly sophisticated and complex, these new features join a suite of other protections that make Apple products the most secure on the market: from the security built directly into our custom chips with best-in-class device encryption and data protections, to features like Lockdown Mode, which offers an extreme, optional level of security for users such as journalists, human rights activists, and diplomats,” the company said.

“Apple is committed to strengthening both device and cloud security, and to adding new protections over time.”

Advanced Data Protection for iCloud is available in the U.S. now for members of the Apple Beta Software Program, and will be available to all U.S. based users by the end of the year. The feature will roll out for the rest of the world in early 2023. 

iMessage Contact Key Verification and Security Keys for Apple ID will both be available globally at some point in 2023. 

The company also provided a more granular examination of the tools in its platform security guide alongside data breach research from MIT Sloan School of Management Dr. Stuart Madnick. 

The study notes that the total number of data breaches more than tripled between 2013 and 2021, exposing 1.1 billion personal records across the globe in 2021.

Apple said that while the iMessage Contact Key Verification is available to everyone, it is targeted at users who “face extraordinary digital threats — such as journalists, human rights activists, and members of government.”

The feature gives a second level of verification that they are messaging only with the people they intend. While Apple noted that the vast majority of people will never be targeted by highly sophisticated cyberattacks, the tool is an extra layer of security for those who may be.

“Conversations between users who have enabled iMessage Contact Key Verification receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications,” Apple explained.

“And for even higher security, iMessage Contact Key Verification users can compare a Contact Verification Code in person, on FaceTime, or through another secure call.”

Security Keys for Apple ID was designed for more high-profile users who face “concerted threats to their online accounts, such as celebrities, journalists, and members of government.”

More than 95% of active iCloud accounts already have two-factor authentication but the security keys offer people another layer of protection – requiring a hardware security key as one of the two factors.

The feature was built to withstand phishing scams, preventing anyone from obtaining a person’s second factor. 

Ivan Krstić, Apple’s head of Security Engineering and Architecture, said Advanced Data Protection is Apple’s “highest level of cloud data security” and gives users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.

For those who opt in, Advanced Data Protection keeps most iCloud data protected even in the case of a data breach in the cloud, according to Apple. The platform already uses end-to-end encryption by default for 14 data categories like passwords and health data. But the new program expands the feature to 23 data categories including iCloud Backup, Notes, and Photos.

The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems, Apple said. 

“We constantly identify and mitigate emerging threats to their personal data on device and in the cloud,” said Craig Federighi, Apple’s senior vice president of Software Engineering. 

“Our security teams work tirelessly to keep users’ data safe, and with iMessage Contact Key Verification, Security Keys, and Advanced Data Protection for iCloud, users will have three powerful new tools to further protect their most sensitive data and communications.”

In July, Apple previewed a hardened “Lockdown Mode” that’s designed to thwart sophisticated attackers, including spyware sold to governments. Several spyware makers have marketed tools designed to break into iPhones and steal sensitive data.

Apple filed a lawsuit last year against NSO Group, the Israeli company behind Pegasus, a powerful spyware and surveillance platform capable of infecting and taking over even the most secure and up-to-date iPhones.

Apple cited the repeated abuse of this tool to breach and spy on innocent victims by oppressive regimes.

“Researchers and journalists have publicly documented a history of this spyware being abused to target journalists, activists, dissidents, academics, and government officials,” the company said.

Tanium's Melissa Bischoping called the changes a "step forward in meeting industry best-practices for modern security and privacy" and explained that keep iMessage and iCloud "competitive with other privacy-focused messaging solutions."

"The Apple userbase is vast, and while these protections are of key interest to those in sensitive positions like activists, journalists, and political/government employees, the benefits are also valuable as regular consumers continue to see their data stolen," she said.

UPDATE: The FBI told reporters from the Wall Street Journal that it opposed several of the changes announced by Apple.

The FBI said it "continues to be deeply concerned with the threat end-to-end and user-only-access encryption pose."

"This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime and terrorism," the FBI said.

"End-to-end and user-only-access encryption erodes law enforcement's ability to combat these threats and administer justice for the American public."

The FBI went on to claim that it needs "lawful access by design" in order to conduct investigations.

New: FBI responds to Apple’s encryption announcement today, says it needs “lawful access by design” in tech to do its job effectively pic.twitter.com/Acjt1ag2NZ

— Dustin Volz (@dnvolz) December 8, 2022