With Apple expected to unveil its new generation of iPhones next week, the tech firm is on a quest to turn your smartphone into a universal remote control for your life: Want to open your garage door, set your thermostat or look over the stats for your weekly workout? Your iPhone can handle it.
But just as the company wants consumers to let their smartphones run more aspects of their lives, Apple is facing a backlash from the recent news that hackers were able to obtain and publicize photos from a handful of celebrities’ iPhones — raising new questions about how much users can trust their most sensitive data with not just Apple but other companies, as well.
The promise of a more convenient, wired life is now showing a darker side, with constant reports of breaches and hacks. And security experts say that companies are routinely rolling out new enticing features and products without first firming up the security of the data consumers are giving up in exchange.
“In a lot of cases, consumers don’t understand that when they slide a button one way or the other that they’re agreeing to upload all their data,” said Dennis Fisher, security evangelist for Kaspersky Lab, an anti-virus and Internet security software firm. “It’s all getting very, very convoluted and complex.”
Having a company run your thermostat remotely and track something like your electricity usage may seem like a neat feature that doesn’t reveal a lot of sensitive information about you. But criminals could, for example, use those trends to figure out when you’re home and when you’re on vacation. Consumers — and often, companies — rarely think about how personal even simple data can be.
Apple said in a statement Tuesday that none of the cases related to the hacking of celebrities over the weekend “resulted from any breach in any of Apple’s systems.”
Among security experts, the iPhone, iPad and Mac are actually considered fairly secure from viruses and hackers.
But even before the hacked celebrity photos, some were criticizing Apple for not doing more to protect its users’ information in the cloud. The firm, for example, offers users some more advanced security options to protect their iTunes purchases but doesn’t extend the same protections to iCloud.
Shortly before news of the hack broke, Apple instituted protections against “brute-forcing” attacks, in which criminals try to obtain a user’s information by flooding an account with trial and error attempts to guess the correct username and password. There’s been no evidence that that weakness led to the pictures being leaked, but prominent security experts say it’s a strong possibility.
The news has nevertheless taken a toll on Apple’s standing on Wall Street less than a week before its Sep. 9 launch event; the stock dropped more than 4 percent Wednesday.
At the event, Apple is expected to launch two new iPhones with larger screens to compete with smartphone makers such as Samsung. Along with any phones, Apple is also expected to announce a release date for its new mobile operating system, iOS 8, which features two new cloud platforms — HealthKit and HomeKit — which will serve as central hubs for data gathered by apps that collect fitness data and information from smart appliances.
Apple has taken some notable steps to protect particularly sensitive data. For example, HealthKit data will be stored only in encrypted form on Apple devices, rather than in the cloud. The company forbids developers from using either HealthKit or HomeKit data in advertisements. And it’s also strict in reviewing apps on its store, saying Wednesday that it will reject apps that could threaten user security or that even feel “creepy.”
But the company is far more reluctant than its competitors to speak with outside experts about its cloud security practices, making it difficult to objectively determine how secure its services are. That reluctance also limits its chances to head off vulnerabilities before they turn into hacks, as Google and Microsoft do, researchers said.
“Apple has to be more open to the security community,” said Alexey Troshichev, founder of the Russian security firm HackApp, who first identified the brute force weakness.
If Apple, the most valuable company in the world, prized security more highly, it could effect real change in the consumer tech world, experts said, particularly as more everyday items such as watches, washers and running shoes collect more data. “If they really got in front and led on this . . . it would be great for consumers,” Fisher said.
So what, exactly, is keeping Apple from making its services more secure?
It could be as simple as the fact that it’s hard to make security easy for the average person to understand, said Lorrie Cranor, a professor at Carnegie Mellon University who focuses on privacy and usability.
Apple prides itself on making simple products, and security is often anything but straightforward. It might take a really big problem to get any company to devote the resources to making secure services that are also easy for anyone to use. Cranor noted, for example, that it took the revelation that the National Security Agency was tapping into consumer technology firms for data to get companies such as Google and Yahoo to encrypt their information by default — something security experts have advocated for years.
“If Apple is concerned that people won’t buy their products because they won’t trust them, then they will have the incentive to fixing this problem,” she said. “I can only guess that they’ve done the calculation and decided it’s not that big a deal yet.”