CYFOR Blog

Apple has announced new security measures amid a surge in cyber-attacks while also addressing privacy issues over their AirTags. What does this mean from a digital forensics perspective?

Apple has recently announced an update of security and privacy improvements to help people protect their data from cyber threats, including one that privacy advocates have long pushed for. The company will soon allow users to choose to secure more of the data backed up to their iCloud storage account using end-to-end encryption, meaning only the user will be able to access the information, safeguarding it from hackers as well as government agencies. Companies such as Apple have become an increasingly appealing entities for hackers and law enforcement alike due to the vast amounts of personal information they hold.

In recent years there has been a spike in global cyber-attacks and data breaches. In the first quarter of 2022, there were 404 publicly reported data breaches, up 14% from the same quarter in the previous year, according to a report from the Identity Theft Resource Center (ITRC). There was a 68% total increase in data breaches between 2020 and 2021. According to the company’s latest transparency report, the number of government and law enforcement requests for data that Apple has received has also increased. Between January and July 2021, the company received more than 12,000 requests for various types of user information, up from more than 10,000 in the last six months of 2020.

The end-to-end encryption of user information, which Apple is calling “advanced data protection for iCloud”, will first be rolled out to a small subset of test users before launching widely in the US before the end of the year and globally in 2023. The new offering means information such as messages that are backed up to iCloud, notes and photos would be fully encrypted.

However, the change will not cover all data. Contacts, calendar information, and emails will not be encrypted automatically, and users will have to voluntarily opt into the feature. The encryption key, or the code used to gain access to that secure data, will be stored on the device. That means that if a user who opts into this protection loses access to their account, they will be responsible for using their key to regain that access as Apple will no longer store the encryption keys in iCloud.

Physical security system

In addition to the new iCloud data protection, Apple plans to roll out a physical security key system for people signing into their iCloud account on any new device. It acts as a hardware-based two-factor authentication system. For those who opt to use this additional layer of security, they will be required to plug a physical security key into the charging port on the phones to verify their identity when they sign into their iCloud account on a new device. However, users who choose to use this to protect their iCloud accounts will be responsible for holding on to those security keys, which comprise the main key and a backup.

Code System

Lastly, the Apple is rolling out a code system allowing people to verify that their messages are going to the intended recipient and not being compromised by a hacker. A process that is familiar to users of the encrypted messaging app Signal. In Apple’s case, two people who have enabled the system will be able to exchange their unique code and their devices will automatically detect whether someone with a different code has entered the conversation.

How will this encryption impact digital forensic investigations?

The presence of cloud data is an increasing consideration in the field of digital forensics. More commonly we are coming across data that was accessible on the handset but is stored securely in a cloud environment. Data synchronising to and from handsets from cloud storage locations are increasingly common. The encryption of cloud data is no-doubt a positive approach to protect an individual’s online privacy and security, but with that in effect this creates complex and difficult challenges for the field of digital forensics in which we always require access to the original source of the data to verify its integrity.

The increase in the prevalence of Two-Factor Authentication, biometric data verification, and security keys to protect data is a challenge to navigate in this digital age when transparency is essential. Data that is backed up and retained in the Cloud can contain less forensic artefacts, which can often bring a level of uncertainty to an investigation. The field of digital forensics is continuously adapting and developing to the new changes in technology, and no doubt there will be future developments made to uncover additional forensic artefacts as new features and technology is rolled out.

Apple AirTags tracking

Apple is also being sued by two women who state that their AirTags were used to stalk them. AirTags are small trackers designed to be placed on keys or wallets, preventing them from being lost. The women say the AirTags were used by their former partners to track them. They argue that AirTags have been linked to murders this year of women in Akron, Ohio and Indianapolis.

However earlier this year the BBC reported that several women had found unwanted AirTags tracking them. The company has previously stated that its AirTags contain several measures that prevent unwanted tracking. If an AirTag is found moving with a person the AirTag is not registered with, a message should appear on their phone alerting them to it. Apple has been aware, even before it released AirTags, that they could be used for criminal activity. On release, Apple stated that “AirTags are designed to track items, not people”.

A digital forensics perspective

The technology behind the functionality of Apple Air Tags is a bespoke version built and incorporated using Bluetooth; supported using Apple’s Find My Network. Bluetooth device connections have been a forensic artefact worth considering for some time now. Especially with the increasing use of hands-free technology for vehicles and other Bluetooth data-sharing devices. The increasing use of Apple Air Tags introduces additional artefacts that we might expect to come across during a digital forensic investigation of iOS devices to support criminal cases in which location data and date and time information are crucial.