A key feature of Apple’s operating system installed on its current range of laptop computers, as well as iPhones and iPads, potentially puts users at risk of having all data remotely wiped by a hacker.
From also-ran to industry leader, Apple has managed to build an unbeatable customer base for its products. Its leading industrial design and fundamental understanding of the way that users want to interact with technology have attracted an enormously loyal fan base.
One further aspect that Apple users like to congratulate themselves about is security, since the Mac operating systems have traditionally very rarely been targeted by virus writers and hackers. This is why the security hole in the current Mac set up is surprising. A concern for consumers, but now that Apple is branching out from its traditional stronghold in education and the creative industries, it will also be a concern for corporates.
The security problem stems from the ‘Find My’ feature that comes as standard on all new Apple products, including MacBooks, iPads and iPhones, and the single AppleID password that is deemed sufficient to protect them.
In the world of password cracking, getting hold of someone’s AppleID is not too difficult. Once you have that password, you can remotely access your victim’s Mac device and through the Find My feature wipe all the data.
In a business setting, where passwords for the entire IT estate are far more likely to be centrally set and controlled, it could open up the entire corporate network – a gift to corporate spies and professional hackers.
Andy Kemshall, from IT security firm SecurEnoy, said: “There is no doubt that the 'Find My' feature is very attractive. In fact it’s a great idea, and anyone who has ever left a laptop in a taxi or a phone in a bar will immediately recognise the merits. But superb though the service is, the fundamental flaw is that it hasn’t been implemented to business-grade standards because it doesn’t have an appropriate level of user authentication.
“If Apple is serious about increasing its footprint in the corporate world, it needs to make sure its security measures are up to scratch. That almost certainly means adopting two-factor authentication (2FA) to provide an extra layer of identify verification to the basic password.
“2FA solutions are based on the user having ‘something they know’ – in this case the AppleID, and ‘something they have’. This can be a token or a card, but since the Apple computing experience is built on mobility, some form of tokenless solution, such as that offered by SecurEnvoy, is likely to prove more attractive.”
With a tokenless solution, users would enter their AppleID in the normal way. The system would then issue a one-time passcode to the user’s registered mobile phone. That code also has to be entered for access to be granted. Once the code is entered it is automatically deleted and if the phone itself is lost or stolen, it can be immediately blocked from receiving any more passcodes.
2FA is increasingly recognised as an essential means to strengthen password-based systems. Tokenless solutions effectively turn mobile phones into temporary tokens.