When Apple introduced two new versions of its iPhone 6 and a first-of-its-kind Apple Watch Tuesday, something extraordinary and rare happened: For the first time in Apple’s storied history of product launches, the public’s attention was captured not by a cool, new feature but instead by uneasy questions about trust and security.
There’s little doubt that people love their iPhones. Apple has already sold more than 120 million phones this year, with some analysts predicting that sales could reach 235 million with the introduction of the iPhone 6. But the world is a vastly different place than it was just a year ago. Since then, hundreds of millions of consumers have been victimized by cybercriminals targeting point-of-sale systems and databases at major retail chains, like Target, Neiman Marcus and Home Depot. And Apple itself was recently the victim of hacks that targeted iCloud accounts, leaking nude photographs of high-profile celebrities.
But with Apple’s iPhone 6, Apple Watch (which opens the door to future personal health data apps) and mobile wallet technology, known as Apple Pay, the company is venturing into largely uncharted territory—introducing the world to what may be the first workable solution to combining mobility with personal finance and health data management.
And that’s where the problems may begin for the company that has largely avoided the wave of cybercrime that has at times nearly sunk its competitors on other platforms. By introducing Apple Pay, the company may have single-handedly blunted the attacks targeting retail point-of-sale systems. And by doing so, Apple may also have made itself the biggest target in the world for cybercriminals.
“I don’t know that those are mutually exclusive. I think it can be both,” said Christopher Budd, global threat communications manager at security firm Trend Micro. “In fact, because it can be the answer to all of our prayers that can and will make it a huge target.”
“With the single announcement of Pay, Apple easily became the premier target for cybercriminals,” said TK Keanini, chief technology officer at Lancope Inc. “Every aspect of their business will be targeted, upping the game play to the big leagues. Welcome to the Thunderdome.”
Apple will not only need to secure its operating systems and applications, but also its Internet services and partner ecosystem, according to Keanini. “Apple Pay is not a thing but an entire ecosystem that must be secured. Attackers will be looking for that weakness and access vector that is not obvious.”
“It’s not a question of if it will have vulnerabilities—it will have vulnerabilities,” Budd said. “The question is going to be is the defense in depth design smart enough that when vulnerabilities are found, they don’t lead to a complete breakdown in security.”
How Apple says it will work
The new iPhone 6 stores a user’s sensitive information, such as credit card data, at the hardware level on a chip the company refers to as the secure element. The chip is tamper-proof and will shut down if somebody tries to access it by opening the iPhone.
When the user passes his or her iPhone near a mobile payment kiosk and initiates a payment through the iPhone’s fingerprint identification system, the phone does not pass the actual credit card data to the retailer. Instead, the chip conducts a tokenization process that produces a unique 16-bit number for every transaction, which is then passed to the retail system using the iPhone’s near-field communication technology, known as NFC. That entire tokenization process happens on the chip, not at the operating system level.
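The flow described above, as an added illustration that is not part of the original article and is not Apple’s actual implementation: a toy secure element holds the card number and a per-device key that never leave it, and for each purchase it emits only an opaque device account reference plus a per-transaction cryptogram bound to the merchant, amount and a counter. The retailer receives only that message; only the issuer, which shared the device key at provisioning, can map the reference back to the real card and check the cryptogram. The class names, the HMAC-based cryptogram, the counter-based replay check and the sample card number and key are all assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets


class SecureElement:
    """Toy model of the tamper-resistant chip. The card number (PAN) and the
    per-device key live only inside this object; nothing outside reads them.
    Hypothetical simplification, not Apple's secure element or protocol."""

    def __init__(self, pan: str, device_account_ref: str, device_key: bytes):
        self._pan = pan                                  # never leaves the chip
        self._device_key = device_key                    # shared only with the issuer at provisioning
        self._device_account_ref = device_account_ref    # opaque reference the issuer can map to the PAN
        self._counter = 0                                # transaction counter, makes every token unique

    def authorize_payment(self, merchant_id: str, amount_cents: int, fingerprint_ok: bool) -> dict:
        """Build the per-transaction message that goes over NFC. The fingerprint
        check is modelled as a boolean; nothing is issued if it failed."""
        if not fingerprint_ok:
            raise PermissionError("biometric check failed; no payment token issued")
        self._counter += 1
        msg = f"{self._device_account_ref}|{merchant_id}|{amount_cents}|{self._counter}".encode()
        cryptogram = hmac.new(self._device_key, msg, hashlib.sha256).hexdigest()
        # Note what is absent: the PAN itself is never part of the message.
        return {
            "device_account_ref": self._device_account_ref,
            "merchant_id": merchant_id,
            "amount_cents": amount_cents,
            "counter": self._counter,
            "cryptogram": cryptogram,
        }


class Issuer:
    """Card issuer / token service: the only party that can map a device
    account reference back to the real PAN and verify the cryptogram."""

    def __init__(self):
        self._vault = {}  # device_account_ref -> {"pan", "key", "last_counter"}

    def provision(self, pan: str, device_account_ref: str, device_key: bytes) -> None:
        self._vault[device_account_ref] = {"pan": pan, "key": device_key, "last_counter": 0}

    def validate(self, token: dict) -> bool:
        rec = self._vault.get(token.get("device_account_ref"))
        if rec is None:
            return False  # unknown device reference
        if token["counter"] <= rec["last_counter"]:
            return False  # replayed (or out-of-order) token
        msg = (f"{token['device_account_ref']}|{token['merchant_id']}|"
               f"{token['amount_cents']}|{token['counter']}").encode()
        expected = hmac.new(rec["key"], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["cryptogram"]):
            return False  # amount/merchant tampered with, or forged cryptogram
        rec["last_counter"] = token["counter"]  # consume the counter only on success
        return True


def merchant_receives(token: dict) -> str:
    """What the retail terminal actually gets: the serialized token and nothing else."""
    return json.dumps(token, sort_keys=True)


def build_demo():
    """Constructed sample values for the example: a test PAN and a random device key."""
    pan = "4111111111111111"      # constructed test number, not a real card
    ref = "DAN-DEMO-0001"         # constructed device account reference
    key = secrets.token_bytes(32)
    issuer = Issuer()
    issuer.provision(pan, ref, key)
    return SecureElement(pan, ref, key), issuer


if __name__ == "__main__":
    se, issuer = build_demo()
    tok = se.authorize_payment("merchant-001", 1299, fingerprint_ok=True)
    print("merchant sees:", merchant_receives(tok))
    print("issuer accepts first use:", issuer.validate(tok))
    print("issuer accepts replay:", issuer.validate(tok))
```

Two properties worth checking against this model: the serialized message the merchant sees never contains the card number, and a captured message is useless to replay because the issuer rejects any counter it has already consumed. Tampering with the amount in transit fails the cryptogram check for the same reason.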
“The piece of data that is critical—your credit card number—is locked away really tightly on this chip,” Budd said.
Zach Lanier, senior security researcher at Duo Security Inc., said although the hardware-based secure element isn’t exactly a new concept, Apple’s architecture will make it more difficult for unauthorized applications and attackers to access the data. “And adding TouchID into the mix also ups the ante,” he said.
FedScoop interviewed 10 cybersecurity experts for this story and all but one said there are legitimate concerns about the security of moving such highly sensitive information to the iPhone and now the Apple Watch.
“Apple argues that because your credit card data will be stored on your iPhone in a secure element and never transmitted back to Apple, it’s private and secure. But it’s all tied online and likely all tied to your iCloud through a username and password, which now has an unprecedented amount of information,” said Alisdair Faulkner, chief products officer at ThreatMetrix and a former senior consultant at Accenture in the company’s e-commerce practice.
“With this growth in mobile, more and more online payment transactions are going to happen behind a username and password to avoid manually entering credit card details. Account takeovers are going to grow exponentially,” Faulkner said. “Many consumers are using the same username [and] password combinations across all sites, and when one or several of those inevitably get breached, that information is now exposed.”
Faulkner also saw another potential downside to Apple’s mobile wallet, even if it is more secure than traditional credit cards. “Apple Pay using Passbook and shifting payments online will push fraud online, the channel that is already most vulnerable, where there is no card, person or iPhone physically present,” he said.
Jeff Williams, CTO at Contrast Security Inc., agreed that Apple’s new mobile wallet offers some clear security advantages over traditional plastic credit cards, but the complexity of the iPhone 6 ecosystem could spell trouble for users down the road, he said.
“This system involves a lot of new software, a lot of interconnections with new players and a lot of complexity. That’s a recipe for security vulnerabilities,” Williams said.
Greg Foss, a senior security researcher at LogRhythm Labs, said he could envision several attack scenarios targeting the new mobile wallet payment system. Although exact details have not been made available, Foss said Apple Pay could transmit and potentially store a device-specific, encrypted device account number to authorize the transaction. “So, thieves may not obtain a credit card, but they could obtain data that is just as valuable and potentially even easier to use as they won’t need to print credit cards to make purchases at specific retailers,” he said.
Foss also has his doubts about the security of Apple’s fingerprint authentication technology. “Using a fingerprint as a security mechanism has proven to be easy to bypass on prior iPhone models,” he said. “Now with the addition of Apple Pay, the iPhone will be an even more enticing device to thieves.”