My good friend @dillweed just brought up an excellent point about iCloud and Apple IDs. Everyone needs to be much more careful with their Apple IDs now that they’re tied to their iCloud data. So far, people have been lax about protecting their Apple ID passwords, typically sharing them to trade iOS applications. The rationalization is “What’s the worst that could happen? It only allows access to my apps.” Now, with iCloud, anyone who has your Apple ID password can also do the following:
- Remotely lock and erase your iPhone, iPad, or computer via Find My iPhone.
- See iMessages and email in real time, as well as all past iMessages and email.
- Track your location in real time via Find My iPhone.
- Log in to your computer and network via Back To My Mac. This will bypass many corporate and home firewalls.
- Access other iCloud data such as your calendar, notes, documents, and bookmarks.
- Access all data on your iPhone or iPad by restoring from your iCloud backup.
While the risk associated with giving out your password is nothing new, the issue here is threefold: people currently don’t see their Apple ID as a high-value account, there’s a large amount of sensitive data an attacker could gain access to, and one password is the only thing protecting access to that data. Sites such as Google and Facebook now allow you to use two-factor authentication, where you need both your password and a code sent to your phone to access your account. They also allow you to see what other computers are logged in to your account and let you disconnect them remotely. Customers should pressure Apple into adding the same protection to their accounts sooner rather than later. In the meantime, use a strong Apple ID password, don’t share it, and let your friends and customers know about the increased risk of sharing their Apple ID passwords.