Researcher at the Russia proactive software firm Elcomsoft found that iPhones silently upload call logs to iCloud.
Apple automatically uploads iPhone call logs to Apple's remote servers where the data may be stored on Apple servers for months with no option for the end user entirely disable the feature on their device, according to a Nov. 17 press release.
The feature is available on all devices running on iOS 9.x and 10.x and there is no official way to disable to feature other than to disable the iCloud Drive functionality. Elcomsoft researched that disabling the feature would greatly affect the usability of the device since Apple delivers a number of features via iCloud Drive.
An individual's communication history can reveal a lot about a user life including sexual preferences, medical issues, infidelities, illegal activities, business dealings, and more, Tripwire Cybersecurity Researcher Craig Young told SC Media.
“Unlike the encryption employed on an iPhone's local memory storage, data stored within iCloud is encrypted in such a way that it can be retrieved with the assistance of Apple or through the use of an authentication token such as what might be stored on the device owner's computer,” Young said via emailed comments. “A compromise of Apple's servers could therefore expose the data from a large number of users thereby enabling social engineering attacks as well as extortion schemes.”
He went on to say Apple has stated that a third party would need to know a person's username and password to extract this information but this is not entirely correct for a variety of reasons.
“Apple should have a granular set of options allowing users to have complete control over what data is sent off of their device,” he said. “While it is entirely likely that many consumers may prefer to have this data backed up, it is important that they are able to make an informed decision about how and where their data is stored.”
Young said users concerned that their information can be remotely accessed should strongly consider disabling the iCloud Drive feature.