Who is this Afonin bloke? iOS 10 is secure even after he himself found that the backups were easier to break into for finding passwords than in previous iOS releases. To me, that makes it insecure.
Apple to crunch iOS 10 local backup password brute force hole
Apple is brewing a fix to patch an iOS password flaw that allows credentials to be stolen from backups. Elcomsoft researcher Oleg Afonin says the flaws mean cracking efforts against iOS 10 backups are 2500 times faster compared to similar efforts against iOS 9. If successful, the attack will grant access to device keychains. …
COMMENTS
-
-
Monday 26th September 2016 08:47 GMT Dave 126
>Who is this Afonin bloke? iOS 10 is secure even after he himself found that the backups were easier to break into for finding passwords than in previous iOS releases. To me, that makes it [iOS 10] insecure.
The attack wasn't against iOS - it was against the user's local (iTunes) backup.
Apple smartphones are secure. iOS is also secure, and gets tougher with each subsequent generation. ...
This leaves us to logical acquisition. Forcing an iPhone or iPad to produce an offline backup and analyzing resulting data is one of the very few acquisition options available for devices running iOS 10. Local backups are easy to produce if the iPhone is unlocked. However, you may be able to produce a local backup even if the phone is locked by using a pairing record extracted from a trusted computer.
- http://blog.elcomsoft.com/2016/09/ios-10-security-weakness-discovered-backup-passwords-much-easier-to-break/
-
-
-
-
Monday 26th September 2016 22:30 GMT Anonymous Coward
Re: Weakening
Probably they had on their list of things to do "replace outdated SHA1 algorithm" for backups and it was poorly implemented. Hopefully a bug and not someone who didn't realize a single iteration is not nearly good enough.
Moving to SHA256, if it was as overall complex as the old SHA1 implementation, it should be quite a bit slower to crack than the iOS 9 backups were....once they fix it!
-
-
Monday 26th September 2016 22:34 GMT Crazy Operations Guy
Re: Weakening
Not weakening. SHA-256 is far more resistant to collisions than even thousands of rounds of SHA-1. Each round of SHA-1 after the first only adds the tiniest amount of additional security (hence 10,000 iterations). SHA-256, on the other hand, performs 64 iterations by default and is 96 bits longer. No matter how many iterations you are doing of SHA-1, it'll still produce hash collisions at a significantly higher rate than a single round of SHA-256.
SHA-1 has also been proven to be mathematically broken in that a collision can be generated in under 2^56 rounds. Pretty much every security organization has declared that SHA-1 is obsolete and should no longer be used. A lot of Certificate Authorities have dropped it as a valid signature algorithm since ~2011. (See https://www.schneier.com/blog/archives/2015/10/sha-1_freestart.html)
By the way, the SHA series of algorithms were created and designed by the NSA, so I don't think They would mind either way.
-
Monday 26th September 2016 23:06 GMT Adam 1
Re: Weakening
Collisions are only one part of the overall threat model. An important part, but in this case an irrelevant part because the attack described didn't rely on any collision.
Password attack (brute force and dictionary) defences rely on making the attack computationally infeasible for your adversary. That doesn't mean impossible, only that the compute resources required would be better employed (from the adversary's perspective) on other goals.
The main goal of running so many iterations is simply to make each guess more costly whilst still leaving it practical for a modest machine to derive the encryption key from the correct password. The change made here means that each guess is a much lower investment in compute than before. Although sha256 is more expensive than sha1 for a single iteration, it isn't 4 orders of magnitude more expensive (which is what would be needed to maintain the same resilience to brute force or dictionary based attacks).
My guess at what was wrong? The iterations argument/property value wasn't set so it picked the default value.
-
-
-
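Added example, not part of any comment in this thread and not Apple's or Elcomsoft's code: it times one password guess under a single SHA-256 and under 10,000 iterations, the two figures the comments above argue about. PBKDF2 from Python's `hashlib`, the salt and the password are assumptions of this example; the thread does not show the actual backup key derivation.

```python
import hashlib
import time

SALT = b"constructed-salt"          # constructed sample value
PASSWORD = b"constructed-password"  # constructed sample value
ITERATIONS = 10_000                 # iteration count quoted in the thread


def single_sha256(password: bytes, salt: bytes) -> bytes:
    """One unstretched hash: the single-iteration case from the thread."""
    return hashlib.sha256(salt + password).digest()


def stretched(password: bytes, salt: bytes, algo: str, iterations: int) -> bytes:
    """Iterated derivation. PBKDF2 is this example's assumed construction."""
    return hashlib.pbkdf2_hmac(algo, password, salt, iterations)


def seconds_per_guess(fn, repeats: int) -> float:
    """Average wall-clock cost of checking one candidate password."""
    start = time.perf_counter()
    for _ in range(repeats):
        fn()
    return (time.perf_counter() - start) / repeats


def measure() -> dict:
    """Time one guess under each scheme on the local machine."""
    return {
        "sha256 x1": seconds_per_guess(
            lambda: single_sha256(PASSWORD, SALT), 20_000),
        "pbkdf2-sha1 x10000": seconds_per_guess(
            lambda: stretched(PASSWORD, SALT, "sha1", ITERATIONS), 20),
        "pbkdf2-sha256 x10000": seconds_per_guess(
            lambda: stretched(PASSWORD, SALT, "sha256", ITERATIONS), 20),
    }


def relative_cost(costs: dict, scheme: str, baseline: str = "sha256 x1") -> float:
    """How many times more work one guess costs than under the baseline."""
    return costs[scheme] / costs[baseline]


if __name__ == "__main__":
    costs = measure()
    for scheme, secs in costs.items():
        print(f"{scheme:22s} {secs * 1e6:10.1f} us/guess "
              f"({relative_cost(costs, scheme):8.0f}x)")
```

The absolute times depend on the machine; the ratios are the point. The iteration count dominates the cost of a guess, while swapping SHA-1 for SHA-256 at the same count changes it by a small factor.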
Monday 26th September 2016 10:50 GMT Anonymous Coward
Afonin says Apple devices are highly secure
Really? I think the BBC report today suggests otherwise. "Meeting Israel's master phone crackers"
They can crack iPhone7, and REALLY old Android phones basically. Interesting the phone they used for their demo suggests Google have made massive advances in the last couple of years, and Apple have been plastering over the cracks.
-
-
Monday 26th September 2016 12:29 GMT cambsukguy
Re: Afonin says Apple devices are highly secure
I too noted the ancient phone used and then the words used, we can crack iPhone 7 and Android Nougat.
Hmm, perhaps it takes longer and is harder because obviously they would have used an S7 or i7 to demonstrate, it would have looked much cooler and garnered them far more attention.
I would still like it if they tried Win10 and/or WP10, not least because showing that they too can be cracked would either cause MS to try to fix it or at least find another way to help out law enforcement.
-
-
Monday 26th September 2016 22:18 GMT Anonymous Coward
They didn't say they could get everything from an iPhone 7
They said "We can definitely extract data from an iPhone 7 as well - the question is what data." If they could get everything off it, they'd have said that.
Or are the Apple haters here going to assume that because they didn't use a newer Android for their demonstration that means they couldn't crack it, but because they mentioned they could get "data" off an iPhone 7, that they can get everything?
Obviously these guys are going to try to present themselves in the best light possible - the article provided free advertising for their services for all the police forces in the UK. So use an old phone that can be cracked instantly for a demonstration, and let people make their own assumptions about how much they can actually get off an iPhone 7 or latest Android.
-
-
-
-
-
Wednesday 28th September 2016 11:51 GMT Planty
Re: Using old phones
Changing variables like OS updates you mean? The Samsung Galaxy S5 (used in the demo) was cracked using Android 4.2, the latest version of Android for the S5 is Android 6.01 with March 2016 security update.
This whole story is bogus, much like most security researchers' "research", they intentionally mislead with select devices and select (and pretty much universally out of date) software versions.
Why is nobody calling these "experts" out on this? If I were to do a security article on Windows ME edition, it would be laughed off, how is this any more credible?
-