Apple iOS 11 security 'downgrade' decried as 'horror show'

After rapidly patching a flaw that allowed anyone with access to a High Sierra Mac to obtain administrative control, Apple still has more work to do to make its software secure, namely iOS 11, it was claimed this week. Oleg Afonin, a security researcher for password-cracking forensic IT biz Elcomsoft, in a blog post on …

  1. Packet

    I don't get this article at all.

    The only thing that makes sense is the Twitter rebuttal.

    Everything else is sheer WTF-ery.

    I restored a password-encrypted iOS 11 backup from one device to another using iTunes and there was no way to reset the password without unlocking the device as usual.

    1. joed

      Re: I don't get this article at all.

      If I read it correctly, the issue is that now it's only the pin that's required to reset the iTunes backup password (usually easier to guess than the backup password set by the owner) and capture the content of the phone. I had not been aware of the fact that setting backup password yielded more than just complete phone backup to one computer - the article seems to suggest that once the phone is password protected backed up to iTunes on one PC, the next backup attempt (on any PC) would require to provide that password. My understanding had been that the password would be needed for the restore and the phone was protected from backup attempts by pin only. From what it looks, iOS11 users better set up alphanumeric pin/password. Having locked my 6S at iOS10 I could care less for this or other "improvements" introduced by Apple.

      1. TechnicalBen Silver badge

        Re: I don't get this article at all.

        It would seem from the article that previously a backup could be protected by perhaps an iTunes password or separate individual password per backup? Now the pin and access to the phone is all that is needed. So deleting everything on the phone, a new pin and the same account, you can access old backups locked with a different password/ pin. While physical access and a pin are needed (all your base already pwnd) it does suggest (afaik) that some other methods of locking the *backup* are being used.

        Which could suggest the security of the backup is in question.

        1. DougS Silver badge

          Re: I don't get this article at all.

          Huh?

          The password you set on an iTunes backup is set on the computer, NOT the phone. There is no way to reset that password, because the backup is encrypted with that password. If anyone knows of a magic way to reset the encryption key of an encrypted file, please apply for your Nobel prize.

          Is he saying you are no longer allowed to set a separate password for the iTunes backup, but that it will automatically use the password on your phone? (or weak passcode if you are dumb enough to just use digits) If so, I'm not really a fan of that change, but it's easy to rectify - set a different password, perform your backup, then reset it back to your original password.

          1. Packet

            Re: I don't get this article at all.

            After going through the Apple support document, what I've managed to figure out is this:

            You set a password on your iTunes backup in iTunes - this password is different from your phone passcode/passphrase - it's only for the iTunes backup.

            It does not affect the passcode/passphrase on your iPhone/iPad.

            Furthermore, this passcode is then used for all subsequent backups for that device on iTunes.

            Without that password, you cannot restore that backup.

            I am guessing the issue is this encrypted backup policy might apply to any computer running iTunes that the device syncs with - not 100% sure on that though.

            But in iOS 11, they've allowed a reset of the backup password to allow creating a new backup 'volume' - still can't touch the old encrypted backup. That's gone forever.

            But now they allow creating a new backup password and doing a new backup (and a new restore, if necessary).

            That makes sense actually - why be locked out in perpetuity for an old backup set that you can delete and never use?

          2. TechnicalBen Silver badge

            Re: I don't get this article at all.

            Yes... I meant that the new method means there is no longer a separate password.

            This does not mean old backups are now accessible, just that new ones don't have the extra "layer" of protection.

            Was posting from the phone, hence the missed typos too (I did re-read, but the brain is great at filling in blanks, even when I'm trying to spot them :P ).

            1. SuccessCase

              Re: I don't get this article at all.

              The claim is a great ad for Elcomsoft. They are implying all the “layers” are stripped because anyone who takes possession of a phone and has the passcode can make a new encrypted backup and can restore that on another device because they have the passcode. What confuses the message is the Elcomsoft guy says “If it's just one single thing, then it's not adequate protection." When what he really means is “Actually it’s two things, a restorable an unlocked phone and our tools which are so good, if you have them you are guaranteed success accessing data on a phone that can be repeatedly restored or where a restore can be made to a specially physically Elcomsoft compromised device, so from a user passcode/security perspective that’s no better than one thing.”

              He’s probably right, but they do need the passcode (not just fingerprint unlock because you need the passcode to make the backup). The argument is over if this significantly weakens security. Passcodes are entered far less frequently in public spaces these days because of fingerprint id. If you don’t have the passcode getting it wrong a small number of times will throw up a second layer of protection (the full Apple account password). If you are somewhere border guards can insist on you handing over your phone passcode, because laws say they have to be able to access your phone, they can also presumably insist on your Apple password. If it is just that you have to unlock it in front of them and a passcode is easily seen, they can film you as you enter a full passcode also. So the argument against Elcomsoft’s timely “adclosure” (that’s a special kind of disclosure these security companies specialise in) is that the single point of failure is the human under pressure at a border scenario, which it is arguable hasn’t practically changed.

              Actually I would argue Elcomsoft are right to a degree. With their tools (if they are as effective as they are implying which is the neat promotional trick about the way this “disclosure” is written). Then it does become easier to get all your other personal data. A spouse who *does* sometimes see you enter a passcode, or someone with access to security tapes from a building or place where you have entered the code in front of a camera - both have a greater opportunity to act against you with this change. For some that will be a problem. For me it means more careful OpSec (see I just did an Elcomsoft and craftily burnished my IT Security credentials - what I meant was I will just be careful not to ever enter my passcode in front of others or in front of cameras).

          3. Adam 1 Silver badge

            Re: I don't get this article at all.

            > There is no way to reset that password, because the backup is encrypted with that password

            Highly unlikely (and pretty dumb security wise if true). The backup will be created with a randomly generated key. That key will be encrypted with your password. To change a password, it can retrieve the random key with your old password, then re-encrypt it with your new one. It only needs to overwrite a few KB to change a password.
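
The scheme described in the comment above (a random backup key wrapped under a password-derived key), as an added example that is not part of the thread and is not Apple's or iTunes' actual backup format. The function names, the PBKDF2 parameters and the toy XOR keystream standing in for a real cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed value for this example, not Apple's


def _derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password into a 32-byte wrapping key and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream (no integrity); stands in for a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap_key(data_key: bytes, password: str) -> dict:
    """Encrypt the random data key under a key derived from the password."""
    salt = secrets.token_bytes(16)  # fresh salt, so the wrapping key is never reused
    wrap, mac = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, wrap))
    tag = hmac.new(mac, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_key(header: dict, password: str) -> bytes:
    """Recover the data key; raises ValueError if the password is wrong."""
    wrap, mac = _derive(password, header["salt"])
    expected = hmac.new(mac, header["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        raise ValueError("wrong password")
    return bytes(a ^ b for a, b in zip(header["wrapped"], wrap))


def make_backup(plaintext: bytes, password: str) -> dict:
    """Encrypt the bulk data once with a random key; only the key depends on the password."""
    data_key = secrets.token_bytes(32)
    return {"header": wrap_key(data_key, password), "body": _xor_stream(data_key, plaintext)}


def read_backup(backup: dict, password: str) -> bytes:
    return _xor_stream(unwrap_key(backup["header"], password), backup["body"])


def change_password(backup: dict, old: str, new: str) -> dict:
    """Re-wrap the data key: the small header is rewritten, the body is untouched.
    The old password is still required, because it is the only way to unwrap the key."""
    data_key = unwrap_key(backup["header"], old)
    return {"header": wrap_key(data_key, new), "body": backup["body"]}


if __name__ == "__main__":
    original = make_backup(b"constructed sample backup contents", "old-pass")
    changed = change_password(original, "old-pass", "new-pass")
    print("body unchanged:", changed["body"] == original["body"])
    print("reads with new password:", read_backup(changed, "new-pass"))
    try:
        read_backup(changed, "old-pass")
    except ValueError as exc:
        print("old password rejected:", exc)
```

In this model a forgotten password cannot be "reset" on an existing backup, since nothing else can unwrap the data key; a new backup simply gets a new key and a new header.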

            1. Naselus

              Re: I don't get this article at all.

              It's pretty simple really.

              You can take a new backup of an iOS11 iPhone and set a new password for the backup, as long as you have physical access to the phone and the passcode. This isn't the problem.

              The problem is that the backup contains a lot of data which you can't extract from the unlocked phone, but CAN extract from the backup file, as long as you know the password. Things like your iCloud password, for example, can't be gotten at from the device itself, but can be extracted from the backup - provided you can unencrypt it. So, being able to set up a new password on it as long as you know the passcode means you can create a data-rich backup file that you can then rip lots of information off.

              It's not great, and shows Apple's slightly cavalier attitude to security when it conflicts with ease of use (i.e., security always loses if it makes life even slightly harder for the user), but at the same time this 'problem' requires you to have physical access and the passcode, so by that point it's pretty much game over for the phone anyway. It'd be preferable if the backup either didn't go around storing login data for other services, or if it does store them, doing so in an encrypted file based on the phone's device id (so you could only unlock the file by copying it back onto the same phone it came from in the first place). But really, it's a bit of a reach calling it a 'horror story'.

              There's a significant element of infosec hysteria to this one - like some of those 'security flaws' that crop up every six months where a server is vulnerable provided you already have the domain admin password, physical access to the box, and the time to crack 2048-bit encryption. You have to be in pretty deep shit already before this vulnerability becomes possible.

      2. Anonymous Coward

        Re: I don't get this article at all.

        @joed. “Having locked my 6S at iOS10 I could care less for this or other "improvements" introduced by Apple.”

        So you do care then?

  2. J J Carter Silver badge
    Trollface

    FUD

    Does Elcomsoft sell an encryption product by any chance?

    1. Anonymous Coward

      Re: FUD

      Apple protection force out again here, the story has the luxury of being reviewed by other security researchers (this never happens in android clickbait stories)

      1. Anonymous Coward

        Re: this never happens in android clickbait stories

        YOU BIG MEANIES!!!!

  3. Anonymous Coward

    Did the NSA pay Apple to do this so that they could access all of Apple's iTunes data? They'd have piles to go through, but probably with some high-profile targets in mind.

    1. DougS Silver badge

      How would this help the NSA access iTunes backups? If the same password is used for the iTunes backup and the phone itself, you can't access either without the password. If you have the password, you don't need the iTunes backup.

      Now granted if a weak password is used for the iTunes backup it could be brute forced, but if you think the NSA might be after you, perhaps using a strong password is in order. That's where the value of biometrics comes in, you use them so you don't need to type in your strong password all the time in public where it will be seen. If you only type it in in private, then you're safe - you just need to make sure you are able to hit the two button combo to lock out biometrics if the CIA's rendition squad is descending on you :)

      Anyway, you aren't required to use the same password for iTunes backups and the phone. Just change your password to something else, perform a backup, then change it back.

  4. David 132 Silver badge
    Mushroom

    Apple's security model is utterly broken

    Posting this here because it's vaguely relevant and I've been looking for an excuse to get it off my chest.

    Earlier this week I needed to download an update for my Mac. Realized I'd forgotten my iCloud password. Went to apple.com to initiate a reset... apparently, although they have my email address, my d.o.b, my phone number and much else...the only way they would allow me to reset my password was by giving them the number of a credit card, which expired 2 years ago and I hence don't have.

    Step by step I went further into the quicksand swamp that is Apple's security pages.

    Long story short - I have been emailed by them to tell me that they might deign to reset my password and unlock my account on the 14th of this month. Yes, that's right, they are making me wait TWO FUCKING WEEKS to get access to my account.

    Grrr.

    1. joed

      Re: Apple's security model is utterly broken

      This would be a fun exercise for me - all Apple got from me is a gifted iTunes gift card. And I have no intent of replacing it with CC number, too much at stake.

    2. Snorlax

      Re: Apple's security model is utterly broken

      "Posting this here because it's vaguely relevant and I've been looking for an excuse to get it off my chest."

      Nope, it's not even vaguely relevant.

      You couldn't prove to Apple that you are who you claimed to be?

      You then complain that Apple wouldn't give you immediate access to your account, despite you being unable to prove your identity to their satisfaction?

      Come on...

      1. David 132 Silver badge

        Re: Apple's security model is utterly broken

        @Snorlax

        No, my point was that I COULD prove to them who I was, but they still need 2 weeks to decide whether to grant me access.

        But hey, if you get off on insulting complete strangers over the internet, bully for you.

        1. Snorlax
          Thumb Down

          Re: Apple's security model is utterly broken

          "But hey, if you get off on insulting complete strangers over the internet, bully for you."

          No, I was questioning your logic. Quit being such a baby.

          I went easy on you, if anything. What I really wanted to say was that I suspected you were making the whole story up - I've never had to supply a credit card number to reset a password on an apple account. If they *really* asked you for one, it was probably because they thought you were trying to get into an account that wasn't yours and you did yourself no favours by not knowing your own credit card number.

          "We'll see in a couple of weeks" is a polite way of saying "Please f**k off".

          1. DougS Silver badge
            Mushroom

            Re: Apple's security model is utterly broken

            How does this mean their security model is broken? YOU fucked up and forgot your password, is that Apple's fault?

            Personally I think it raises the bar for someone trying to falsely reset your password if they are making you wait to have it reset. If nothing else it will teach you to not be stupid and forget your password next time! Or write it down somewhere - hell keep it in a safe if you are worried about someone stealing it but relying on your memory, when it is obviously unreliable, has proven to be a bad strategy for you. Just don't blame the safe company for not being easily forthcoming if you forget the combination!

          2. Naselus

            Re: Apple's security model is utterly broken

            " I've never had to supply a credit card number to reset a password on an apple account. "

            I've been asked to supply a CC number for resetting an Apple account before, even when we've already supplied a bunch of correct identification data. But yes, I fail to see how this qualifies as 'utterly broken security'. Possibly 'absurd identification process'.

    3. Muscleguy Silver badge

      Re: Apple's security model is utterly broken

      I have no access to the iCloud, on any device. This is a hand me down laptop and to login it requires the long alphanumeric string unique to this device which I have never known or been told and the youngest who bequeathed me it professes no knowledge of either.

      I can fix it with the help of another Apple device but I have nothing new enough to do the necessary. This has denied the cloud to the old iMac now as well of course. It pesters me constantly about it with no fix.

      So this is basically a tax which requires purchase of a new iDevice of some sort. Funds for this are in short supply and I neither particularly in need or desire for one. The ancient screen cracked Touch I use to play music through speakers in the kitchen still functions perfectly well. This is Apple's problem, the ancient iMac bought second hand still works, it runs the backup HD and I play Angband on it as it has an extended keyboard. This 2010 Macbook Pro is still perfectly functional, it got a new solid state HD and I doubled the RAM to a whole 8GB.

      Also Apple keep giving full OS updates away. I'm running Sierra quite happily and mulling High Sierra.

      Would I upgrade if I won the lottery? probably but I feel no pressing NEED to beyond enabling Find My Mac via iCloud, the only use I make of it. HD's are still pretty cheap so why back personal stuff up to the insecure Cloud where they claim copyright on anything on them. Stuff that. Local back ups for me.

    4. Anonymous Coward

      Re: Apple's security model is utterly broken

      As if I needed another reason not to buy Apple's overpriced crap.

  5. Snorlax
    WTF?

    What The AF?

    Sounds like a load of bollocks from Elcomsoft...

    From the Apple Support link posted in the article:

    "There is no way to recover your information or turn off Encrypt Backup if you lose or forget the password."

    So if my phone is backed up to an encrypted archive on my PC or Mac, the Stasi can't do anything with it. The existing backup can't be compromised without great difficulty (as long as I didn't use 'password123' or similar as a password). I dunno if Elcomsoft have a product which deals with this issue, but I assume they do...

    Scrolling down the page:

    "If you can’t remember the password for your encrypted backup

    You can’t restore an encrypted backup without its password. With iOS 11 or later, you can make a new encrypted backup of your device by resetting the password....

    ...You won't be able to use previous encrypted backups, but you can back up your current data using iTunes and setting a new backup password. "

    So, to restate the obvious, your old backups are useless now that you don't know the password.

    Apple is saying you can now connect your phone to iTunes and create a new encrypted backup using a new password of your liking - and Bob's your uncle.

    What did I miss here?

    1. Packet

      Re: What The AF?

      Exactly!

      You get it - there's nothing to see here.

      But some pillock did downvote you in their mad fruity hate

      1. Snorlax
        Thumb Up

        Re: What The AF?

        "Exactly!

        You get it - there's nothing to see here."

        It's just a sales pitch by Elcomsoft. I took a minute to read their blog post and, surprise surprise, they advertise their products 'iOS Forensic Toolkit', 'Elcomsoft Phone Breaker' and 'Elcomsoft Phone Viewer'.

        And of course it's all based on the theory that an attacker has physical access to your unlocked phone.

        If that happens you're fucked whether you're using iOS or Android.

    2. TechnicalBen Silver badge

      Re: Thanks!

      That seems to clear things up a bit better. :)

    3. Steve Graham

      Re: What The AF?

      "What did I miss here?"

      As I understood the article, the issue is that the Stasi can:

      1. take your phone

      2. demand the pass code

      3. make their own password-reset backup containing all your secrets

      4. give you back your phone and say "Have a nice trip, Sir."

      1. Snorlax

        Re: What The AF?

        As I understood the article, the issue is that the Stasi can:

        1. take your phone

        2. demand the pass code...

        I refer you to my last comment:

        "And of course it's all based on the theory that an attacker has physical access to your unlocked phone."

        So, again, how is this news? It's just a bunch of Russians trying to sell some phone hacking software.

        1. DougS Silver badge

          Re: What The AF?

          If they have your passcode and can unlock your phone they've always been able to make a backup of the phone. That's true for Apple and Android. How is this a new worry?

        2. Pompous Git Silver badge
          Trollface

          Re: What The AF?

          "So, again, how is this news? It's just a bunch of Russians trying to sell some phone hacking software."
          As distinct from the NSA who give their hacking software away...

      2. Kirstian K
        Holmes

        Re: What The AF?

        "

        Re: What The AF?

        "What did I miss here?"

        As I understood the article, the issue is that the Stasi can:

        1. take your phone

        2. demand the pass code

        3. make their own password-reset backup containing all your secrets

        4. give you back your phone and say "Have a nice trip, Sir."

        "

        I got the same as you, but I also got:

        then with that backup they took, and the encryption password you used for the sneaky backup (and that backup having the password you know in) that they can essentially restore that backup at a later date, access that AND get all your other data including any other passwords you may have (as it was all behind one wall which you have the keys for).

        so now after the event I can access your emails / bank / other stuff that at the time I didn't even know I wanted.

        so unless you prudently change your passwords on everything you have that backup is a security risk for you.

        (that's what I read, but I may have totally got it all wrong)

        1. DougS Silver badge

          Re: What The AF?

          Why would restoring that backup allow them to "get all your other data including any other passwords you may have"? Either those are in the backup (i.e. Facebook if you have it configured to save your password for instant gratification login) or they are not, if they are not then they can't get them.

          If you can be compelled to hand over your phone and provide the password to border police, they have access to everything that's on the phone. There's nothing Apple can do to make that worse, nor is there anything they could do to make it better (unless they allow multiple profiles on a phone, so you could give them the password for your 'innocuous' profile instead of your actual rabble-rousing self)

          Worrying about protecting your secrets when you give someone physical access to your phone AND your password is silly. They have everything, and can trivially make a copy of it if they wish.

  6. Steve Graham

    Note to subeditor

    The original quote was "horror story", not "horror show". The latter phrase gained its familiarity because it's a piece of "nadsat" slang from A Clockwork Orange.

    It's one of the Russian-derived terms in the slang. "Horror show" sounds like "khorosho", Russian for "good".

    And Apple's decision does not seem to be good.

  7. Anonymous Coward

    Still an hr till the match

    They can't be this clumsy by accident. I would think they work with the security services to design in flaws and take advantage till someone discovers them.

    Then throw a company with a Russian sounding name under a bus to divert attention from this train of thought.

    Would have worked as well if I had Kremlin virus scanner installed.

  8. Anonymous Coward

    When I use Apple products I know I’m always totally secure

    Totally secure that I have impeccable taste and have, once again, chosen the very best.

    I’ve just given myself a small pat on the back. And another.

  9. Triumphantape

    Just more evidence Apple sucks

    From their SSH "bug" to their "root bug" to their evasion of taxes, slave labor, absurd political preaching, and grandstanding during the San Bernardino shooting case so that they have deniability in their collusion with the FEDS... Apple sucks.

    Did I mention "Apple sucks"? Because Apple sucks.

  10. Dotun4luv

    The new iOS 11 version is top notch when it comes to security measures. It's not a 100% though but it is far better than iOS 10.


Biting the hand that feeds IT © 1998–2019