iOS 11 Password Problems
People
appreciated how Apple addressed security. For decades, the company was
building multi-layered ecosystem to secure its customers and protect its
software and hardware systems from most online threats. Apple products
do have some flaws (who doesn’t?) but overall its mobile systems were the most secure among all competitors.
Things
have changed. Although iOS 11 brought us great SOS feature and the need
to type in the passcode for establishing trust with new computers, it
also introduced some questionable changes that will be described in this
article.
The
final goal of these changes was making it easier for users to operate
their devices but each new small change caused a tradeoff in overall
security.
Put
together, these tradeoffs stripped all layers of protection off once
secure ecosystem. The only security layer that is left in iOS 11 is the
passcode. In case someone gets hold of your iPhone and manages to find
out your passcode, you end up losing your Apple ID, your data files, all
passwords to third-party web accounts, access to other Apple devices
registered with that ID. It is possible to do even more bad things
thanks to the fact that Apple removed all previous protection levels and
left only the passcode in iOS 11.
The key problem:
In
sensitive environments, it is not enough to secure only the front door
of the building and leave all inner rooms without additional keys and
checks. Sad, but it is exactly what happened to iOS. If you have a
passcode, you may get everything else.
Bellow, you will see what attackers can do to user’s data if they have access to the device and passcode.
iTunes backup password
iPhone
backups that are made with the help of iTunes can be safeguarded with a
password. With each new version, Apple successfully increased backup
passwords security addressing the growing threats coming from password
breaking crooks.
All
of a sudden, in iOS 11, Apple allows resetting that extremely secure
password. Having the device and knowing the passcode, there is no need
any more to break your head creating sophisticated attacks, you can just
remove the backup password.
Before
I tell you why this is so important, let me explain how it was
implemented earlier. In iOS 8, 9, and 10 you could create a password in
iTunes to secure your backups. You had to do it just once and all future
backups on any of your numerous devices would stay protected with a
password.
It
is important that this password belonged to your Apple device and not
the computer or iTunes. You were able to connect an iPhone to a
different PC with a new copy of iTunes and male a backup. That backup
would be safeguarded by the backup password you set previously, maybe
very long time ago.
The
iOS controlled all password changes and removal attempts. It required
to provide your old password first. People who forgot their passwords
had stuck with what they had or reset the device to factory settings
thus losing all data.
That
was really a secure way to handle passwords. But users wept, the police
started to snivel, and the FBI started to complain. Apple decided to
give up.
Pillaging backup passwords in iOS 11
Although
you can still go to iTunes and get a backup password that cannot be
later changed without the original one, this all means nothing because
it is possible to completely remove the backup password from iOS.
Apple knowledge base says:
You
can’t restore an encrypted backup without its password. You won’t be
able to use previous encrypted backups, BUT you can back up your CURRENT
data using iTunes and setting a new backup password.
Now
for crooks to extract sensitive information from the device, they just
need to make a new backup. They may create a temporary password 1234 for
example for the new backup. Once it is ready, they may extract user
data like credit card info, passwords, health data etc. Turning this
information into readable format will require some forensic tools but
they are widely available on the market.
While
getting all those passwords, most probably you stumble upon the Google
account password. With that in hands, you may access a whole lot of
personal data. In case Google account has multi-factor authentication,
the very iPhone in your hand (often) includes the tied SIM card.
Imagine
hackers got control over an iPhone with the previous version of iOS. It
is a win again because updating the iOS to version 11 is not a problem.
Yes, iPhone 5 cannot run iOS 11 but good and old jailbreaking of 32-bit
devices still allows to gain full physical control.
Again,
this post implies crooks know the passcode. But if you grabbed your
boss’s iPhone you can relatively easy brute-force the passcode with the
help of numerous tools that are common these days.
Summarizing the above said, with iPhone and passcode, it is possible to get:
· Application data
· Local images and videos
· Passwords from local keychain
· Just everything located in a local backup
Is
this just massive? Wait, it is just the begging. Next goes changing
Apple ID password, disabling the iCloud lock, and locking or erasing
other user’s devices remotely.
Apple ID password
With
all other services I use, to change an account password, I need to
provide my old password. Apple sees it differently. To reset Apple ID
password (using the device) you need just to confirm the device
passcode. It works for accounts with multi-factor authentication but
again most probably your device has the necessary SIM.
Moving forward on our list, now you can also:
· Change the Apple ID password
· Deactivate iCloud lock and consequently reset iPhone using different account
· Get access to just everything stored in that iCloud account
·
See on the map the actual location of other i-devices registered with
the same account and remotely erase or lock those i-devices
· Change the phone number and begin receiving multi-factor codes to your SIM
So,
in order to reset the Apple account and iCloud password, you need to go
to Settings > Apple ID > Password & Security > Change
Password. You will now have to enter the passcode and then you will be
able to change the password for Apple ID and iCloud. It is that simple.
Next, you can change the Trusted Phone Number. Just add and confirm a new number and then remove the old one.
Getting into iCloud
Having
reset the victim’s iCloud password together with adding your own phone
number to receive 2FA codes, gives us access to everything the victim
has on his Apple account. These are call logs, contact list, iCloud
Keychain, photos taken with all other i-devices, iCloud backups, etc.
And ICloud backups may contain tons of information as Apple allows to
keep three recent backups per each device registered on one Apple ID.
Synced Data
Moreover,
iCloud allows crooks to access information synced across all i-devices
like browser passwords, bookmarks, browsing history (but not the VPN data), notes etc. In case the user also has a Mac, you can get his desktop files and documents.
iCloud KeyChain
To
sync Safari passwords, payment info, and auth tokens, Apple uses a
cloud service cold iCloud KeyChain. Once you change the iCloud password,
you can download all then KeyChain data. Now you will be able to even
see the old (original) victim’s password for his (now yours) Apple
account. Additionally, you will have access to email account passwords
and Wi-Fi passwords, and actually every password the victims typed in
his browser.
Bottom line
iOS 11 breaks the delicate convenience/security balance moving heavily into user convenience side.
If an attacker
steals
your iPhone and recovers the passcode, there will never be any extra
layer of protection to secure your data. You will be completely exposed.
As the passcode is the only protection left, be sure to use all six digits allowed.
I hope Apple will fix this security issue.