After rapidly patching a flaw that allowed anyone with access to a High Sierra Mac to obtain administrative control, Apple still has more work to do to make its software secure, namely iOS 11, it was claimed this week.
Oleg Afonin, a security researcher for password-cracking forensic IT biz Elcomsoft, in a blog post on Wednesday called iOS 11 “a horror story” due to changes the fruit-themed firm made to its mobile operating system that stripped away a stack of layered defenses.
What’s left, he argued, is a single point of failure: the iOS device passcode.
With an iOS device and its passcode – a barrier but not a particularly strong one – an attacker can gain access not only to the device, but to a variety of linked cloud services and any other hardware associated with the device owner’s Apple ID.
Before the release of iOS 11, Alfonin explained in a phone interview with The Register, there were several layers of protection in iOS.
“I feel they were pretty adequate for what they were,” he said. “It seems like Apple abandoned all the layers except the passcode. Now the entire protection scheme depends on that one thing.”
What changed was the iOS device backup password in iTunes. In iOS 10 and earlier, users could set a unique password to secure an encrypted backup copy of the data on an iPhone. That password travelled with the hardware and if you attempted to connect the iPhone to a different computer in order to make another backup via iTunes, you’d have to supply the same backup password.
In iOS 11, everything changed. As Apple explains in its Knowledge Base, “With iOS 11 or later, you can make a new encrypted backup of your device by resetting the password.”
That’s a security problem because device backups made through iTunes contain far more data than would be available just through an unlocked iPhone. And that data can be had through the sort of forensic tools Elcomsoft and other companies sell.
“Once an intruder gains access to the user’s iPhone and knows (or recovers) the passcode, there is no single extra layer of protection left,” Alfonin explains in his post. “Everything (and I mean, everything) is now completely exposed. Local backups, the keychain, iCloud lock, Apple account password, cloud backups and photos, passwords from the iCloud Keychain, call logs, location data, browsing history, browser tabs and even the user’s original Apple ID password are quickly exposed.”
So the risk goes beyond the compromised phone and any associated Apple devices: Apple’s iCloud Keychain could include, say, Google or Microsoft passwords.
What code is running on Apple’s Secure Enclave security chip? Now we have a decryption key…
Alfonin in his post suggested “Apple gave up” in the wake of complaints from police, the FBI, and users. Asked whether he had any reason to believe the change was made to appease authorities, he said, “I don’t believe this was made for the police. I believe it was just user complaints.”
Nonetheless, the iOS change has significant implications for those who deal with authorities, at border crossings for example.
“If I cross the border, I may be forced to reveal my passcode,” he said, noting that many thousands of electronic device searches happen every year.
With that passcode, authorities could create their own device backup and store it, which would allow them to go back and extract passwords unrelated to the device itself later on. “If that happens they have access to everything, every password I have,” he said.
Alfonin said with iOS 11, Apple’s entire protection scheme has fallen apart. He likened the situation to the 2014 iCloud hack known as Celebgate.
“Those iCloud accounts were protected with just passwords,” said Alfonin. “We have a similar situation today. If it’s just one single thing, then it’s not adequate protection.”
To fix the issue, Alfonin suggests going back to the way things were. “It was a perfectly balanced system,” he said. “I don’t think anybody complained seriously. The ability to reset an iTunes Backup password is not necessary. If they revert it back to the way it was in iOS 10, that would be perfect.”
Of course, this is just Alfonin and Elcomsoft’s opinion. Others in the world of infosec were not convinced by his arguments – for example, Dino Dai Zovi, cofounder of cloud security biz Capsulate8, was having none of it:
Note that they don’t require just an unlocked device or unlocked device and authenticating with Touch ID. You need to enter the passcode on an unlocked already trusted device to reset passwords and such.
— Dino A. Dai Zovi (@dinodaizovi) December 1, 2017
Apple did not respond to a request for comment. ®
PS: Apple’s iPhone X shares face scans with apps, which has some people worried. Also, if you have installed the password-less root security patch on macOS 10.13.0, and then upgraded to 10.13.1, make sure you reinstall the patch – Apple’s Software Update mechanism should do this automatically – and reboot. The upgrade from .0 to .1 nukes the emergency fix.