Prior to iOS 11, the OS would quite often ask for your Apple ID username/password by showing a popup regardless of whether you were in another app or Springboard.
Since you don’t know what the hell’s prompted that request, it was noted that this opens a vector for phishing [1] and it conditions users to blindly put their password into anything that asks.
I wonder if this is an attempt to fix that gone wrong.
Not a great solution, but if iOS itself is asking for your password, pressing the home button when the dialog is up will be a nop instead of returning you to the home screen.
Yeah, that was the suggestion I saw people make when Marco Arment mentioned [1] that the popup was bad too. As you say, it’s not great but it seems better than nixing the popup entirely.
If I remember correctly, people at the time were suggesting Apple simply had their own, private version of the popup which indicated its authenticity via colors or a badge. I honestly feel like that might have been good enough, especially if you change the other, public popup dialogs to warn not to enter password information.
I guess the corollary to that is Dropbox faking the macOS credential popup [1] - anything you can see can be cloned. If they'd just fixed it so it didn't appear so damned often and without any apparent cause (I get that it was probably triggered by some background process trying to sync or something - those should really have triggered an "Open Settings to confirm your Apple ID" sort of message, rather than a direct request for credentials), that might have been enough.
I had to put it in a couple of times the first day I got my iPhone X (2+ weeks ago), but I do not believe I've had to enter it again since, having done several actions that would require Apple ID authentication since then.
So the TLDR; is that Apple allows a trusted device (your iPhone) and PIN/passcode to be the identification required to reset a lost iCloud password.
I honestly think this is a reasonable security model, as every other 'forgot password' workflow that I see services use is already vulnerable to my phone and passcode being in the wrong hands.
Think about the common options here. Apple could send out a reset link via email, but bad guy already has my email. They could send a verification code via SMS - oh wait, this is MY PHONE we're talking about. How about they send a push notification to... never mind.
About 3 seconds worth of thought brings one to the conclusion that with my phone and pin/passcode, a bad actor could reset the passwords for pretty much every service I use - it's not just iCloud.
So someone explain to me in non hand-wavy terms how you'd expect this to be any different/better?
> So someone explain to me in non hand-wavy terms how you'd expect this to be any different/better?
From the article:
Any attempt to change or remove that password must pass through iOS, which would require to provide the old password first. Forgot the original password? There’s no going back, you’re stuck with what you have unless you are willing to factory reset the device and lose all data in the process.
Apparently, there was no password recovery. Now there is, and as a convenience it even skips the whole email step. This has implications for accessing the data present on the device, which is the whole point of the article.
I will clarify - I'm referring to the iCloud password reset, not the ability to create a new backup with a different password. You're rebutting my arguments about the former with quotes about the latter.
Except this attack vector requires the attacker both has your phone and knows your passcode. Meaning they don't need to access your backups any more, they already have all your data!
This article can be summed up as "Apple relaxed the security model so that if you have physical access with password authentication, you have full access to everything else".
I don't entirely agree with this - if my iPhone PIN is compromised, I do not want my 2FA iCloud account to be compromised.
Agree, the old model was fine. I've been using iPhone because IMO it's a more secure device than the alternative. Surely they could make this an option?
I think it might be possible to exclude your iPhone from trusted devices and revert to security via phone number. And in case the phone number is your landline you still got your two factors.
This does not apply to most people but in the US at least, you can set your phone number to a Google Voice number. You don't have to forward text messages from Google Voice to a carrier so you can ensure your Apple ID two step (isn't it two step rather than two factor?) authentication is just as secure as your Google account.
> I've been using iPhone because IMO it's a more secure device than the alternative.
There are some alternatives that are absolutely more secure. Now the trade-off might not be what you want, but the iPhone and iOS aren't the most secure smartphone available.
> There are some alternatives that are absolutely more secure
Probably, but Silent Circle isn’t one of them. Silent Circle is just a generic Chinese Android phone without carrier bloatware. Instead, they ship a bunch of their own bloatware. They haven’t really made any fundamental improvements to security over what you can get with any other rootable Android phone.
iOS has a generally much stronger hardware security model than Android, although it’s not perfect either, especially given that it’s closed source and not auditable.
I’m hopeful that Purism’s Librem 5 cell phone will represent a substantive improvement in smartphone security. Runs standard Linux, isolated baseband, hardware kill switches, etc.
Bittium's ToughMobile has some special hardware and a government certification (KATAKRI) to be used as a container of classified information. Finnish Defence Forces just bought a bunch of them.
It also comes with its own Secure Suite MDM and is not tied to any unwanted third party. It's quite expensive, though, and I have no first-hand experience of it. Just talked with some Bittium guys recently. Lots of former Nokians working there.
That link is about privacy, not security, and horribly misunderstands some fundamental basics. Like that you can disable Google applications just fine. Sure you have to trust the OS to actually disable like it says it will, but you also have to trust that iOS does what Apple says it does, too. But you don't have to trust anything Google on that phone.
I think the phone is silly for other reasons, but that link is nonsense and largely unrelated to the discussion at hand.
It would be fine if they offered an option to keep the old way of doing things, but the new way is better for most users. Any security that's used is far superior to using no security.
I wonder if the other shoe will drop in iOS12 - Apple getting rid of the bruteforce limiter on PINs. Or making it much more relaxed, too. If it will be willing to do that, I would start getting worried about hidden changes to TouchID and FaceID, too, that could make them easier to crack as well.
I wonder if Apple changed its mind on blocking law enforcement from decrypting iPhones. It seems they were the ones to reach out to law enforcement when the Las Vegas attack happened.
I for one think it's completely ridiculous that every time such an attack happens it's encryption that gets most of the blame, rather than say the guns that were the actual tools that killed all of those people.
So one unhealthy individual can go and get an assault weapon, hundreds of bullets, no questions asked, but it's when he starts talking on his iPhone that we should be getting worried and monitoring his conversations?
Plus, such attacks are probably kept private, not shared with their best friends before they happen. The whole logic process seems so backwards. It's a little late to be reading the contents of the shooter's iPhone after he's already killed 20 people, no?
From an objective perspective, user's behavioral data on an electronic device would be a far stronger indicator of a potential attack than the purchase of firearms. I'm sure you're not saying that the government should have full access to behavioral data from every device/ISP.
A cowardly mass attack devoid of value for human life can occur using nearly anything (pressure cookers, fertilizer, vehicles, chemicals under your sink, etc, etc, etc). While certain individuals certainly should not be allowed to possess firearms (those with mental or criminal behavioral events/patterns - there is already a federal background check that occurs in obtaining firearms) it is near impossible to prevent someone from obtaining something they are dead set on obtaining unless you lock them up until their death.
Let's not forget that the only time the US has been invaded (technically not yet the US, I know) was when armed private civilians rose together and defeated the preeminent military power in the world. Had those people not been armed the US would not exist. Think how many potential conflicts on US soil the armed population may have deterred since then when you compare its history with nearly any other country in the world over the last 250 years.
I am interested in your assertion that private gun ownership has deterred foreign invasion. Can you provide a citation? I would think that the trillions spent on defense over the course of decades would have the largest deterrent effect.
And Canadians are still invading my sunny state every winter, they wear smiles and friendly greetings as their uniforms, and use loonies as ammunition.
My real counter-argument: the US has tremendous geographical advantages and a massive military. When it didn't have a massive military, it still had huge oceans around it, and both neighbors tested our borders before we had a massive military.
So I'm very skeptical about any correlation between firearms ownership and homeland defense.
While this is less secure than before, I’m not sure if I agree with their premise that events such as San Bernardino perpetuated this change. This would not have helped the FBI decrypt that iPhone if it had been running iOS 11, since they were not able to effectively guess that phone's 4-digit passcode, let alone a 6-digit or alphanumeric passcode.
Their entire claim of a horror story relies on having physical access and the passcode, which would be game over on basically any device anyway.
It does point out a problem with most SMS and app-based 2FA systems in that all accounts that are protected as such essentially rely on your device's passcode to keep those accounts safe.
> Their entire claim of a horror story relies on having physical access and the passcode, which would be game over on basically any device anyway
The issue here is actually deeper. With the physical access to your device, they get access and ownership of your other devices, too.
Say, you lose your iPhone on a trip and an attacker recovers your passcode for that phone (say you're not a HN'er, but an average joe who uses a 0000 passcode for convenience). Now the attacker can overtake your apple ID, go into the Find My iDevice app and _lock_ your iPad and your MacBook that are still in your possession. And now you've got two more bricks on your hand, which presumably display a Bitcoin address with a ransom.
A ransomware scheme that requires stealing physical devices seems hard to scale. I suspect I would be more worried about one device being hacked and someone using access to that device to attack other devices.
I'm still on iOS 10. If you get my PIN code (say you're a friend, you find it somehow, repair shop - work at one and need the PIN, etc.) then you can't do a whole lot. You still need my password or thumbprint to buy apps or change passwords.
In iOS 11 it changes, now you can for example access all passwords in the keystore. So you know my 4 digit pin for my phone, not to mention my Google password, Apple iCloud password, etc. Those should not be accessible with just the access code.
I have always used an alphanumeric password instead of a PIN. Since Touch ID my password is really long and complicated. I can’t remember it. I have a matrix of hex numbers in the phone case to be used as memento to help recreate the password in case of reboot. Actually two. So I can throw one away and escape RIPA key disclosure law. The back of the matrix explains you need two, and if one is missing then there is no way to retrieve the password.
You can still set an arbitrary-length passcode. I think they phased out 4 as too weak, so now 6 is the default, but you can go longer and it'll just show you a text box instead of 6 placeholders.
“In iOS 11 it changes, now you can for example access all passwords in the keystore”
You can do that in iOS 10 as well.
Apple made your passcode equivalent to your root password on a Mac.
I think they were trying to make it easy for less tech-savvy users to use the device. I agree that there has to be some mechanism to change what kind of password you want to apply to access certain functionality on your phone.
Maybe I misremember, but after an iOS upgrade you have to sign into your Apple account again (at least I got asked every time). So knowing the passcode and upgrading from iOS 10 to 11 could mean the owner’s Apple account cannot be hijacked because the owner is not signed into the Apple account.
From the article: "What if the iPhone in question runs an earlier version of iOS that does not allow removing backup passwords? I say you’re lucky because you can simply update that device to iOS 11 and then reset that password. We tried this strategy multiple times, and not once did we have an issue."
> Their entire claim of a horror story relies on having physical access and the passcode, which would be game over on basically any device anyway.
If I understand correctly, prior to 11, you needed to know the iCloud password to, say, remove Activation Lock. Now, you don't need iCloud password, just device password (and physical access of course).
It's a significant drop in security, and not just in a theoretical sense, if only because people enter their device passcodes a lot more than they do their iCloud passwords (which makes them tend to be easier to guess and easier to capture).
And yet Apple asks for your passcode and puts it on their repair database if you take it in. No idea how many of your other accounts their repair people use your phone to compromise. I'm guessing it's low, but it's not impossible to believe some repair technician with your phone's passcode might use your phone to access other accounts.
This one always irks me. If I know that my phone needs a repair, I’ll always back it up and do a fresh install before bringing it in. It’s a huge hassle and I get the impression that not many people even think about it.
Can you do that if the phone won't start because of some defect? It's the same with a laptop, if it won't start you can erase the drive without opening it before sending it for repair.
To be fair you can always deny to give it out to the techs, it's just less convenient for you to do so. I don't think they will refuse to repair your device if you do not give up your passcode.
I've taken multiple devices in for multiple repairs, and I've never had an Apple Genius ask for a PIN, passcode, or password. Every single time they ask me to unlock the device and are careful to look away when I need to enter my iCloud password to disable FMI/Activation Lock.
They do? I've had the screen replaced on a few, and they always have me unlock it myself. Are they capturing my input somehow? I've never verbally provided any passcode to an Apple store employee.
I think the difference is now like you would have used same PIN code to everything, password manager, emails, online accounts, where before you could unlock less things with the PIN now you unlock everything.
iOS's 2FA model confuses the hell out of me. I'm sure if I sat down and worked it all out I could figure out what all Apple is using for 2FA on my iDevices, but I haven't been arsed to do that and it shouldn't be this complicated.
With iOS's 2FA system: I've had to click buttons on other devices. Enter codes on other devices. Enter codes from other devices. Click links in emails. Type my passcode on other devices. I just ... don't have a grasp on it at all.
That's not good.
With regards to the backup issues outlined in the article, it's hard to say if the backup leak is a major issue.
Take the casual user: They won't be making iTunes backups. Most casual users are probably just doing iCloud backups. In fact, they don't do backups at all; iCloud backups are automatic so they don't think about it (it just works).
Take the security hard user: They'll have a password instead of a passcode on the device. So adversaries probably won't get access anyway. Of course, it's possible they shoulder-skim your password, whereas they probably won't be able to ever shoulder-skim your backup password. So certainly Apple's change here _does_ objectively make the system weaker.
It's hard to say if what Apple did here was the right thing. Like I said, I don't think most casual users are doing iTunes backups, so why even bother making iTunes backups more user friendly?
Regardless, it could certainly be improved. Maybe require 2FA to reset backup password?
The issue where you can reset the iCloud password is certainly troubling. It's a hard issue to balance, as Apple doesn't want to set up a system where the average user gets locked out of their account because they forgot their password. But it really shouldn't be possible to take a single iDevice and password and take over a user's iCloud account.
:shrug: it makes sense to me for icloud.com. Your laptop is trusted, but the browser you're using isn't. AFAIK there's no browser API for a trusted OS to bless a web browser and web request so this is kind of a workaround. Safari has the possibility of doing this without standards support--I don't know if it does.
Pet-peeve, but I wouldn't say ridiculous. It's like how there's no Kerberos compatibility for web apps.
Could you walk through that threat model? I don't quite get it. In what scenario is an antagonist in control of my (untrusted) browser but not also in control of my (trusted) laptop? Put another way, doesn't that antagonist always see the 2fa code, and then enter it?
Your browser doesn't know the laptop is trusted. I'm not aware of any standard API that a browser would use to confirm they're running on a trusted laptop (they'd have to implement an OS specific call for an OS specific feature...which doesn't often happen). In theory Safari could support it (I don't know if it does or doesn't). Apple could push for either a standards body or just Chrome/Firefox to implement macOS APIs--but I don't see any reason those browsers would make the effort.
Maybe it’s just me but I’ve tried and failed several times to restore an iCloud backup. A backup isn’t a real backup unless the restoration is tested. Unfortunately iCloud backups would just never finish restoring for my device, whereas restoring iTunes backups just works. So I usually set up a recurring calendar item to remind myself to backup to my computer (which then get backed up again using Time Machine and CCC). It’s sad that I have to do this.
They're just very slow, and at least until iOS 10, apps that were in the "restoring" state displayed no indication of such. I was told by an Apple retail employee that in most cases WhatsApp was always the last app to finish restoring, which was exactly the app that was "stuck" for me.
I assume it is because the iPhone is decrypting the backup, but it's just that it is doing it very slowly for some reason.
I've found it absolutely will not complete (especially photos) unless a charger is connected to the device. This completely stumped me with a fully charged phone recently.
They need to add a "keep going anyways" button, or a prompt to plug in like the watch has.
It's not default, but you can set a recovery key that prevents someone with your phone and passcode from being able to take over your account: https://support.apple.com/en-us/HT208072
I have an "RK-" recovery key in my backup from when I set it up a couple of years ago. However today I see no reference to recovery codes whatsoever, either on my account or during attempts to recover my password. I just now stripped two-factor auth entirely, and set it up again from scratch. There is absolutely no reference to a recovery key anywhere[1].
It must depend on which devices and/or OS versions one is running. I've got a 2013 MacBook Pro on High Sierra and an iPhone 6 on iOS 11 (latest software on both). I also have a confirmed phone number. I no longer have the option for a recovery code with two-factor auth[1].
Edit: I'm wrong; PIN + device access is game over for everyone, full stop. Preserving the original for posterity:
If what you’re saying is true (resetting an EXISTING recovery key to an attacker controlled recovery key requires only device passcode), that is a major security flaw.
Fundamentally, iOS has made the trade off that most people should default to being able to recover their data if they forget their password. Technical or famous people can and should opt IN to the high security recovery key model.
In other words: if you have set a recovery key, you shouldn’t be able to reset your iCloud password or recovery key without BOTH possession of a secondary logged in Apple device AND the current iCloud password. Alternately, you can of course control the whole shebang with a recovery key, that’s what it’s for.
Are you saying you were able to reset an established recovery key without needing to enter your iCloud password OR 2FA acknowledgement on a secondary device?
Correct. I set a recovery key, force locked the phone (so passcode is required to get back into the phone itself), went to the iCloud security tab as described in the Apple KB article, and proceeded to reset the recovery key. I was only asked for my device passcode.
OK, you're right. The recovery key doesn't do what I thought it was doing. It's not hardening any requirements for 2FA, it's an additional (logical OR) option.
It looks like Apple ID "RK-"-prefixed recovery keys are no longer a thing. I have one stored in my backup, but none of the "forgot password" scenarios asks for a recovery key anymore. As a further test, I just stripped two-factor authentication from my account, and set it up from scratch. No mention of a recovery key this time around, and no section for it in the security tab[1].
Recovery keys are gone. You must either have a 2nd device, or be able to receive a text or phone call to a verified phone number. Failing these, the last resort is now an "account recovery" process that takes a few days to reset via what looks like verification by email and confirmation of personal details.
I'd rather have retained the recovery key option, but I imagine this system was removed because the majority of consumers weren't actually storing the key. Of people who at least stored the key, far too many probably only put it on their Apple device(s), which is of course useless.
Isn't that a caveat with a lot of 2fa systems though? If you get locked out and don't have the recovery keys you got when you set it up, you are basically permanently locked out.
In some cases you can end up doing hilarious things like emailing scanned passports to get it reset. It usually depends on the compromise the provider is willing to make (and the amount they are willing to spend on customer service)
I would love to have systems where I can set a password and there is no online reset available. For my retirement account, for example. If I forget my password, I have to go to an office in person to reset. Maybe a $50 fee, if this service is too much of a burden on the broker. Same with my bank. They have branches everywhere. I know many people forget their passwords all the time, so they need an easy reset for those people, but for others that want a more secure system why not an in-person reset for a fee? Bad PR? News stories about how those greedy banks now want to make money when you forget your password?
Haha, this is too funny. I have an iPhone 5s that I encrypted years ago with a password that I have unfortunately forgotten. Had to start from scratch with my iPhone 6s, because of this. I stopped updating the 5s, hoping that one day there will be an exploit that makes it possible to break in and pull the data. Who would have thought that instead I will be happily upgrading to iOS 11, because Apple made it a feature.
I know this is bad, but for me it is awesome right now.
So I reset my forgotten password with this method and now cannot set a new password. Every time I get
> The password you entered to protect your iPhone backup could not be set. Please try again.
What happens then is: the password I set is actually active, because to back up I have to enter that password - but as soon as I unplug the iPhone and plug it back in, I can/have to set a new password.
I updated iTunes to the newest version, restarted the iPhone, reset the iPhone settings multiple times, but I cannot encrypt the backup anymore. Weird.
edit: (the solutions to this problem that Google offers did not solve the problem)
I started skimming towards the end. It sounds like there's some genuine weakness introduced here. But I'm also getting the impression there's some of the "security people" mindset Linus was ranting about:
"Forgot the original password? There’s no going back, you’re stuck with what you have unless you are willing to factory reset the device and lose all data in the process.
If you ask me, this was a perfect and carefully thought through solution."
I'm not sure how you can consider it a perfect solution that users are losing their backups and hammering Apple for support about the issue. The suggestion to make another backup via iCloud is not terribly useful to those who have lost their phone.
You're mixing stuff up here. If you lost your password, your existing backups are not recoverable regardless of what the article is talking about. This includes the "lost their phone" case as well - you don't have access to the phone to reset the password and make a new backup.
So, the only scope left is if you have your device in hand, in which case having the option to back stuff up to iCloud even if you lost the local backup password is pretty legitimate if you want to migrate devices. And useful even for resetting the said password: you back up to iCloud, reset your device to reset the password and then restore an iCloud backup. The only catch is that you'd need to buy some iCloud space from Apple, but a) they're gonna be happy to charge you for it, and b) it's quite cheap as the backup size is quite smaller than the amount of storage taken on your phone (my phone backup is 15 GB when 80 GB was used on the phone), and is a one-month purchase.
The end was the most significant part. They can take over your iCloud account with the phone password.
I don't care much about the phone backups on some secondary devices. I do care whether those devices can hijack my iCloud account with just that phone's PIN.
That seems terribly broken, to be able to change iCloud without having the password or without 2FA.
I agree. The first part about the backup seems like a side show because once an attacker has logged into the device they already have access to everything that would be in a device backup (usually).
The attacker with physical access to the phone does not have direct access to the data, only to UI of applications that use that data, which is often something significantly different.
> I'm not sure how you can consider it a perfect solution that users are losing their backups and hammering Apple for support about the issue.
I am certain that one cannot consider it a perfect solution that Apple can read a user's data.
Like with Mozilla's crippling of Firefox's end-user security, any protocol which allows an unauthorised party to read data will eventually ensure an unauthorised party to read data.
Why do you assume Apple can read your iCloud data? If the decryption key for the backup is stored on device (protected by the device pin), then they can’t.
PS: Actually I was wrong, I just checked and it seems very weird that you can change the password without a confirmation from another trusted device or trusted number. Meanwhile, to mitigate the threat a little, you can delete your mobile phone number from the trusted numbers so someone hijacking the SIM card cannot receive a confirmation code if he puts your SIM card into another phone.
——————-
I don’t really get their point. It’s as if someone told us « Linux has weakened their threat assessment level, if you got the password of a sudoer user you can access everything on the system ».
The only difference being that it extends to what you put in the cloud. But losing the passcode on iOS was always the equivalent of giving full admin rights on the machine.
That’s the whole point of TouchID/FaceID/SecureEnclave: teach users to have a strong passcode while keeping a smooth UX because they don’t have to type them regularly.
So yes, this is a single point of failure which comes with pros and cons.
- The bad news is that if you give your passcode you can lose everything
- The good news is that the only way to crack your device is to guess in ten attempts what is the passcode from 1000000 possibilities by default (maybe less cause you can’t decently use some combination like 123456)
I’ve been bit by setting a secure iTunes backup password, and then forgetting it, and having to go through an iCloud backup followed by device wipe and restore just to get the old forgotten iTunes Backup Password off of the device. It was painful.
But in the end I was able to remove the password and keep the keychain data all in place and instill a new iTunes Backup Password which I knew.
So what’s actually changed other than not having to go through the whole iCloud Backup/Wipe/Restore in order to reset the iTunes Backup Password?
Maybe I am misremembering and it didn’t actually restore my keychain back onto the same device when I did the restore?
If an attacker has access to the device and passcode, they already can view all the data on it including the keychain. Right? So the concern here is just that Apple has made it easier for attackers with access to a device and passcode to exfiltrate in bulk instead of piece by piece via the UI.
In exchange for letting people reset their encrypted backup password without losing data.
To nitpick, there is more data in the keychain than passwords and credit cards. But I think having all your passwords and credit cards exposed is probably bad enough.
But you could, for example, install a Trusted CA Cert and mitmproxy the connection to sniff the Google password as it’s used to login. Same with stored credit cards, etc.
If you disable iCloud Keychain, sign out of an iCloud account and then log into a different iCloud account on the same iPhone — what happens to the local keychain data?
What happens when I turn off iCloud Keychain on a device?
When you turn off iCloud Keychain for a device, you're asked to keep or delete the passwords and credit card information that you saved. If you choose to keep the data, it isn't deleted or updated when you make changes on other devices.
And then...
When you turn on iCloud Keychain, any previously-saved website usernames and passwords, Wi-Fi networks, and Internet accounts are automatically included in iCloud Keychain.
If you look in the password and security menu in iCloud settings, there's an option to set a recovery key: "Using a recovery key increases the security of your account. When you create one, the only way to reset your password [emphasis mine] is by using another device [edit: emphasis mine] already signed in with your Apple ID or by entering your recovery key."
I can find no mention of this feature in the article. It would seem that it would mitigate the core problem described by preventing someone in possession of your phone and passcode (but not the recovery key) from taking over your iCloud account.
OK, I just tried setting it up. Here's the problem. You can certainly set the recovery key, but you can easily create a new one just with the phone passcode. So if your passcode is compromised, your iCloud account is basically gone.
Yikes. This seems a serious weakness. I get why they would make it easier to do backups, but not why they would make it so easy to get iCloud.
I guess the only consolation is that eventually the phone will log out, so the attack would have to be done soon after getting the phone?
Update: It's much worse than that. I just got a login notification on my iPad for my Apple ID. So I'm not signed in. But, I went to reset the password, and it said I can do it with a passcode since I'm signed in to iCloud.
So iCloud sign-in lasts far longer than Apple ID sign-in for the App Store.
This seems like a serious vulnerability. Makes me rethink having multiple iDevices, or putting anything in iCloud Keychain. Any one of them gives access to everything.
I am not a security expert though, so take this with a grain of salt.
As a crude but workable safety precaution, the Apple Configurator[1] can prevent your phone from pairing with other devices, so even if someone resets the backup password, they would still not be able to recover its content. Keep in mind that once enabled, the only way to disable it is to wipe your phone.
Somewhat related: There's currently an article on the front page of an Indianapolis TV station's web site entitled "Technology advancements lead to crack in IMPD officer evidence tampering investigation" [0].
It doesn't mention what type of phone they're talking about in this case (or go into much technical detail at all, of course) but I'm very curious just what "advancements" enable law enforcement to bypass the encryption that is, by now, enabled by default on most phones, AFAIK.
I'd be even more interested if this was an iPhone, as that's what I have. This wouldn't have been iOS 11, however, as the original event (the setting of a passcode) occurred on 2015-11-02.
Regardless, these "advancements" discussed in this article sound more like "regressions" to me.
While this is obviously less secure than iOS 10 - I can't help but think this is a minor issue. If you treated your iPhone as a standalone device (something that has been supported since iOS 5, I haven't touched iTunes in years), you are vulnerable to this exploit. In other words, if you never set your iTunes backup password, you were always vulnerable to everything in the article. I didn't even know about the iTunes backup password feature and I've always assumed passcode lost = full compromise.
I will admit though the data available to access in a backup is far deeper than I had expected, and definitely far deeper than you can get through iOS alone. I'm not a security nut, but I'm surprised I didn't know about this option (again, probably because I don't use iTunes).
"Forgot Password" flow, by definition, lets you reset the password without knowing the old password. That's how it works in every "Forgot Password" flow ever invented.
So my question is (having never gone through that flow with Apple ID), what was the "Forgot Password" flow in iOS 10? If the answer is it sends you an email, how does that work for people that use icloud.com mail (because, if they don't know their password, they can't get their mail)?
I didn't reset either, but it gave me the same prompt described in the article as an iOS-11-exclusive flow.
Perhaps the behavior of a completed reset differs; I'm not about to mess with it just for kicks. But the fact that everything up to that point is identical makes me doubt that somewhat.
I've also never gone through the Forgot Password flow, so I'm not sure. It could be that Apple insists on a non-Apple email address as a recovery option?
Which, 99.9% of the time, would also be attached to the phone.
The "always signed in" model of mobile computing means that once you have access to the device, you have the keys to the kingdom. Why are we concerned about a slightly smoother iCloud password reset flow when somebody with this level of access has enough information and capabilities to get into my bank account?
I really wish I could set the Gmail iPhone app to require reauthentication on app start. The only way to sign out is to remove the account. https://www.wikihow.com/Log-Out-of-Gmail
This is a good point. Certainly true for my main phone. I guess one difference is that now any secondary iDevice can also access iCloud, even if no email accounts are connected.
I was reading the archive and I must have missed it among the broken links.
How has this not been a bigger issue before? I’d imagine, iOS 11 or not, for those of us without iTunes, anyone with my iOS passcode has always been able to access my iCloud account.
They may have had access, but they didn't have the means to change your trusted devices or perform other sensitive operations. I'm often asked to confirm my Apple ID password when making changes. If I can just make up a new one, this basically means the PIN is all I need now.
Interested in knowing idlewords' response to this since their “Security Guidelines for Congressional Campaigns” recommendation is to use the most recent iPhone with the most recent updates:
Anyone who has your passcode and access to your device can take over your iCloud account by resetting the account, lock your other devices, and access any passwords you have stored in iCloud Keychain
If so, this seems like a massive security liability, and grounds for deleting all iCloud Keychain passwords.
Do you know how many people use 4 digit passcodes, or no passcodes at all?
Do you know how many people share that passcode with others, intentionally or unintentionally? Family members, spouses, etc. repair people who do screen replacements. Their buddy, who can text for them while they drive.
I’m sitting on a plane and saw the person next to me enter her passcode. It’s 258085.
That is not a secure 6 digit passcode, it’s a vertical Tetris shape. Humans are great at pattern recognition, particularly when it’s in a grid format and leaves finger smudges.
I could easily pickpocket this woman’s phone and ruin her weekend without much effort at all, just from reading this article.
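The shape described in the comment above can be checked mechanically. As an added example (not part of the thread), this Python sketch flags numeric passcodes that stay on one keypad line or walk between neighbouring keys; the function names and rejection rules are assumptions chosen for illustration, not any Apple or MDM policy.

```python
# Standard phone keypad: (row, column) of each digit. 0 sits under the 8.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "0": (3, 1)}


def is_keypad_walk(passcode):
    """True if each keypress is on the same key as, or a neighbour of, the previous one."""
    cells = [KEYPAD[d] for d in passcode]
    return all(max(abs(r1 - r2), abs(c1 - c2)) <= 1
               for (r1, c1), (r2, c2) in zip(cells, cells[1:]))


def is_sequence(passcode):
    """True for runs such as 123456 or 987654 (constant step of +1 or -1)."""
    steps = {int(b) - int(a) for a, b in zip(passcode, passcode[1:])}
    return steps in ({1}, {-1})


def weakness_reasons(passcode):
    """Return the reasons (hypothetical policy) a numeric passcode should be rejected."""
    if not (passcode.isascii() and passcode.isdigit()):
        raise ValueError("numeric passcodes only")
    reasons = []
    if len(passcode) < 6:
        reasons.append("shorter than 6 digits")
    if len(set(passcode)) <= 2:
        reasons.append("two or fewer distinct digits")
    if is_sequence(passcode):
        reasons.append("ascending or descending run")
    rows = {KEYPAD[d][0] for d in passcode}
    cols = {KEYPAD[d][1] for d in passcode}
    if len(rows) == 1 or len(cols) == 1:
        reasons.append("single keypad row or column")
    if is_keypad_walk(passcode):
        reasons.append("keypad walk between neighbouring keys")
    return reasons


if __name__ == "__main__":
    # 258085 is the passcode quoted in the thread; the others are constructed samples.
    for code in ("258085", "1234", "000000", "739104"):
        print(code, weakness_reasons(code) or "no pattern found")
```

An empty list only means none of these visual patterns matched; it says nothing about whether the passcode was observed or shared.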
I think deep inside you do understand the difference between immediate root access to a system without knowing anything at all and spying on somebody to learn their passcode. And even if I do agree it's definitely a change for the worse, it doesn't deserve the same hysterical response the root no-password-required bug deservedly got.
The root password hack also required physical access, or some sort of proximity access on a network LAN, to be able to work. It’s really not that much different than snooping on someone sitting a few seats away from you at the bar.
> While there, look for their Google Account password. If it is there in the keychain (and I don’t see why not), you’ll gain access to a whole lot of highly interesting information
This is exactly why my Google account password is the only one I do not keep saved anywhere. Not in keychain, not in 1Password. It's a strong password, plus 2FA (not that 2FA matters if someone has my phone).
I've never understood why health data is assumed to be something people want hidden and kept private.
If something happened to me, I'd like a stranger to be able to access it. It's not particularly embarrassing information for people to see - for some people, yes. But there should be a way to make your health data unencrypted for those that prefer it very accessible.
This argument pops up all the time, and has for years.
I recall seeing it when Eric Schmidt at Google said something like “don’t have anything worth hiding, and then you won’t care if you are hacked”. Excuse my brevity, but your argument and his are dumb arguments. These devices are incredibly powerful, and allow us to interact with one another in ways pen, paper, snail mail, and landlines never could (let alone the security risks those mediums have, which cannot be mitigated).
Devices can be incredibly secure. Manufacturers and service providers should prioritize that over mindless convenience.
I would agree with you, however, that you should not put your entire life into any insecure device. And it seems the iPhone is not an insecure device (I’m frustrated, and I have a 20+ character keyboard passphrase! Let alone 4-6 digit code)
The problem - in my opinion, probably going against wiser and smarter people - is that today's secure stuff is tomorrow's insecure stuff. So if you don't want to be locked into an eternal cycle of upgrades or worry about what level of security you should assign to the stuff you use everyday you are far better off by simply not taking the risk.
I understand that for many people this is problematic because they need these goodies for their day-to-day functioning. But so far I've managed to do without them and I don't feel particularly handicapped.
And on the flip side, every time I add a new device to my Apple ID, iCloud flips out totally, detects "suspicious" activity, and locks my account (and requires me to both verify it with one or more devices and changing my password).
So: Inconvenience where there should be convenience, convenience where there should be inconvenience.
Everybody seems to forget you need 2FA, iOS 11, and the 4- or 6-digit PIN or alpha password in order to access the iCloud password reset. Don't use 2FA with the iPhone.
What is up with Apple lately? Could not believe they were not able to get the HomePod out for the holiday. The Mac root security issue getting the door is insane.
I'm interested to know if you still think the title is great after you get the article to load. Of course it caught my attention, but after reading it I was left with a, "wait this is a horror story?" feeling. I suppose to many this seems like a huge vulnerability, but if we treat everything with these extreme sentiments, then nothing will actually be treated with special attention. Conversely, if no articles are given these sorts of titles, maybe no one will click them.
Between this and the Mac root login, looks like Apple has got 'an offer they can't refuse' from Uncle Sam, and are establishing plausible deniability by intentionally introducing security failures.
But they patched the Mac root login within 48 hours of it becoming “a story”? I don’t buy the conspiracy.
More likely, Apple wants to ease user adoption.
Did you buy an iPhone X? It was awesome to set up. There was this nifty feature to use NFC/the cameras on my new phone to authenticate myself, and it was a breeze. Huge fan of this type of improvement and convenience.
You know what I’m not a fan of? My iPhone being a gateway to hijack the rest of my digital life. It’s a key to my little kingdom that didn’t exist before, and my only protection is (figuratively speaking) locking my phone to me like the Nuclear Football, and continuing to use a 20+ character passphrase with enough entropy I can’t be brute forced.
I meant that they are 'introducing' security fails so that once there'll be indications they're giving data to Uncle Sam they can claim they were hax'd.
But I'm not really serious with this 'conspiracy theory', it's just some food for thought/shitpostin'.
1: https://9to5mac.com/2017/10/10/psa-apple-id-phishing-attempt...