PDA

View Full Version : iOS 11 is no longer the most secure mobile ecosystem?



Cr00zng
12-03-2017, 12:04 PM
Elcomsoft (https://www.elcomsoft.com) is one of the leading providers of forensic tools, including iOS and macOS. The company does not have a favorable view of iOS version 11:

IOS 11 Horror Story: The Rise And Fall Of IOS Security (https://blog.elcomsoft.com/2017/11/ios-11-horror-story-the-rise-and-fall-of-ios-security/)

Quote:
The passcode. This is all that’s left of iOS security in iOS 11. If the attacker has your iPhone and your passcode is compromised, you lose your data; your passwords to third-party online accounts; your Apple ID password (and obviously the second authentication factor is not a problem). Finally, you lose access to all other Apple devices that are registered with your Apple ID; they can be wiped or locked remotely. All that, and more, just because of one passcode and stripped-down security in iOS 11.

Asides from this blog posting being an advertisement for Elcomsoft...

The blogger may have a point about weakening the security of the iOS 11 beyond the PIN number. Especially, if it's taken in to consideration that iOS 10 did have additional security beyond the PIN number.

While some of the configuration changes as described in the blog worked in my iPhone, such as adding/removing trusted phone numbers, resetting the Apple ID password did not. The latter one might be due to my iPhone settings, such as not using the "Wallet and Apple-Pay", iCloud, etc.

But for others with more "standard" configurations, the step-by-step procedures listed in the blog could prove to be valuable resource in case the apple ID PWD is forgotten. Well, provided that the PIN number is not forgotten that is...

MacInWin
12-03-2017, 01:26 PM
Well, I read most (admittedly not all) of that article and was not impressed, frankly. They seem to be trying to raise the fear that somehow someone could get your iPhone AND your passcode and do all of that damage. Yes, if they have the passcode, they can do a lot, but that's true of just about every form of security. If you really want your iPhone to be secure, set at least a six digit passcode, or even better, change your passcode from four numbers to a custom alpha-numeric code and make it really hard to guess, then set the Erase Data to wipe the phone after 10 attempts. What was curious is the blog didn't even mention the alphanumeric codes that are now possible. Maybe they didn't do enough research?

Bottom line: Any time you have a passcode and make it trivial, you are exposing yourself to being hacked. So make the passcode long and hard to guess. And keep track of the device. If it's gone missing, go to Apple right away and reset the phone remotely. It's better to have to restore the iPhone than to have to restore your reputation or bank account.

Slydude
12-03-2017, 02:09 PM
Top notch answer as usual Jake. I venture to say that the same level of problem can occur with most of the devices we use on a daily basis. With simultaneous access to the device and passcode the same problems could be caused with someone's Android device for example.

Cr00zng
12-05-2017, 09:23 AM
Well, I read most (admittedly not all) of that article and was not impressed, frankly. They seem to be trying to raise the fear that somehow someone could get your iPhone AND your passcode and do all of that damage. Yes, if they have the passcode, they can do a lot, but that's true of just about every form of security. If you really want your iPhone to be secure, set at least a six digit passcode, or even better, change your passcode from four numbers to a custom alpha-numeric code and make it really hard to guess, then set the Erase Data to wipe the phone after 10 attempts. What was curious is the blog didn't even mention the alphanumeric codes that are now possible. Maybe they didn't do enough research?

Bottom line: Any time you have a passcode and make it trivial, you are exposing yourself to being hacked. So make the passcode long and hard to guess. And keep track of the device. If it's gone missing, go to Apple right away and reset the phone remotely. It's better to have to restore the iPhone than to have to restore your reputation or bank account.
In some respect, you might have missed the point of the blog post...

The point the blog was trying to make is that iOS v10 had additional security beyond the the PIN/PWD that had been removed by iOS v11. Granted, it does not matter for people, especially the ones who don't even use PIN to lock their devices. But for people, who actually relied on the internal security of the iOS 10, it might be a game changer...

Thanks for the "custom alpha-numeric code", I did not know that it's supported. On the other hand, the "Erase Data" had been enabled and had six digit PIN, soon to be alpha-numeric...

MacInWin
12-05-2017, 10:05 AM
No, I don't think I missed the point the blog post tried to make. But I think it went over the top in it's decrying of the change from 10 to 11 and missed the fact that 11 has features that actually make it stronger (alphanumeric PIN, for one) where it does have security. Apple is constantly balancing convenience and security, and I think they do it pretty well.

Now, if I was a spy, or a hitman for a mob, then the change might worry me, but for the average user, not so much, and certainly not to the extent the blog made it sound.

But it's all personal preference and desire, I guess. Some folks want total convenience, others total security. You pays your money and you takes your choice, as they say.

mrplow
12-05-2017, 10:29 AM
This is worth a read too for balance. It postures the balance between end user security/likelihood/usability and also brings in the subject of Mobile Device Management tools for environments where on device security needs to be enhanced beyond the OS

https://www.imore.com/ios-11-real-story-rise-and-fall-ios-security-vs-accessibility

ferrarr
12-05-2017, 11:26 PM
I have been using an alpha numeric passcode for quit a while, I don’t think it is a recent addition. I started using it when I got my iPhone 6 in Feb/March 2015.

dtravis7
12-06-2017, 05:19 AM
What is so called Added security in IOS10 that 11 does not have?

MacInWin
12-06-2017, 09:07 AM
I have been using an alpha numeric passcode for quit a while, I don’t think it is a recent addition. I started using it when I got my iPhone 6 in Feb/March 2015.Yeah, It wasn't really new with 11, but the article didn't address it at all, nor did it talk about the "erase after 10 tries" feature that's been around a while, either.

MacInWin
12-06-2017, 09:13 AM
What is so called Added security in IOS10 that 11 does not have?The article in Post #1 covers it. Basically, the argument is that by allowing a user to reset their AppleID through the iPhone using only the security code on the iPhone that anyone with physical access to the device AND your passcode can take complete control over your entire AppleID account, including things like Keychain to get to all your other passwords. Before 11, you needed to remember your AppleID to be able to change it, now all you need is your iPhone and the passcode on it. So Apple reduced the overall security of iOS, according to the article. IMHO, the whole article was a bit overblown and hyper, even if true. It also ignored the factors I've talked about, the alphanumeric code ability and the "erase after 10 tries" feature that wipes out the iPhone if someone tries brute force to crack the code.

Cr00zng
12-07-2017, 01:17 AM
The article in Post #1 covers it. Basically, the argument is that by allowing a user to reset their AppleID through the iPhone using only the security code on the iPhone that anyone with physical access to the device AND your passcode can take complete control over your entire AppleID account, including things like Keychain to get to all your other passwords. Before 11, you needed to remember your AppleID to be able to change it, now all you need is your iPhone and the passcode on it. So Apple reduced the overall security of iOS, according to the article. IMHO, the whole article was a bit overblown and hyper, even if true. It also ignored the factors I've talked about, the alphanumeric code ability and the "erase after 10 tries" feature that wipes out the iPhone if someone tries brute force to crack the code.
The article referenced in the first post is certainly overblown, no question about that. Arguably, iOS 11 did reduce overall security of the system, rather the Apple eco-system, by removing additional authentication requirements. For most people this does not make much of a difference, as mrplow's link showed earlier.

On the other hand, this will make a difference for law enforcement. Once they gain access to the PIN/PWD, they will have access to the whole Apple eco-system, including all the passwords in the Keychain. And there are number of ways law enforcement can gain access to the PIN/PWD. They can ask you nicely (or not so nicely), get a court order, or just crack it off-line like they've done previously.

Did Apple made the changes in iOS 11 to reduce support calls, accommodate law enforcement, or a little bit of both? At this point, we don't know and will not become known for quite awhile. And for all practical purposes, how do we know that with iOS 11, cracking the PIN/PWD did not become easier? As Billy Joel once said:

https://www.youtube.com/watch?v=6yYchgX1fMw

mrplow
12-07-2017, 04:28 AM
I agree to a point. But I don't think there's any evidence of capitulation to law enforcement here.

They can ask you nicely (or not so nicely), get a court order, or just crack it off-line like they've done previously. - this hasn't changed as a result of iOS11.

I think what needs to be considered is that if someone has your phone and the passcode/password to access it they have access to your email, likely you're primary 2 factor authentication device and much much more. That the passcode can now reset the Apple ID exposes very little else that couldn't be achieved already.

The bottom line is that IT security is not black and white. It's every shade of grey and every colour of the spectrum. There's a strong balance to be struck between usability and rock-hard security. Would I prefer an option to remove the use of passcode to reset my Apple ID? Yes. However, anecdotally, I'd wager that more people have lost data through device failure/loss and not being able to access an encrypted backup etc because they forgot the password or locked themselves out of there Apple ID, than have lost data through direct device and passcode compromise. I've nothing to back that up other than experience of supporting a large family/friend 'ecosystem'.

Apple have supported MDM solutions for ~8 versions of iOS. Consumers and business alike can, if they choose, implement one of these to tailor the security on the device. But most consumers don't need or want this. How many of us know people that, despite all advice and warning, use the same or very similar passwords across multiple platforms? Most people want the usability and want the security to fade into the background.

What consumers and professionals alike don't need is more clickbait headlines supported but incomplete information and a sales pitch. It doesn't do any end-user any favours.

Cr00zng
12-07-2017, 09:09 AM
I agree to a point. But I don't think there's any evidence of capitulation to law enforcement here.
- this hasn't changed as a result of iOS11.
No, this has not, but the result did change for law enforcement and to a certain extent for Apple. With iOS 11, there is no need for court order to get access to the Apple eco-system, once the PIN/PWD known…


I think what needs to be considered is that if someone has your phone and the passcode/password to access it they have access to your email, likely you're primary 2 factor authentication device and much much more. That the passcode can now reset the Apple ID exposes very little else that couldn't be achieved already.
In most cases, yes… Going through the steps on my iPhone for adding an additional trusted phone number for 2FA and removing mine had been easy with the PIN. Since I practically have access to the added trusted number 24/7, I did not add mine back. Not as if it matters much, since I do not really use Apple’s eco-system. Cloud storage is not an option for me, regardless who provides it. On the rare occasion I download a free app, like Ghostery browser, I need to enter the password for my Apple ID.

On the other hand, emails have no protection after the iDevice is unlocked. So, going through all of this is useless in some respect. There are ways to hide emails, but they are too cumbersome to do. Maybe if I have one email account I might consider it, but not with five business email accounts…


Most people want the usability and want the security to fade into the background.
And that’s what we see with all system and evidently with Apple as well The difference is that with Apple, there are still ways for making the device more secure than any others...

mrplow
12-07-2017, 09:22 AM
These things can go back and forth forever :)

But the crux of the point is iOS11 vs previous versions:

With iOS 11, there is no need for court order to get access to the Apple eco-system, once the PIN/PWD known…

My point being that in reality once the PIN/Password is known there is little value in going beyond that. In most cases you have full access into photos, messages, email, location data, app data - i.e. all the 'good' stuff law enforcement would want. This state hasn't changed with iOS11.

My point being is that having the apple ID password or the ability to reset it doesn't give you much in the way of additional data that you can't access directly an unlocked phone.

Cr00zng
12-07-2017, 09:35 AM
These things can go back and forth forever :)
Not, if I stop, before I agree to most of your points...O:);D