iOS security is no more

dejanh
Trusted Member
Okay, a bit of an over-dramatic title, but close to it. According to ElcomSoft, the iOS security overhaul in iOS 11 all but killed off the entire point of 2FA and made your device passcode a single point of failure, a clear vector of attack, not only on our Apple ecosystem but on everything else that is connected to it.

Since this isn't getting that much attention on the front page, I wanted to toss it out here and see what everyone thinks.

https://blog.elcomsoft.com/2017/11/ios-11-horror-story-the-rise-and-fall-of-ios-security/

My thoughts on this, from the comments on Rene's article...

Just read the whole ElcomSoft article. I was not even aware that such radical changes were made to the security layer in iOS 11. I do not believe that these were invited by user need so much as an answer to mounting pressure by law enforcement to provide a single point of access that would avoid the headaches they have experienced to date. In other words, it is the equivalent of providing a back door that isn’t obviously open but is still relatively easy to crack.

For my part, after reading the blog, I am thoroughly unimpressed by the changes. Part of the reason why I choose iOS over Android is because of its security. So much of our life is on our smart devices these days, and this means that losing such a device or having it in the hands of somebody malicious can be devastating. iOS had protections in place that at least offered one the ability to recover from such a loss in a reasonable way. The new changes make it very likely for the malicious party to be able to gain full access not only to your device but to *everything* Apple that you own. Depending on how extensive your use of Apple and its convenience features is, the *everything* might also involve all other services not related to Apple, like your Google account, Facebook, Instagram, cloud storage, work accounts, everything - literally. Not only gain access, but control too. This is a horribly scary prospect.

I feel like [the iMore] piece downplays the magnitude of these changes.

For me, it appears that I will now have to start adopting some of the same strategies I use on Android to protect my data against potential intrusion. No more iCloud Keychain for one.

Funny that this seemingly convenient change would cause me more inconvenience.


If you want to comment on the iMore article you can find it here https://www.imore.com/ios-11-real-story-rise-and-fall-ios-security-vs-accessibility
 

Quis89
Ambassador
It is my understanding that for this to really be a problem one would 1) need physical access to your device and 2) know your passcode.

Those two things are extremely unlikely in my case. If you're worried, simply strengthen your password. The protection of your data ultimately starts with you. Not Apple. I'm not really worried about this personally. There are still several safeguards to protect our devices, iCloud lock and remote wipe being two of them.
 

dejanh
Trusted Member
> (quoting Quis89's post above)
The bolded part is key though. You have no additional safeguards. If you read the ElcomSoft analysis carefully (to be honest, not even that carefully, as it is pretty blatantly spelled out), having access to your device allows the attacker to completely take over your iCloud account and, depending on your usage pattern of your device, past or present, potentially to take over adjacent iCloud accounts, as well as all other third-party accounts. The change that Apple made literally makes your device and passcode/password the one key for your entire Apple ecosystem, and in many persons' cases the key for all of their other services as well.

I will quote and emphasize this from ElcomSoft...

"[Once] they have your iPhone and your passcode, you are no longer in control of their device and their Apple account"

If the emphasis is confusing, it is intentional. The moment they have your device and your passcode, or your password, you do not, do not, own anything in your Apple ecosystem. The person with access to your device owns all of it.
 

Ledsteplin
Ambassador
> (quoting Quis89's post above)

+ 1 ↑
 

dejanh
Trusted Member
Are you aware that you lose all secondary protections the moment an attacker gains access to your device? The whole chain is compromised, and if you use Keychain, all other services are compromised too.

Let's look at one real-life practical case where this may become a serious issue - spousal disputes. I think everyone can agree that when faced with certain challenges in life people have a tendency to act irrationally. Somebody like your significant other will easily know many of your passwords, and likely will know the password to your device anyway. Even without stealing your device, your spouse could easily decide to execute an attack against you by compromising your access to your device, all your adjacent devices, and all services. Crazy things are very real in these types of disputes and there isn't even a malicious actor involved. It's just crazy emotions.
 

Quis89
Ambassador
> (quoting dejanh's post above)

Well, just speaking personally, the likelihood of someone having my phone AND knowing my password is highly unlikely. If this is a big issue, simply strengthen your password. If someone had your phone AND knew your password, they really already had everything they needed. Typically our Apple IDs are linked to email accounts that we have on our phones already. All one needed to do was go to the website, say they forgot their info, have Apple send a verification email and voila, they had the keys to the kingdom. Worst case, the Apple website sent a verification code to the iCloud devices, which they have in their possession. For the majority of people, not much is changing here. If anything, we as consumers need to be more mindful of our own security and not depend on companies to protect our info. A strong password is always best practice if you're worried.
 

Quis89
Ambassador
> (quoting dejanh's post above)


I don't think your example illustrated an issue that didn't already exist. If my spouse knows my passwords, she already could have done damage to my account. I've seen this first hand. The solution is simple here...strengthen your passwords. Security and convenience are always at odds. Apple went towards convenience. Which means that us individuals who are more versed in security can offer best practices to mitigate potential issues. That starts with a strong password. Preventing the opportunities for people to A) steal your device and B) guess your password will go a long way.
 

Ledsteplin
Ambassador
> (quoting dejanh's post above)

I'm on iOS 10.1.1. But the same could happen IF someone had my passcode. And that's not gonna happen. As has already been stated, use a strong passcode and take care of your phone.
 

dejanh
Trusted Member
For me I really need to re-think my security model. I don't have any particularly sensitive information as such but somebody locking me out of my digital world - these are memories - it's very important. In addition to that, I need to ensure that my device isn't used to compromise my work. It's almost becoming obvious that some conveniences are going to have to go. I do agree with the notion that we as consumers have to take greater responsibility for the security of our own information, but this is only true to a degree. If proper controls are not being provided by the vendors and they still expect us to continue to use their devices to run our lives we are in an interesting pickle, security minded or not.

As for the device being wide open when somebody has your passcode/password and the physical device before iOS 11...that's not quite true. Before iOS 11, your device passcode/password and your iCloud password were strictly separate, generally speaking. This means that somebody who executed an attack on your device did not automatically have the ability to take over your iCloud account and, by proxy, other devices and other services. With the new mode, there is in fact no 2FA at all once you're in the device, hence single point of failure. I presume that there were and probably are many instances where individuals would have connected their recovery information to their compromised device, but this is the only case where I see a similar attack being possible on iOS 10 and earlier. iOS 11 kind of takes the "dumb convenience" approach and makes the former a reality for everyone, period.
 

Just_Me_D
Ambassador Team Leader, Senior Moderator
> (quoting dejanh's opening post)

Over-dramatic title? Yes

Trying too hard to convince others that someone could gain access to their devices and wreak havoc on all of their accounts while ignoring the low probability of that happening? Definitely

Good article though.
 

Tartarus
Ambassador
I’m not too concerned about this.
Nobody I know has my passcode or physical access to my device.
 

dejanh
Trusted Member
I must say that I’m a bit surprised at the very blasé reaction to these changes. Human psychology is an interesting thing. Nothing is urgent or important until it is. I am not saying be paranoid, but I wouldn’t be so confident as to say that “this can’t happen to me”. Extraordinary things do happen to very ordinary people. I’ve had friends whose entire bank accounts were compromised. I know of people who took years to battle identity theft. Many have fallen for ransomware schemes. We’re not immune to these things. Also, phone theft may not be as rampant in the USA or Canada, but the same doesn’t apply for many other places in the world. Many people have very poor choices for passcodes and passwords. I can easily think of a few people I directly engage with daily whose passwords I know, either because they are humorously simple or because these individuals don’t take care to protect their passwords.

All it takes is a thief with a clever eye, maybe a bad choice by you for the sake of convenience, and a bump and you are utterly compromised. To me that is a very scary prospect that shouldn’t be taken lightly.
 

metllicamilitia
Ambassador
> (quoting dejanh's post above)

I agree with others that this has always been an issue. Then you have people like me who also password protect my apps with two-factor authentication. With my Apple Watch I’ll know if my phone gets away from me. I almost always also have my iPad or MacBook near me and can lock my phone out if necessary. And many of us already know there are always going to be security woes, you will never eliminate them. The only question is what new form it takes. If all I have to do now is keep my phone away from other people, that’s fine. I do that anyway.
 

Tartarus
Ambassador
> (quoting dejanh's post above)

I on the other hand am not surprised.

Doomsday scenarios have always been part of humanity and many companies and people have profited by just announcing and yelling those scenarios from the roofs since the beginning of time.

I choose to ignore those. I refuse to live in fear.
I have protected my device and the entry to my device and that’s the end of it.
I will not be overly cautious and concerned that something may happen to it, no matter how likely that scenario may be.
 

Just_Me_D
Ambassador Team Leader, Senior Moderator
> (quoting dejanh's post above)

Yes, bad things happen to people.
Yes, the existence of evil is real.
There is no ‘perfect’ defense mechanism.
Nearly perfect is NOT perfect.
We’ve all heard the saying, “if someone really wanted to.....”

We are responsible for our own security. We can take advantage of security measures that are offered or choose not to, but that choice is ours and ours alone. Finally, we can choose to be so afraid of every little thing to the point of not enjoying life or we can choose to enjoy life and hope that the safeguards we deploy are sufficient outside of extraordinary circumstances. I choose the latter....
 

anon(10000748)
Well-known member
Honestly I feel like this whole security issue is only going to be a problem for people that are already lax in security. I already have 2FA set up in my accounts, no one but me knows my password to my phone, not even the wife. I don’t ask her for hers she doesn’t ask me for mine. If someone wants to steal my phone and somehow guess my password correctly before my phone wipes itself, well so be it. I have insurance and a back up of all my stuff on iCloud!
 

Just_Me_D
Ambassador Team Leader, Senior Moderator
> (quoting anon(10000748)'s post above)

Yep. Breaking into my phone and iCloud account won’t harm me, but breaking into my 1Password account would crush me to pieces...(Laughing)
 

doogald
Trusted Member
I wouldn't mind having a non-default setting that won't allow reset all settings to erase my iTunes encryption key. It's one thing to change the default behavior so that people can wipe it if they wish; it's just too bad that there isn't a way (short of the Apple Configurator tool) for more security-conscious people to do this easily.

I don't worry about a lost or stolen phone; I worry about the (admittedly remote) chance of a mugging at gunpoint (threatening either me or my wife with harm unless I provide the passcode), or a demand for a passcode while crossing an international border (again, admittedly remote for a white American of my age). With this new system, somebody sophisticated, as the article says, has a chance to extract not just Apple ID information, but passcodes to my Google account, entrance to all of my other 2FA protected accounts, etc. Apple *could* bury an option that prevents wiping the iTunes encryption passphrase. By the time I had a chance to try to regain control of those accounts, I could be locked out for good.
 

doogald
Trusted Member
> (quoting doogald's own post above)

I just realized that this won’t help. If somebody has your passphrase, they can change a setting. Even if it is in Restrictions with a separate passphrase, that still seems like an easy thing to change.

So, never mind.
 
