People used to appreciate how Apple addressed security. For decades, the company has been building a multi-layered ecosystem to secure its customers and protect its software and hardware from most online threats. Apple products have their flaws (whose don't?), but overall its mobile systems were the most secure among all competitors.
Things have changed. Although iOS 11 brought us a great SOS feature and now requires the passcode to establish trust with a new computer, it also introduced some questionable changes, which this article describes.
The goal of these changes was to make it easier for users to operate their devices, but each small change traded away some security.
Put together, these tradeoffs stripped all layers of protection off a once-secure ecosystem. The only security layer left in iOS 11 is the passcode. If someone gets hold of your iPhone and finds out your passcode, you lose your Apple ID, your data files, all passwords to third-party web accounts, and access to other Apple devices registered with that ID. Even more damage is possible because Apple removed all previous protection levels and left only the passcode in iOS 11.
The key problem:
In sensitive environments, it is not enough to secure only the front door of the building and leave all inner rooms without additional keys and checks. Sadly, that is exactly what happened to iOS. If you have the passcode, you get everything else.
Below, you will see what attackers can do to a user's data if they have access to the device and the passcode.
iTunes backup password
iPhone backups made with iTunes can be protected with a password. With each new version, Apple strengthened backup password security to address the growing threat from password-cracking crooks.
All of a sudden, in iOS 11, Apple allows resetting that extremely secure password. With the device in hand and the passcode known, there is no longer any need to devise sophisticated attacks: you can simply remove the backup password.
Before I explain why this matters so much, let me describe how it was implemented earlier. In iOS 8, 9 and 10 you could set a password in iTunes to protect your backups. You had to do it just once, and all future backups of any of your devices would stay protected with that password.
Importantly, this password belonged to your Apple device, not to the computer or the copy of iTunes. You could connect the iPhone to a different PC with a fresh copy of iTunes and make a backup, and that backup would still be protected by the backup password you had set earlier, perhaps a very long time ago.
iOS controlled all password changes and removal attempts and required the old password first. People who forgot their password were stuck with what they had, or had to reset the device to factory settings and lose all their data.
That was a genuinely secure way to handle passwords. But users wept, the police started to snivel, the FBI started to complain, and Apple decided to give up.
Pillaging backup passwords in iOS 11
You can still set a backup password in iTunes, and it still cannot be changed without the original one, but this means nothing because the backup password can now be removed entirely from iOS itself.
Apple's knowledge base says:
You can't restore an encrypted backup without its password. You won't be able to use previous encrypted backups, BUT you can back up your CURRENT data using iTunes and set a new backup password.
Now, to extract sensitive information from the device, crooks only need to make a new backup. They can set a temporary password, 1234 for example, for the new backup. Once it is ready, they can extract user data such as credit card information, passwords and health data. Turning this information into a readable format requires forensic tools, but those are widely available on the market.
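Since the protection described above now hinges on whether a given local backup was encrypted at all, a defender's first check is to audit the backups already sitting on a computer. The script below is an added example, not code from the article or from Apple: it reads each backup folder's Manifest.plist and reports the encryption flag and the iOS version recorded for the device. The assumptions are that Manifest.plist carries an `IsEncrypted` boolean and a `Lockdown` dictionary with `ProductVersion` (as in the backups I have examined), and that the default backup root on macOS is `~/Library/Application Support/MobileSync/Backup/`; the sample backups are constructed in a temporary directory so the example runs offline.

```python
import plistlib
import tempfile
from pathlib import Path

# Default location of iTunes backups on macOS (assumption; pass your own root
# to audit_backups if your backups live elsewhere).
DEFAULT_BACKUP_ROOT = Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup"


def read_backup_manifest(backup_dir):
    """Return (is_encrypted, ios_version) from a backup folder's Manifest.plist.

    Assumes the keys 'IsEncrypted' and 'Lockdown' -> 'ProductVersion' as found
    in iTunes backups; missing keys are treated as unencrypted / unknown.
    """
    with (Path(backup_dir) / "Manifest.plist").open("rb") as fh:
        manifest = plistlib.load(fh)
    lockdown = manifest.get("Lockdown", {})
    return bool(manifest.get("IsEncrypted", False)), str(lockdown.get("ProductVersion", "unknown"))


def audit_backups(root):
    """Walk a backup root and describe every folder that contains a Manifest.plist."""
    findings = []
    for entry in sorted(Path(root).iterdir()):
        if not (entry / "Manifest.plist").is_file():
            continue  # not a backup folder
        encrypted, version = read_backup_manifest(entry)
        findings.append({"backup": entry.name, "encrypted": encrypted, "ios_version": version})
    return findings


def unencrypted_backups(findings):
    """Names of backups that anyone with access to the computer can read without a password."""
    return [f["backup"] for f in findings if not f["encrypted"]]


def make_sample_backups():
    """Create two constructed backup folders in a temp dir: one encrypted, one not."""
    root = Path(tempfile.mkdtemp(prefix="ios-backup-audit-"))
    samples = {
        "sample-encrypted-ios10": (True, "10.3.3"),   # constructed
        "sample-plain-ios11": (False, "11.0.3"),      # constructed
    }
    for name, (encrypted, version) in samples.items():
        folder = root / name
        folder.mkdir()
        with (folder / "Manifest.plist").open("wb") as fh:
            plistlib.dump(
                {"IsEncrypted": encrypted, "Version": "10.0",
                 "Lockdown": {"ProductVersion": version, "DeviceName": "Sample iPhone"}},
                fh,
            )
    return root


if __name__ == "__main__":
    root = make_sample_backups()
    for finding in audit_backups(root):
        state = "encrypted" if finding["encrypted"] else "UNENCRYPTED"
        print(f"{finding['backup']}: {state}, iOS {finding['ios_version']}")
    print("unencrypted:", unencrypted_backups(audit_backups(root)))
```

Run it against `DEFAULT_BACKUP_ROOT` instead of the sample directory to see your own backups; any name in the unencrypted list is readable by whoever can read the files, regardless of the device passcode.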
Among all those passwords you will most probably find the Google account password. With that in hand, you can access a great deal of personal data. If the Google account has multi-factor authentication, the very iPhone in your hand (often) contains the SIM card tied to it.
Imagine hackers got control of an iPhone running a previous version of iOS. They win again, because updating iOS to version 11 is not a problem. Yes, the iPhone 5 cannot run iOS 11, but good old jailbreaking of 32-bit devices still gives full physical control.
Again, this post assumes the crooks know the passcode. But if you grabbed your boss's iPhone, you could relatively easily brute-force the passcode with one of the numerous tools that are common these days.
Summarizing the above, with an iPhone and its passcode it is possible to get:
· Application data
· Local images and videos
· Passwords from local keychain
· Just everything located in a local backup
Is this massive? Wait, it is just the beginning. Next comes changing the Apple ID password, disabling the iCloud lock, and locking or erasing the user's other devices remotely.
Apple ID password
With every other service I use, to change an account password I need to provide the old password. Apple sees it differently. To reset the Apple ID password (from the device) you only need to confirm the device passcode. This works even for accounts with multi-factor authentication because, again, your device most probably has the necessary SIM.
Moving further down our list, you can now also:
· Change the Apple ID password
· Deactivate the iCloud lock and consequently reset the iPhone using a different account
· Get access to just about everything stored in that iCloud account
· See on a map the actual location of other i-devices registered with the same account, and remotely erase or lock them
· Change the trusted phone number and begin receiving multi-factor codes on your own SIM
To reset the Apple account and iCloud password, go to Settings > Apple ID > Password & Security > Change Password. You will be asked for the passcode, and then you can change the password for the Apple ID and iCloud. It is that simple.
Next, you can change the Trusted Phone Number: just add and confirm a new number, then remove the old one.
Getting into iCloud
Having reset the victim's iCloud password and added your own phone number to receive 2FA codes gives you access to everything the victim has in his Apple account: call logs, contact list, iCloud Keychain, photos taken with all other i-devices, iCloud backups, and so on. iCloud backups may contain tons of information, as Apple keeps up to three recent backups per device registered to one Apple ID.
Moreover, iCloud gives crooks access to information synced across all i-devices, such as browser passwords, bookmarks, browsing history (but not VPN data) and notes. If the user also has a Mac, you can get his desktop files and documents.
To sync Safari passwords, payment information and auth tokens, Apple uses a cloud service called iCloud Keychain. Once you change the iCloud password, you can download all the Keychain data. You will even be able to see the victim's old (original) password for his (now your) Apple account. Additionally, you will have access to email account passwords, Wi-Fi passwords and, in fact, every password the victim typed into his browser.
iOS 11 breaks the delicate convenience/security balance, moving heavily toward the convenience side.
If an attacker steals your iPhone and recovers the passcode, no extra layer of protection will secure your data. You will be completely exposed.
As the passcode is the only protection left, be sure to use all six digits allowed.
I hope Apple will fix this security issue.
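For a managed fleet, "use all six digits" can be enforced rather than hoped for. The following is an added example, not code from the article or from Apple, and the idea of pushing the rule through a configuration profile goes beyond what the article itself discusses: it builds a passcode-policy payload (payload type `com.apple.mobiledevice.passwordpolicy`, with the keys `forcePIN`, `allowSimple`, `minLength` and `maxFailedAttempts` as documented for iOS configuration profiles) and a checker that flags a payload which still permits short or simple passcodes. The profile identifier is a hypothetical placeholder.

```python
import plistlib
import uuid

# Payload type of the passcode-policy payload in iOS configuration profiles.
PASSCODE_POLICY_TYPE = "com.apple.mobiledevice.passwordpolicy"


def check_passcode_policy(payload):
    """Return a list of findings for a passcode-policy payload; an empty list meets the baseline.

    Baseline (this example's choice): a passcode is required, simple passcodes such as
    1111 or 1234 are rejected, at least six characters, and the device wipes after at
    most ten wrong guesses so brute-forcing a lost phone is not a quiet, unbounded job.
    """
    findings = []
    if not payload.get("forcePIN", False):
        findings.append("forcePIN is false: no passcode is required at all")
    if payload.get("allowSimple", True):
        findings.append("allowSimple is true: repeating or sequential passcodes are accepted")
    if payload.get("minLength", 0) < 6:
        findings.append("minLength below 6: passcodes shorter than six digits are accepted")
    attempts = payload.get("maxFailedAttempts")
    if attempts is None or attempts > 10:
        findings.append("maxFailedAttempts missing or above 10: no wipe after repeated wrong guesses")
    return findings


def build_passcode_policy_payload(min_length=6, max_failed=10):
    """Build a payload dict that satisfies check_passcode_policy."""
    return {
        "PayloadType": PASSCODE_POLICY_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.passcode-policy.payload",  # hypothetical placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,
        "allowSimple": False,
        "minLength": min_length,
        "maxFailedAttempts": max_failed,
    }


def build_profile(payload):
    """Wrap one payload in a top-level configuration profile and return it as XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.passcode-policy",  # hypothetical placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Passcode policy (example)",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    weak = {"forcePIN": True, "allowSimple": True, "minLength": 4}  # constructed weak policy
    for finding in check_passcode_policy(weak):
        print("weak policy:", finding)
    strong = build_passcode_policy_payload()
    print("strong policy findings:", check_passcode_policy(strong))
    print(build_profile(strong).decode())
```

The generated `.mobileconfig` is installed through an MDM or Apple Configurator; the checker is useful on its own for reviewing profiles you already deploy, since a payload that sets `forcePIN` but leaves `allowSimple` true still accepts 1234.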
Gurupriyan is a Software Engineer and a technology enthusiast; he's been working in the field for the last 6 years. Currently focusing on mobile app development and IoT.