iTunes Backup Passwords 'Much Easier' to Crack in iOS 10, Apple Working on Fix

[Larry The L]

No accident. Just intensifying the push to iCloud Backup and storage fees.

Oh please. Maybe you can help us out with the Kennedy assassination conspiracy theories.

And you're doing it wrong. And this would have never happened if Jobs were still alive. And this is the end of Apple......

 

[1041958]

Great the new Fappening will come out soon.

Yeah, because now people are going to break into celebrities houses and steal their computers so they can try and get data from a backup.

 

[Glideslope]

Oh please. Maybe you can help us out with the Kennedy assassination conspiracy theories.

And you're doing it wrong. And this would have never happened if Jobs were still alive. And this is the end of Apple......

1. I can't help on the Kennedy thing...
2. Nothing to hold, or maybe get a grip on?
3. This thread as we participate in it definitely would be different if he were with us.
4. Apple ended Oct 5, 2011, not in the future.

 

[dan110]

I honestly don't understand how the most valuable company to exist in our modern times can get "security" wrong.

 

[jiminycricket]

So long as someone is using a long, randomly generated password this is a non-issue. The article says they can now brute-force at 6m passwords / second on a CPU. Even assuming they can do 100x that on a GPU, and that they could use 10,000 servers in parallel, a 50 character password consisting of A-Za-z0-9 would take ~1,100,516,661,244,763,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years to crack it (on average).

 

[manu chao]

If my iTunes backups are on a drive running FireVault, does the strength of iTunes' encryption matter?

It matters less. If somebody gets physical access to your computer, they first have to crack your FileVault password (which hopefully isn't 1234). That gives them access to all files on your computer, but any passwords stored, eg, in Keychain, 1Password or your iOS device backup are protected by another password that then also needs to be cracked (unless you use the same as for FileVault ...).

 

[Shirasaki]

Where exactly did Apple ever say that?

They have said they will hand it over if served with a valid legal order, but I have never seen anything from Apple that they would just hand it over upon request.

Or if the warrant is so easy to get, like buying a notebook from supermarket?

Nothing to worry about ... they are a courageous company ... going where no company has gone before.

Apple sometimes act like a late comer, sometimes act like a pioneer.

 

[manu chao]

No accident. Just intensifying the push to iCloud Backup and storage fees.

No accident, whatever happens in the world, all and everything is part of an evil plan. Nothing ever happens by chance or simply human error.

 

[Urban Joe]

WTF ???? This is ridiculous. Why not just send out letter pressed invitations to hackers.... in Chinese and Russian.

 

[Shirasaki]

I honestly don't understand how the most valuable company to exist in our modern times can get "security" wrong.

Holding unlimited resources does not warrant the individual can finish any task error-free. And, the bigger they are, the harder they fall. I believe some programmers in Apple is sleeping on bed covered with needles.

So long as someone is using a long, randomly generated password this is a non-issue. The article says they can now brute-force at 6m passwords / second on a CPU. Even assuming they can do 100x that on a GPU, and that they could use 10,000 servers in parallel, a 50 character password consisting of A-Za-z0-9 would take ~1,100,516,661,244,763,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years to crack it (on average).

But entering 50 character password is also a very time consuming task need to be done everyday. Maybe the hacker just use keylogger or something else similar to record what you are entering rather than cracking brutally. Mine is 24 Random characters btw.

WTF ???? This is ridiculous. Why not just send out letter pressed invitations to hackers.... in Chinese and Russian.

Or just set up headquarters in Beijing, China.

 

[solipsism]

Why are you insulting me personally for stating facts?

It seems to me you are uneducated.


Very slowly again for you:

Apple wants a warrant for iCloud credentials and data for US citizens only.

Everybody else in the world falls under FISA regulation, which means NO WARRANT and no real reason for a search needed.

FOR REFERENCE


http://www.idownloadblog.com/2013/01/30/us-authorities-icloud-access/

ALSO SEE


http://www.vocativ.com/310616/apple-transparency/

1) You previously said "they hand it out to any government" and now you're saying they do require a warrant for US citizens.

2) FISA doesn't cover the whole world.

3) You quote a source that very clearly doesn't backup your statement as it says: " Most of the time—80 percent…"

4) You quote a source that states "non-citizen data stored in the US," which is the furtherest thing from all your previous claims.

 

[Rigby]

Are you sure about that? One enters the password into iTunes, so although it is possible for it to be transmitted to the iPhone to be used for encryption, the more likely scenario is that iTunes itself performs the encryption.

No. That would be highly unsecure, since it would imply that you could simply retrieve most items from the device keychain unencrypted from a paired computer without any protection. Search for "backup keybag" in the iOS Security Guide.

You're not a programmer, are you? ;-) Changing the encryption algorithm used would, at the very least, require changing the name of the function called (and this assumes that the function's parameters are identical in type and order). This isn't a situation where misplaced {}s would have an effect.

Of course it is possible. E.g. they could have a function that uses a simple hash in some cases and PBKDF2 in others depending on some parameter.

 

[RedOrchestra]

The hypocrisy is strong in this thread.

Lots of hipocrisy to go around.

When iOS 10.0.1 was released to the street several (thousands, hundred thousands, millions ... who knows for sure) OTA updaters found their iPhones / iPads were rendered useless due to Apple releasing the software with a "bug". What was Apple's response to those now helpless users ... "Go Home and do a hardwire update through iTunes" ... great, huh, this after Apple telling us all that we no longer need desktops or laptops NO SIREEE BOB ... iPads will replace those ... that was pretty funny stuff, huh, unless YOUR phone was one of the ones that was temporarily BRICKED.

 

[jiminycricket]

But entering 50 character password is also a very time consuming task need to be done everyday. Maybe the hacker just use keylogger or something else similar to record what you are entering rather than cracking brutally. Mine is 24 Random characters btw.

For your Mac login/filevault password yes, and that would be a bit much. But for an iTunes backup you only ever have to enter that when you enable encryption or do a restore, so it isn't a big deal. That does mean you need to choose a good login / password vault password, but you should do that anyway.

 

[X--X]

You quote a source that very clearly doesn't backup your statement as it says: " Most of the time—80 percent…"

The source is Apples own report. Everything cited is from Apples own report.

 

[Rigby]

Or don't do anything stupid that gets you under investigation by any government agency around the world.

Like being a government whistleblower or a political dissident in an oppressive country?

Vast majority of people aren't interesting enough to be on a radar and that bothers quite a few of them.

Yet another variation of the stupid "what do you have to hide" argument. No wonder more and more governments around the world feel they can violate our privacy and constitutional rights with impunity.

 

[pcmacgamer]

Another day another mistake under Tim Cooks Apple

 

[citysnaps]

Oh noes... The feds can hack into my John Tesh and Yanni playlists! A conspiracy between the gov and Apple!

 

[Swift]

If my iTunes backups are on a drive running FireVault, does the strength of iTunes' encryption matter?

Filevault. You decrypt the data when you sign your password. This appears to be something you can do while the Mac is online. As for the two kinds of encryption, I'm going to go to Steve Gibson's Seuriity Now.

 

[michaelsviews]

Apple has already said, they hand iCloud login credentials out to any government and or the FBI even without a warrant.

Are you sure about that? I thought it was the opposite, but I maybe wrong

 

[gaximus]

But this is NOT physical access to the iPhone. They are talking about decrypting the BACKUP data. This data is typically on e hard drive on a PC or Mac or maybe in Apple's iCloud

Nope. They said it doesn't effect iCloud backups. And it's not physical access to a phone its physical access to a PC with the backup. I would image it's much harder to get into a phone with physical access then a computer

 

[manu chao]

But entering 50 character password is also a very time consuming task need to be done everyday. Maybe the hacker just use keylogger or something else similar to record what you are entering rather than cracking brutally. Mine is 24 Random characters btw.

In the case of the iOS device backup, that password can be stored in the Keychain and thus the only password you have to type in is the Keychain password.

 

[citysnaps]

Apple has already said, they hand iCloud login credentials out to any government and or the FBI even without a warrant.

No.

In compliance with the Fourth Amendment of the United States Constitution, Apple will provide information they posses when as part of a CRIMINAL INVESTIGATION, law enforcement produces a valid search warrant; i.e. one that is based on probable cause and signed by a judge.

Any issues with that?

 

[Rigby]

Apple has already said, they hand iCloud login credentials out to any government and or the FBI even without a warrant.

Apple very likely doesn't even know your iCloud password (but only have a secure hash for authentication). Of course, they can just directly hand over data that is stored in the cloud account. But they control what they hand over, rather than giving anybody blanket access by handing over the password.

 

[Zirel]

Check the corporate world. We backup to local iTunes copies so that we can encrypt it and restore with all our apps intact. iCloud backups restore only apps that are iCloud enabled.

P.S. Come visit my planet, at least there's intelligent life here ;-)

Here's comes the ignorant post.

In the corporate world, you use MDM solutions, there's no need to backup phones, because all data is centralised.