I love Apple, but this sort of thing is so frustrating from a company that is trying to make privacy be such a huge part of its brand.


It doesn't have a huge effect on me, but it lowers my level of trust that Apple knows what it's doing.

For me… it collapses the level of respect and trust in Apple.


Apple knows exactly what they're doing, but by refusing to do the right thing it reveals their extreme narcissistic attitude and disregard for customers who have made them the wealthiest juggernaut in the tech industry.


No Thanks Apple… :eek:




The blatant blind support of Apple, those on the forum here, who are essentially saying "it's no big deal" are despicable.
 
Lastpass was... and most of us ran for the hills :p

except me. I didn't have my running shoes on.

When you are used to a company that prides itself on security, of course something like this would stand out... not that it's bad, it's just worse than before.
 
besides, isn't SHA256 also the same encryption banks and other secure sites use to transmit personal info...?
No, SHA256 is not an encryption algorithm.
And we think this is less secure only from the standpoint that it was more secure in iOS 9, as a means to say "This is less secure because it can be brute forced more quickly."
Modern password crackers use much smarter methods than simple brute force.
 
Why are you insulting me personally for stating facts?

It seems to me you are uneducated.


Very slowly again for you:

Apple wants a warrant for iCloud credentials and data for US citizens only.

Everybody else in the world falls under FISA regulation, which means NO WARRANT and no real reason for a search needed.

FOR REFERENCE


http://www.idownloadblog.com/2013/01/30/us-authorities-icloud-access/

ALSO SEE


http://www.vocativ.com/310616/apple-transparency/


You're still lying.
If you read the article and the rest of the ones on the web, this intrusion requires physical access to your device!
But this is NOT physical access to the iPhone. They are talking about decrypting the BACKUP data. This data is typically on a hard drive on a PC or Mac, or maybe in Apple's iCloud.
 
Has anyone noticed that Apple is directing AEBS users to not create hidden networks? Because iOS 10 has a hard time finding those saved network credentials. Really? Because they're hidden from all but the tweakiest hackers? It seems odd. BTW, how does everyone like iCloud just grabbing all your documents and uploading them to iCloud? The opt-out language seems purposely confusing. Yes, I unchecked those boxes. Odd stuff. My 4th gen iPod never had a problem with a hidden network on a 2011 AEBS. I really don't want to have to buy yet another appliance.
I wouldn't know, still on iOS 9.3.1.

Hidden networks don't provide any added security. They're trivial to discover, and there are widely available tools like KisMac to do it. They're actually less secure in a way since your computer has to broadcast to join them, so hackers can find out more easily which one you're on. TBH, I'm not sure what they're for besides making things slightly more annoying for users. http://security.stackexchange.com/q...ky-is-connecting-to-a-hidden-wireless-network

That being said, iOS 10 is really stupid if it can't join a hidden network. No thanks, I'll stay at 9.
 



iOS 10 uses a new password verification mechanism for iTunes backups that makes them easier to crack, according to testing performed by Elcomsoft, a company that specializes in software designed to access iPhone data.

Encrypted iTunes backups created on a Mac or PC are protected by a password that can potentially be brute forced by password cracking software. The backup method in iOS 10 "skips certain security checks," allowing Elcomsoft to try backup passwords "approximately 2500 times faster" compared to iOS 9 and earlier operating systems.


Obtaining the password for an iTunes backup provides access to all data on the phone, including that stored in Keychain, which holds all of a user's passwords and other sensitive information.

In specific terms, security analyst Per Thorsheim of Peerlyst says Apple has switched from using a PBKDF2 hashing algorithm with 10,000 iterations to using a SHA256 algorithm with a single iteration, allowing for a significant speed increase when brute forcing a password.


Image via Peerlyst
In a statement given to Forbes, Apple confirmed it is aware of the issue and is working on a fix.

As Apple points out, this security oversight is limited to backups created on a Mac or PC and does not affect the security of iCloud backups. Most users likely do not need to worry about this issue as it requires access to the Mac or PC that was used to make the backup.

Apple has updates for iOS 10 and macOS Sierra in the works, and it's possible a fix will be included in the new versions of the software. iOS 10.1 and macOS Sierra 10.12.1 were seeded to developers and public beta testers earlier this week.

Article Link: iTunes Backup Passwords 'Much Easier' to Crack in iOS 10, Apple Working on Fix
This is fixed with 10.12.1 and 10.1
 
See above. Your FileVault is secure, but I do recommend that your iCloud password be incredibly strong, you use a password locker (I prefer 1Password), make all your answers to recovery questions random, use 2FA where possible, and a VPN when on any public or questionable internet connection.

None of these steps will ensure protection, but not being the "weakest of the herd" means you're statistically unlikely to be attacked, save for being directly targeted, in which case you definitely want to make it as difficult as possible to be hacked.
1Password introduces a single point of failure, which, when it fails, will result in the loss of every password you have. Generally that's a bad idea. You're better off keeping your passwords locally on a password-encrypted flash drive, or something of that nature. Storing sensitive information in the cloud is equivalent to attaching a big "hack me" sign to your private data. Someone will take the bait, eventually.
 
I think the accusations of Apple trying to profiteer off cloud data packages is off the mark. You can selectively backup only the data you need to iCloud and easily stay within the free tier, except for photos. And for those, there are still quite a few free backup services you can use.

The other thing to remember is that if you get targeted by a government instrumentality there are so many avenues into your personal data that going to the trouble of decrypting an iCloud backup is probably near the bottom of the list for them. It could be saved in plaintext and it would still be easier for them to just subpoena your cell provider, your cloud email provider and any cloud storage providers to get 99% of the data they need on you. The damning data is the metadata anyway. If you correspond with one or maybe two or more terrorists, you are a person of interest. They don't need to get the contents of the text messages or phone calls to those people to paint an accurate-enough-for-more-scrutiny picture of you.

I think people are way too caught up in protecting the *content* of their communications while the metadata is basically out there in plaintext for so much of what we do. I guess if you're solo writing a terrorist manifesto, then the contents alone are significant.

HTTPS of any kind doesn't hide which websites you frequent... TOR does (we hope), but then just using TOR itself probably garners extra attention.

GPS data on your photos is more important and telling than the picture itself.

The other IMEI #s that are known to regularly be in the same vicinity as you is more important than the contents of any conversations with those phone owners.

etc., etc.
 
So long as someone is using a long, randomly generated password this is a non-issue. The article says they can now brute-force at 6m passwords / second on a CPU. Even assuming they can do 100x that on a GPU, and that they could use 10,000 servers in parallel, a 50 character password consisting of A-Za-z0-9 would take ~1,100,516,661,244,763,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years to crack it (on average).

Nice try. Only it's rather hard for everyone to remember a completely random 50 character password that is NOT in the dictionary. Now, can you do the math for an 8 character password?
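The arithmetic the two posts above argue about, carried through for both password lengths, as an added example that is not from the article or from any poster in this thread. It also measures, on the local CPU, why one SHA-256 per guess is so much cheaper for an attacker than PBKDF2 with 10,000 iterations, which is the change the article describes. The guess rates (6M/s on a CPU, 100x on a GPU, 10,000 machines) are the ones quoted in the post; the assumptions that PBKDF2 uses HMAC-SHA-256 as its PRF and that a year is 365.25 days are mine, not the page's.

```python
"""Worked brute-force estimates for the thread's numbers (constructed example).

Assumptions not stated on the page: PBKDF2's PRF is HMAC-SHA-256, a year is
365.25 days, and the attacker gets no better than the quoted guess rates.
"""
import hashlib
import os
import time

ALPHANUMERIC = 62                     # A-Z, a-z, 0-9, as in the post above
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guess rates from the thread: 6M/s on a CPU, 100x that on a GPU,
# and 10,000 such machines in parallel.
CPU_RATE = 6e6
GPU_RATE = CPU_RATE * 100
CLUSTER_RATE = GPU_RATE * 10_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_crack(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: half the keyspace."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


def years_to_crack(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_crack(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


def days_to_crack(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_crack(alphabet_size, length, guesses_per_second) / 86400


def pbkdf2_vs_sha256_ratio(iterations: int = 10_000, trials: int = 20) -> float:
    """How many single-SHA-256 guesses fit in the time of one PBKDF2 guess.

    Uses a constructed password and a random salt. The absolute timings depend
    on the machine; the ratio is what the article's "2500 times faster" is about.
    """
    password = b"constructed-example-password"   # constructed, not a real secret
    salt = os.urandom(16)

    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    pbkdf2_per_guess = (time.perf_counter() - start) / trials

    start = time.perf_counter()
    for _ in range(trials * 1000):
        hashlib.sha256(salt + password).digest()
    sha256_per_guess = (time.perf_counter() - start) / (trials * 1000)

    return pbkdf2_per_guess / sha256_per_guess


if __name__ == "__main__":
    print(f"50 alphanumeric chars, 10,000 GPU boxes: "
          f"{years_to_crack(ALPHANUMERIC, 50, CLUSTER_RATE):.3g} years")
    print(f" 8 alphanumeric chars, one CPU:          "
          f"{days_to_crack(ALPHANUMERIC, 8, CPU_RATE):.0f} days")
    print(f" 8 alphanumeric chars, one GPU:          "
          f"{days_to_crack(ALPHANUMERIC, 8, GPU_RATE):.1f} days")
    print(f" 8 alphanumeric chars, 10,000 GPU boxes: "
          f"{seconds_to_crack(ALPHANUMERIC, 8, CLUSTER_RATE):.0f} seconds")
    print(f"PBKDF2(10k iterations) costs about "
          f"{pbkdf2_vs_sha256_ratio():.0f}x one SHA-256 on this CPU")
```

With these inputs the 50-character figure comes out at roughly 1.1e69 years, matching the post, while an 8-character alphanumeric password falls in about 210 days on a single CPU at the quoted rate, about two days on one GPU, and under a minute on the hypothetical cluster. The measured PBKDF2/SHA-256 ratio is what a backup format's password check is supposed to buy you: the same password survives thousands of times longer when each guess costs 10,000 hash iterations instead of one.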
 
I'm running iOS 7.0.2! It's impossible to get my passwords since I have to look them up on paper! LOL! In other words, I don't know what they are in the first place, so good luck in trying to steal them!
 
Apple is too busy "innovating" & patching jailbreaks. Everything else has gone for a toss in recent years. Oh how I miss Steve Jobs... an actual visionary!
Cook is just f***ing around looking to milk consumers every year.
 
You know when I read articles like this one and on the same day I read this http://thehackernews.com/2016/09/nsa-hacking-tool-exploits.html I really hope that Apple does have our interests at heart since the US Government doesn't

While I worry about the same, I have even greater concern about China. I'm all for seeing Apple succeed in other markets, but when it starts to appear that TC is willing to kowtow in China in order to gain bigger access to the Chinese markets, I start to get really concerned. If there's one government that we can be sure doesn't have our best interests at heart, it's that one.
 
1Password introduces a single point of failure, which, when it fails, will result in the loss of every password you have. Generally that's a bad idea.
Unfortunately, the alternative is a re-use of passwords (nobody can remember the huge number of passwords we need in today's world).
You're better off keeping your passwords locally on a password-encrypted flash drive, or something of that nature.
That is still a single point of failure.
Storing sensitive information in the cloud is equivalent to attaching a big "hack me" sign to your private data. Someone will take the bait, eventually.
As long as your computer is connected to the internet, everything you store on it or connected devices is stored in the cloud as well. You can argue that compared to a 1Password vault synced via Dropbox, there is an additional firewall in place (if you have disabled remote login on your computer). But otherwise it is not fundamentally different. To get to your 1Password vault on Dropbox, somebody needs to crack your Dropbox password (or find another vulnerability in Dropbox) and then your 1Password password. To get to your passwords on a flash drive, they need to crack your OS X login password (+ the firewall if enabled) and then the password for the flash drive.

Apple is too busy "innovating" & patching jailbreaks.
Patching jailbreaks is plugging security holes that allow taking over your iOS device.
 
See above. Your File Vault is secure, but I do recommend that your iCloud password be incredibly strong, you use a password locker (I prefer 1Password), make all your answers to recovery questions random, use 2FA where possible, and a VPN when on any public or questionable internet connection.

I also prefer 1password, but for itunes/icloud password, I do have one I can remember, but also protected with 2FA.

I would use 1password with a big ass "un-rememberable for a non-rainman person" password for it, but you get prompts for that particular password and you need to dismiss the alert to go to any app, like 1password. Yeah, I do use touchId as well, but you still have to enter it from time to time. Not perfect, I know.
 
Hidden networks don't provide any added security. They're trivial to discover, and there are widely available tools like KisMac to do it. TBH, I'm not sure what they're for besides making things slightly more annoying for users.
Two reasons: (1) My neighbour doesn't need to know what my WiFi network is called and (2) I hate scrolling through a list of WiFi networks to connect to the one I want to connect. I see the use of hidden networks as the do-not-litter equivalent.
That being said, iOS 10 is really stupid if it can't join a hidden network. No thanks, I'll stay at 9.
Is there really anybody who actually believes that iOS 10 cannot join hidden networks? That an OS that has been in the hands of probably at least tens of thousands of beta testers for months, that has been used by hundreds of millions of users by now (remember 1+ billion active iOS devices, 33% of which had upgraded to iOS 10 already a week ago), could not connect to hidden networks but nobody has complained about it?

If we take a recommendation by Apple to not use hidden networks as a sign that iOS 10 cannot connect to them, but ignore the absence of any report that this is actually the case, we might as well go back to getting all our knowledge from, and basing our decisions on, reading tea leaves.
 
1Password introduces a single point of failure, which, when it fails, will result in the loss of every password you have. Generally that's a bad idea. You're better off keeping your passwords locally on a password-encrypted flash drive, or something of that nature. Storing sensitive information in the cloud is equivalent to attaching a big "hack me" sign to your private data. Someone will take the bait, eventually.

While you are not wrong, it is worth pointing out that with 1Pass and similar products, this concern is based more on how people use the product than on the capabilities of the product. We have 1Pass but don't use any of its cloud capabilities. File vault is local, no syncing, etc.
 
So long as someone is using a long, randomly generated password this is a non-issue. The article says they can now brute-force at 6m passwords / second on a CPU. Even assuming they can do 100x that on a GPU, and that they could use 10,000 servers in parallel, a 50 character password consisting of A-Za-z0-9 would take ~1,100,516,661,244,763,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 years to crack it (on average).
True, but most people have passwords that are closer to 8 characters.
That doesn't really matter. Of all security concerns it's the very last one. I mean, it's sad to read that keychain isn't encrypted on its own within the backup but rather stored in plaintext, hoping the encryption of the backup container takes care of the security. This is bad practice in the first place. I'm not sure if backup over WiFi is still unencrypted as well. That's what I'd be more concerned about if you are using a shared WiFi. If you want to secure the data on your computer (including your backup), use either FileVault or Windows EFS for advanced security. If you're paranoid, use a 3rd party software that you trust (e.g. the audited version of TrueCrypt).
I thought TrueCrypt was defunct and they had switched to... VeraCrypt. Because my phone keeps reminding me I am 487 days past when I was supposed to switch all my TrueCrypt files to VeraCrypt.
 
I love Apple, but this sort of thing is so frustrating from a company that is trying to make privacy be such a huge part of its brand. Without security, privacy cannot exist. It doesn't have a huge effect on me, but it lowers my level of trust that Apple knows what it's doing.

Give Apple a chance to fix it.

As a developer, this is a pretty glaring flaw, so I can only assume (or hope, rather) it was a temporary implementation that accidentally got through to a release version. Whatever happened, it's bizarre.

You must be the perfect developer.
 
Personally I wasn't thinking Tim would (his replacement, whomever that may be in the future, is another matter) - but this is a big No No when your company is placing itself as the only firm who cares about their users privacy in the world (at this point). Apple needs to carefully explain what happened here (not their normal procedure) or ...

100% this. "Programming mistakes" happen but when you're a company which champions privacy and security, then your QA controls should prioritize these features and have them seriously locked down.

Apple needs to be exemplary in this area for *ALL* iOS endpoints (be it ICloud, iTunes or anything else) otherwise they should stop bragging about it.

Such a regression is pathetic.
 
Such a regression is pathetic.


Happens often in software development when a company loses control of the build. As the old adage goes -

"software programmers/engineers are a dime a dozen and I wouldn't pay any dime for any dozen."
 