Give Apple a chance to fix it.

Thank you for some reasoning.

I always shake my head when people can't be logical and expect a perfect world/company.

Any place humans are involved there will be oversights, mistakes and inconveniences for others.

We evolved because we learned and followed basic steps from our experiences.

When the first person discovered fire and put his/her hand into it they learned it hurts,
so they wouldn't put their hand into it any more and find other ways to use it.

Apple will analyze every shortcoming of iOS 10 and fix it. They have always fixed their OS
to make probably 99.9% of users happy.

Sometimes it takes time, sometimes they can do it fast. (Never fast enough MR doomsayers)

That is how we evolved to the robust OS of today.

I expect security issues with EVERY system PC or Mac all the time.

You can set your watch for the first major issue with macOS Sierra.

About the only thing I would criticize about OS security is how long it took Apple to join the bounty idea and how they still are too cheap with it.

As for this issue: Make sure nobody gets your computer or phone, set FileVault and you have nothing to worry about.

Plan B: Don't put anything sensitive or important to you into the cloud.

Two men can keep a secret, if one is dead!
 
There was no reason to suddenly change the encryption mechanism, except to make it easier to crack.
Interesting. Conspiracy?

I doubt Apple would tell the FBI to shove off, with the one hand, while petting the NSA with the other. ...Or maybe they would, as a red herring?
 
That is still a single point of failure.

Perhaps, but at least it's local and not easily accessible to anyone. Even better if you use strong encryption on the drive, encryption far stronger than what you'd find on the internet, due to speed issues. You can just go all-out with keeping your data secure, and you can't do that when it's stored in the cloud.

As long as your computer is connected to the internet, everything you store on it or connected devices is stored in the cloud as well. You can argue that compared to a 1Password vault synched via Dropbox, there is an additional firewall in place (if you have disabled remote login on your computer). But otherwise it is not fundamentally different. To get to your 1Password vault on Dropbox, somebody needs to crack your Dropbox password (or find another vulnerability into Dropbox) and then your 1Password password. To get to your passwords on a flash drive, they need to crack your OS X login password (+ the firewall if enabled) and then the password for the flash drive.

The primary issue is availability. When it's on the cloud, millions of people have a way to gain access to your data. If there is a vulnerability, the odds are many times greater that it'll be exploited. Keeping your data locally is your best bet, if you don't want anyone to get to it.
 
Is there really anybody who actually believes that iOS 10 cannot join hidden networks? That an OS that has been in the hands of probably at least tens of thousands of beta testers for months, that has been used by hundreds of millions of users (remember 1+ billion active iOS devices, 33% of which had upgraded to iOS 10 already a week ago) by now, could not connect to hidden networks but nobody has complained about it?

If we take a recommendation by Apple to not use hidden networks as a sign that iOS 10 cannot connect to them but ignore the absence of any report that this actually were the case, we might as well go back to get all our knowledge and base our decisions on reading tea leaves.
"Hiding" the SSID is actually a violation of the 802.11 standard, so it is completely understandable for any vendor not to make any effort to support it. Here's a brief summary if you are interested in more detail:

https://blogs.technet.microsoft.com/steriley/2007/10/16/myth-vs-reality-wireless-ssids/

It might be completely understandable if they did not support it, but that changes zero to the fact that they still support it very well. You cannot take a possible motivation and then ignore the overwhelming evidence to the contrary. Imagine a murder trial where a possible motivation would trump all evidence to the contrary.
 
I don't know what you are trying to tell me. I never said that the iPhone doesn't work with "hidden" SSIDs. I simply don't know since I don't use "hidden" SSIDs and have no interest in doing so. I was just pointing out that it's not something supported by the Wifi standards.
 
You quoted a post that was all about how irrational it is to claim that iOS 10 might not support hidden networks. So, did you quote it to support that it is irrational to claim such a thing or that it actually isn't irrational to utter such a claim? And if you don't have a position on that question, why did you quote a post about it?
 
Two reasons: (1) My neighbour doesn't need to know what my WiFi network is called and (2) I hate scrolling through a list of WiFi networks to connect to the one I want to connect. I see the use of hidden networks as the do-not-litter equivalent.

Is there really anybody who actually believes that iOS 10 cannot join hidden networks? That an OS that has been in the hands of probably at least tens of thousands of beta testers for months, that has been used by hundreds of millions of users (remember 1+ billion active iOS devices, 33% of which had upgraded to iOS 10 already a week ago) by now, could not connect to hidden networks but nobody has complained about it?

If we take a recommendation by Apple to not use hidden networks as a sign that iOS 10 cannot connect to them but ignore the absence of any report that this actually were the case, we might as well go back to get all our knowledge and base our decisions on reading tea leaves.

Oh, it's a disconnection/un-remembering wifi login credentials issue. Not with desktop wifi, but specifically iOS 10. I never had this issue with iOS 9, and nothing else changed but the iOS. AEBS 4th gen, etc. I think it's an iOS 10 problem and unchecking the [] Create a hidden network seems to solve it. It wouldn't be so annoying, but I've got the family using a 19-character password that you have to enter using an actual keyboard, otherwise it's way too physically cumbersome and difficult to enter via a touch-screen. It'd be better if every user had a different 64-character password for each device, but oh well... Maybe we can use emoji and other non-standard keyboard characters next time around.

Is anybody still using TCP Block? What happened to that guy? It was brilliant and small.
Whoops!
 

Unfortunately, the alternative is a re-use of passwords (nobody can remember the huge number of passwords we need in today's world).

That is still a single point of failure.

As long as your computer is connected to the internet, everything you store on it or connected devices is stored in the cloud as well. You can argue that compared to a 1Password vault synched via Dropbox, there is an additional firewall in place (if you have disabled remote login on your computer). But otherwise it is not fundamentally different. To get to your 1Password vault on Dropbox, somebody needs to crack your Dropbox password (or find another vulnerability into Dropbox) and then your 1Password password. To get to your passwords on a flash drive, they need to crack your OS X login password (+ the firewall if enabled) and then the password for the flash drive.
Patching jailbreaks is plugging security holes that allow taking over your iOS device.

Yes, I totally agree with that, but then they're just stealing ideas from the Jailbreak community each year and introducing just one or two of them at a time. Why not just give everything at once! E.g. flux, that was banned from the App Store, I have it via Jailbreaking. Now they came up with their own "Night Mode". It's ridiculous! There are still no home screen widgets. No way to increase the tiling or the size of the icons.... these are basic features that many have been asking for for years!
 
You touch three different issues, whose merits can be discussed on their own though their effects interact with each other:
  1. Allowing only app store-vetted applications to be installed on iOS devices (unless you jump through a lot of hoops).
  2. Patching security holes that were used for jailbreaking.
  3. Apple adding features (or even apps) to its software stack that had been first offered by third parties.
There are huge benefits for (1): a) Reducing security and stability risks and b) as a result of this 'allowed' vast swathes of the population to download and install apps without having any fear of endangering their IT security or borking up their device. You cannot underestimate the latter, it is what allowed the app economy to rise so quickly. The downside is that if Apple doesn't offer certain features, it can be much more difficult (impossible to the vast majority) to gain access to these features.

Number (2) obviously improves security but exacerbates the downsides of (1).

Number (3) makes the relevant features available to everybody for free and in the end helps Apple to have an attractive product. This comes at the cost of upending (often) small companies. This problem applies to many areas of the economy, in particular equally to other systems where there are no app store restrictions. It's an old problem but in the end it is unavoidable, except maybe via software patents in some cases or eventually via antitrust authorities. Most people consider software patents a murky area but they are the only legal way small companies share in benefits.

Many people might think there should have been an exemption for, or a more complete mimicking of, f.lux by iOS. But most people probably would in the end agree with Apple's position on those three general issues, at least if they looked at things from Apple's position. To some degree this is a situation of wanting to have your cake and eat it as well. Something has to give.
 
It seems to be. There are no longer any properties in the Manifest.db's properties table.
(I have yet to fully reverse-engineer the backup format though.)
 
Grrr. MacRumors is happy to point out the vulnerability, but no one will confirm when it is fixed. I have been digging through Apple's security updates, and MacRumors, trying to find out when / if this will be fixed, and no confirmations. How long do I have to refuse the !@#!@#! Apple pop-ups trying to get me to iOS 10?
 
Remember back in the day, Windows did not come with an IP stack and one had to purchase one from a third-party vendor. Then Microsoft woke up and included an IP stack with Windows. Put all those vendors out of business. Yep, it's a common occurrence, adding features to the core software that may exist in third-party apps.

As far as this vulnerability, maybe a fix in 10.2.
 

I finished my iOS 10.1 iTunes backup format reverse-engineering project. Its security properties are similar to iOS 9, that is, relatively reasonable (=PBKDF2 with plenty of iterations so not brute-forceable, AES unwrapped unique keys for each file) unlike iOS 10.0.
 
Many thanks to damezumari (Confirmation that iOS 10.1 fixes the softened backup password of iOS 10.0 over what iOS 9 had), and flowsy (Confirmation that iOS 10.2 hardens the backup password 1000x over even iOS 10.1).
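
Added example, not part of any post in this thread and not Apple's code: a sketch of why the PBKDF2 iteration count mentioned in the two posts above decides how expensive password guessing is, and what a 1000x increase does to the expected search time. The hash (SHA-256), the iteration counts, the password alphabet and the attacker speed are all constructed assumptions; the thread gives none of them.

```python
import hashlib
import hmac
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 (hash choice is an assumption, not from the thread)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)

def verify(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Check one candidate in constant time; one call is one unit of guessing work."""
    return hmac.compare_digest(derive_key(password, salt, iterations), expected)

def guesses_per_second(iterations: int, trials: int = 3) -> float:
    """Measure how many password checks per second this machine manages."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        derive_key(f"candidate-{i}", salt, iterations)
    return trials / (time.perf_counter() - start)

def years_to_search(alphabet_size: int, length: int, iterations: int,
                    rounds_per_second: float) -> float:
    """Expected years to hit a random password (half the keyspace) for someone
    able to compute rounds_per_second PBKDF2 rounds per second."""
    keyspace = alphabet_size ** length
    guess_rate = rounds_per_second / iterations
    return (keyspace / 2) / guess_rate / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed values: a 1000x pair of iteration counts and an assumed speed.
    low, high, rate = 10_000, 10_000_000, 1e9
    for n in (low, high):
        years = years_to_search(36, 8, n, rate)
        print(f"{n:>10} iterations: {years:.3g} years for 8 chars of a-z0-9")
    print("local checks/s at", low, "iterations:", round(guesses_per_second(low), 1))
```

The cost per guess grows linearly with the iteration count, so the same password that falls in months at the lower count takes centuries at the higher one; a short or reused password still falls quickly either way.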
 
Physical access to ANY machine is a security risk, no matter how strong password encryption is.

Exactly. If I have your computer and can get past that password, you already have an issue. I likely don't even need to get your iTunes backup to mess you up big time. I have your email, your web history. You probably saved your bank and bill pay passwords in Safari.
 