Changes to the way that Apple protects encrypted iOS backups leave devices more vulnerable to certain types of attack, says ElcomSoft, a Russian company used by law enforcement agencies and others to access iPhones. However, it only applies if the attacker has physical access to the device and can crack the passcode.
The changes were deliberately introduced as part of iOS 11 …
Anyone wanting to access private data from an iPhone used to face two challenges, says the company in a blog post (which was experiencing loading problems at the time of writing). First, they had to access the device itself, which usually requires knowing or cracking the passcode. Second, even with the passcode, you could not access all the data on the device unless you could also crack the password used for the encrypted backup of the device.
It is the encrypted backup that contains Keychain data, allowing you to easily access any account used by the phone’s owner, as well as application data and more. Indeed, in many cases, authorities and other attackers focus their efforts on cracking the backup rather than the device itself, as it provides easier access to more data.
Prior to iOS 11, if you made an encrypted backup to iTunes, the password protecting that backup was used every time in future, even if you switched Mac.
The password would become the property of the i-device and not the PC (or the copy of iTunes) that was used to set the password. You could connect your phone to a different computer and make a local backup with a freshly installed copy of iTunes, and that backup would still be protected with the password you set a long time ago.
Any attempt to change or remove that password must pass through iOS, which would require to provide the old password first. Forgot the original password? There’s no going back, you’re stuck with what you have unless you are willing to factory reset the device and lose all data in the process.
That meant that even if an attacker had your device passcode, they still wouldn’t be able to access the private data stored in the encrypted backup.
As of iOS 11, however, Apple changed this behavior. You still can’t change an existing password, however you can reset the password on the device, and can then make a fresh encrypted backup with a new password of your choice. You can then use that new password to access the private data.
Apple documents this process, so it’s clearly a deliberate decision rather than a bug.
It seems likely that Apple is balancing convenience against security here, taking the view that anyone who has the device passcode usually has legitimate access to the device. The new behavior would be helpful to anyone who forgot their encrypted backup password, as well as families of anyone who passed away but had shared their passcode with family members.
My personal view is that the change makes sense. The risk created by it is real edge-case stuff: someone has physical access to my device and knows my passcode. The benefit is that there’s an escape plan for the many people who forget rarely-used passwords – like, in this case, an encrypted backup password that is typically only needed when upgrading devices.
But at the same time, I take ElcomSoft’s point. It does make user data somewhat less secure, and it is legitimate to draw attention to that fact so that anyone concerned about it can take counter-measures. In this case, by setting a much stronger device passcode that cannot realistically be cracked.