Fail safe vs. fail secure. Convenience vs. security. When you discuss issues like encryption and backups, these are the debates — and in some cases, massive divides — you encounter. Information security experts will insist that everything needs to be locked down so tightly that even you have trouble getting into it. Backup experts will tell you most people suffer from data loss far more often and devastatingly than they ever do data theft.
Bricks vs. windows
iOS was built to be more secure from the start. With iOS 7 and iPhone 5s, it became something akin to a crypto brick. More recently, though, Apple has taken a few deliberate steps back. In certain cases, the company has made the system fail safe instead of secure.
Personally, I don't like or agree with some of these changes. I grew up with computers and I'm a power user who understands encryption, uses unique, pseudorandom passwords, and has no trouble managing two-factor and device policies.
I do have enough perspective taking ability — and I've dealt with enough family and friends who've been locked out of their own devices, accounts, and data — to see the other side of the dilemma.
From ElcomSoft blog:
We loved what Apple used to do about security. During the past years, the company managed to build a complete, multi-layer system to secure its hardware and software ecosystem and protect its customers against common threats. Granted, the system was not without its flaws (most notably, the obligatory use of a trusted phone number – think SS7 vulnerability – for the purpose of two-factor authentication), but overall it was still the most secure mobile ecosystem on the market.
Not anymore. The release of iOS 11, which we praised in the past for the new S.O.S. mode and the requirement to enter a passcode in order to establish trust with a new computer, also made a number of other changes under the hood that we have recently discovered. Each and every one of these changes was aimed at making the user's life easier (as in "more convenience"), and each came with a small trade off in security. Combined together, these seemingly small changes made devastating synergy, effectively stripping each and every protection layer off the previously secure system. Today, only one thing is protecting your data, your iOS device and all other Apple devices you have registered on your Apple account.
The passcode. This is all that's left of iOS security in iOS 11. If the attacker has your iPhone and your passcode is compromised, you lose your data; your passwords to third-party online accounts; your Apple ID password (and obviously the second authentication factor is not a problem). Finally, you lose access to all other Apple devices that are registered with your Apple ID; they can be wiped or locked remotely. All that, and more, just because of one passcode and stripped-down security in iOS 11.
The issues pointed out are predicated on an attacker having both physical custody of your device(s) and knowledge of your passcode. And that's as close as you can get to a "game over" scenario anyway, at least without additional roadblocks that can be extremely disruptive to customers.
Even then, with your device and your passcode, someone could access all your iCloud keychain items, use your email account and SMS to reset passwords from other systems, and could otherwise gain access to a degree that makes everything else sensationalized in the Elmsoft article functionally bullshit.
And without existing knowledge of your passcode? Well, you're looking at an attacker with intent and resources beyond what the FBI initially claimed it had in the San Bernardino case.
With iOS 11, the passcode — which can be as simple as 6 numbers — can be used to reset iTunes backup passwords and even Apple ID passwords.
Based on Apple's usage data and support logs, my guess is that they found mainstream customers were unable to access their own backups or accounts far, far, far more frequently than anyone was ever trying to illegitimately gain access. That was part of the reason for the change from the old two-step authentication system to the new two-factor authentication and for some of the policies around how iCloud Photo Library, for example, works.
Again, as a power-user, I don't like some of this. I don't like that passcode can reset Apple ID. But I've dealt with enough people who have no idea what their Apple ID is, that I understand the need to balance loss vs. theft. I understand that, for some of my friends, losing access to the photos of their children because they couldn't remember a backup or account password would hurt them far more than some theoretical attacker gaining access to them. And it is absolutely not my place or right to judge them or anyone else based on that difference in priorities.
Especially because security conscious people like myself have other options.
What can you do about it?
If you're at all concerned about passcode as an attack vector, switch from a 6-digit passcode to a strong alphanumeric password. You can do that in Settings > Passcode > Change Passcode > Passcode Options > Custom Alphanumeric Code.
It means sacrificing some convenience — because passwords are harder and take longer to enter — to regain security, but with Touch ID and Face ID, you won't have to enter it that frequently anyway.
If someone knows your strong alphanumeric password, they'll still be able to change your security settings, but the odds of someone being able to crack a strong alphanumeric password are far, far, far lower than a 6-digit passcode. (And if that's the threat level you're facing, you likely shook your head and walked away long before reading the article linked to here.)
There are also mobile device management (MDM) solutions, including Apple's iOS Configurator and third-party, enterprise- and government-level tools that let administrators and organizations lock down iOS to a significantly higher degree than the consumer-oriented, built-in features allow. Which is why Apple started adding them back with iOS 2. (iPhone OS 2.0.)
Continuing the conversation
There are some interesting if overly sensationalized points raised by Elmsoft and this is an incredibly important discussion to have. It's also one that the security and backup communities have been arguing over since the inception of bits.
People and certainly the internet aren't often good at handling situations where multiple truths exist and the needs of different people are at odds with their own.
I do think we've swung between being too secure and too convenient over the years and that we continuously need to find both a better balance and better options for everyone. And that's why Apple's security team has been iterating so aggressively on all of this over the last few years.
I'd love to see an option to turn off passcode as a reset vector for those of us who don't want or need it, but then again, I use a password so I probably wouldn't want or need that setting anyway. And that's how these loops begin.
For now, iOS 11 is doing a good job making sure people don't lose access to their data while providing alphanumeric password and MDM options for those of us who want to make sure our data is better protected as well.
But let me know what you think.