back to article Apple slaps a passcode lock on iOS 8 devices, but cops can still inhale your iCloud

Improved security features in iOS 8 prevent Apple from unlocking phones – even when requested to by law enforcement. But search warrant-holding cops can still get almost everything through iCloud backups, according to ElcomSoft. The consumer device manufacturer's attempts at upgrading iOS encryption to "defeat lawful search …

  1. Tim Roberts 1

    surely the lesson here is...

    don't use the cloud.

    For the life of me I cannot understand people who entrust their "secrets" to people (a company) they don't know in a country the don't live in (and quite possible in a language they don't speak) ,and expect those secrets to be looked after. It's really simple - trust nobody!

    Colour me paranoid, but in this day and age a little paranoia may go a long way.

    1. Fred Flintstone Gold badge

      Re: surely the lesson here is...

      The cloud use that amuses me most is cloud based password safes. There is only one I trust in that regards, and that's because it was screened by people I know personally to do a good job of it - but even then I am NOT using it..

      Oh, btw, iTunes backups are also a risk if you don't enable encryption, and I have frankly no idea how good that crypto is - you best enable bootup passwords and full disk encryption if you really want to be sure, and that is assuming you bother to shut down the device after you've used it.

      Doing it right is still a lot of work.

      1. Anonymous Coward
        Anonymous Coward

        Re: surely the lesson here is...

        The iCloud keychain is protected and Apple can't access that. It is everything else in iCloud that is still left open - it is encrypted in transit and on iCloud servers, but Apple owns the key, not me - something I hope Apple addresses next.

        This is the one and only reason I've never adopted iCloud and continued using the less convenient option of iTunes backups, because I can encrypt that with my own password and I control it. I'm having to give up some protection by doing so, because I end up only backing up my phone every few weeks (at best) rather than having it done nightly if I was using iCloud.

        1. SuccessCase

          Re: surely the lesson here is...

          DougS. Have you seen the security white paper published here:

          http://www.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf

          It makes for an interesting read and the very fact Apple are now being so open about their security infrastructure speaks volumes. Security experts seem to agree it is really rather good, which perhaps shouldn't be surprising for a company of their resources.

          Again The Register are continuing the rather dubious trend of quoting commercial security "experts" with a vested interest in seeing the Sky as falling because they sell Sky-fall protection products. Having said that what Katalov has said is accurate, but it is what he has omitted that is interesting.

          Look again at the list given in the article:

          "The "Information Available From Apple" section reveals all sorts of information is potentially accessible from the manufacturer through this route, for example:

          device registration information,

          customer service records,

          iTunes information,

          Apple retail store transactions,

          Apple online store purchases,

          iCloud: subscriber information, mail logs, email content, photo stream, documents, contacts, calendar, bookmarks and iOS device backups and

          location information"

          In general it seems Apple want to be out of the business of overseeing your information. It is simply not where their money is made and it is a point where they now see they can differentiate themselves from Google. But for sure there remain some important caveats.

          Before the caveats, the good news:

          - iMessage converstations. Apple have made it entirely clear these are encrypted and they do not have the key.

          - Encrypted back-ups. iOS8 now encrypts backups by default, using your PIN to add entropy to the encryption key. This may not appear sufficient as most user PINs are only four digits, but the encryption key is supplemented by a local device encryption keys, copies of which (on my reading of the white paper I've linked too) it seems Apple do not keep. I could be wrong. I'm not too bad on such matters and I trust myself I have not misread the document, but I'm not enough of an expert to be prepared to state categorically and for all that my reading is correct - so check the document and make your own mind up. Or if you don't have the tech chops but still want categoric ask Mr Schneier.

          - iCloud mail. Apple do not encrypt iCloud mail, but then again, unless it is encrypted your mail is available to be read by all the servers it traverses, so there is little to be gained by encrypting it for storage, except for a protection from the NSA/Law officers being able to conveniently access it from place as distinct from have to work to catalogue it as it is delivered in the clear over "open" infrastructure.

          - Apple iOS and Mail products support the use of SMIME encryption. So this is an option. Of course, unfortunately, SMIME is little used because of the hassle verified and secure key exchange implies for users. It remains a highly effective option however and decryption keys will only be stored on the local system and messages decrypted dynamically if it is used (so the messages stored on iCloud won't be readable by Apple or law enforcement).

          - iWork office suite. The iWork office suite offers Numbers, Pages and Keynote apps. Documents created in these apps can be encrypted with a local secret (password). Since the datafiles are stored encrypted, the synchronised files will also be stored, on the iCloud servers, encrypted in a form inaccessible by Apple or officialdom.

          This will NOT apply if you share your documents with others using the iCloud sharing service (which supports collaboration). Apple will necessarily require machine access to the documents to support this. Similarly if you open encrypted documents in the web interface. Pressumably, at least while the document is open, you are granting Apple at minimum machine access to the unencrypted document.

          - Location information. Apple have made it very clear they do not store your location information except briefly when you use networked apps that require use of it. They have to be taken on trust on this one. However generally when a CEO of a public listed company faces an inconvenient truth he will most usually simply avoid discussing it. The fact Tim Cook has been prepared to state categorically Apple do not store location data is, IMO, a very good sign.

          The fact is, for Apple to be legally protected, they need to warn of all possible sources of disclosure, hence the list of bullet points for what they can access. When they say:

          "iCloud: subscriber information, mail logs, email content, photo stream, documents, contacts, calendar, bookmarks and iOS device backups and location information"

          My read is they are not pointing out the subtleties and simply stating the binary data is available. *Some of this will be encrypted and inaccessible to them. Indeed a lot of it, if you are minded to protect yourself that way*

          "device registration information,

          customer service records,

          iTunes information,

          Apple retail store transactions,

          Apple online store purchases,"

          Really this shows the list is one that is legally a covering action. They absolutely and positively *need* to have all that information as part of the service they are delivering. They are obliged to keep accounting records of all the transactions as any business is. So none of these can fairly be called a "black mark"

          It is easiest for Apple to err on the side of caution and not over promise.

          Caveats:

          - Any collaborative sharing will render documents accessible to Apple.

          - We have to take their word on encryption keys and lack of access to iMessage conversations

          - Photos. They are not going to be encrypted and contain location data.

          - Contacts, Calendar, Bookmarks - I have no reason to suppose they are stored on Apple servers in anything other than an in the clear format.

          Overall, I think this is pretty good for a mainstream, mainly consumer commercial service with cloud integration and really if you want more, you really should be looking at dedicated security solutions. The improvements I would like to see are encryption of stored email and documents by default (even though email would likely have been transacted in the clear and iWork docs can be optionally encrypted by the user) and encryption by default for photos, calendar and contacts as stored in iCloud. Good start though and one Google cannot match without damaging their revenue sources.

    2. Badvok

      Re: surely the lesson here is...

      Surely you mean: "don't use the cloud for secrets."

      Not sure why you quote mark the word secrets in your comment but I'm guessing you do actually realise that 99.999999% of the stuff people store in the cloud isn't really secret stuff that anyone other than the parties involved would be at all interested in.

  2. Anonymous Coward
    Anonymous Coward

    reminder to those who have already upgraded to iOS8.0

    that Apple is *still* signing downgrades back to iOS7.1.2, eg for the iP5, iP5C & iP5S & some pads,

    so if like me you want a battery again (until iOS8.1 solves the niggles) then you can regrade your 'mobe following this

    http://www.macworld.com/article/2683693/how-to-upgrade-to-ios-8-and-downgrade-to-ios-7-if-you-regret-it.html?page=3

    URGENT as the iOS7 signing will surely be switched off soon!

    (I noticed that I had to dig my old/last .ipsw & the last iOS7 "Find Friends/iPhone3.0.1.ipa's" & Pages2.2.2.ipa apps from trash as the new Finds 4.0 & Pages 2.4.2 are incompatible with a restored iOS7)

  3. EddieD

    Passcodes

    Whenever I build a new machine at work, I have to now use full disk encryption, either BitLocker or FileVault.

    When I do this to a Mac, it always asks me if I want to store the passcode with Apple - how long till iOS follows suit?

    And folk just say "yes", as they do to app updates.

  4. DrXym Silver badge

    It probably doesn't bother cops that much.

    * All the logs and system files will be plain text. So cops can still know when you took a picture, or made a call, or installed an app.

    * All the cloud based storage your phone connects to is stored plaintext and accessible with a warrant.

    * All the metadata on the phone network is accessible - phone logs, text messages, internet access, IP addresses etc.

    * Certain apps might leave information laying around in a readable format, either locally or on their servers.

    * PINs, biometrics and even most passwords can be cracked very easily. I doubt many people enter a strong passphrase into a phone. I doubt alternative schemes like Google's pin board thing or Microsoft's picture login are much better (both might be inferable just by dusting the screen).

    So yeah you could encrypt your private data with your finger print. And it might require a modicum of effort to get at that data. But it's not insurmountable and I expect police forces are not especially perturbed.

    1. Anonymous Coward
      Anonymous Coward

      Re: It probably doesn't bother cops that much.

      The cops have to get into your phone to get at these plain text logs though. They have to make you unlock it first, which at minimum will require a warrant. Even then, could they force you to unlock it with your fingerprint in the UK? I know they can force you to give up your password over there, but that's not the same thing.

      If they could do so, and you were really paranoid, it would be nice if Apple had a coercion erasure feature, so you could program a different finger you'd use to unlock the phone triggering an instant, silent erasure. "Sorry officer, I just had my phone replaced earlier today and haven't had time to restore it from backup yet"

      If you trigger the erasure accidentally, well, let's just say that's incentive to backup often!

  5. James O'Shea

    sigh

    I have an iPhone, a 5s. I will soon have a second one (probably a 5c). I keep my backups of my 5s (and my iPad) locally, and they're encrypted. And the volume they're on is encrypted with FileVault. Should some annoying cops send a warrant over to Apple, they can get my iTunes info; they will discover that, for example, I have every Queen album ever produced (yes, even that one...) and that the only complete U2 albums I have are 'Joshua Tree' and a certain 'gift'. I suspect that they will not care. They can find that I've bought a lot of Apple kit from the Apple Store (both online and physical), something which they could have discovered by checking my credit card info (and you _know_ that the bank's gonna give _that_ up so fast there'll be a sonic boom...) and they'll be able to get some location info as to where the phone's been (which they could have got from the telco, and _they'd_ give it up so fast that there'd be Cherenkov radiation involved). To get much of anything else they'd have to grab the phone (or iPad) itself or to access the drive I have the backups stored on. Both iOS devices are passcode protected with a 12-digit passcode; the drive is protected with an 18-digit passcode. (and no, the fingerprint thing is NOT turned on.) Yes, they can crack that if they really want to. They'll just have to put some effort into it. Which is as it should be.

    1. EddieD

      Re: sigh

      Actually even getting access to your drives have a sonic boom attached when requested by the cops - if you don't give volutarily give up your passcodes, it's off to chokey for a considerable period of time.

      1. James O'Shea

        Re: sigh

        not here, not unless the cops really want to lose a very expensive 4th (and 5th) Amendment lawsuit. (Illegal search & seizure, that's 4th. Protection from self-incrimination, that's 5th.) No, I can't stop them violating the 4th by doing illegal sweeps and decrypting everything they find. I _can_ make 'em work for it, and, unlike in Blighty, they _can't_ force me to give up the passcode except in certain very limited circumstances, such as, oh, going through customs. And even then, what they can look for and how much time they can spend looking for it is limited. The cops (especially the customs and immigration cops) _can_ seize lots and lots of stuff, but then they have to figure out how to open it themselves. I do _not_ have to co-operate.

        1. Anonymous Coward
          Anonymous Coward

          Re: sigh

          I have an iPhone 5 fully encrypted local backup, with iCloud off, iCloud Keychain not never enabled etc.

          I tried to use the encrypted backup and it is so well encrypted that it doesn't respond to my unlock password! (nor even to the 'plan B' could it possibly be this password? - nor to anything else ever used anywhere near an Apple device from my own mind-cloud) so it's not a backup! I should have used the post-it encrypted-backup password backup...

          (I do actually have a 'nuclear-fence', armed guards, unfed dogs and various microwavey radary thingies that would have protected my post-it note collection from everyone except the NSA cleaning lady)

  6. Anonymous Coward
    Anonymous Coward

    This is why I've never adopted iCloud

    I really want to use it, as it would be so much more convenient than iTunes backups which I don't do nearly as often as I should, but until I can control the key as I do with iTunes backups I haven't done so. I thought I was probably being a bit overly paranoid was considering using iCloud anyway until Snowden's revelations showed that far from being overly paranoid, I wasn't nearly paranoid enough about what my government was up to!

    I hope that given Apple's focus on privacy in iOS 8 that they're working on doing the same for iCloud and just don't have it ready to be rolled out yet. Not that it is that difficult to do, but doing it right so it is as easy and transparent for the end user who may have multiple devices syncing to iCloud could take a bit of time. I'll stick with my irregularly scheduled iTunes backups in the meantime.

    1. Anonymous Coward
      Anonymous Coward

      Re: This is why I've never adopted iCloud

      I think I just picked up good habits re backup after years of using Palm handhelds, which had a habit of losing or corrupting data every now and again. I used one for my scheduled jobs, which changed daily, so I just backed up every time I synced the calendar since it only took another couple of minutes. Since I usually charge my iphone from my USB hub, its no drama to do a backup to itunes a couple of times a week.

      Apart from any documents that might be on the phone, I'd imagine the cops would be most interested in phone records and mails anyway, and that metadata they can presumably get from the respective providers anyway without any access to the phone itself.

  7. Slrman

    Another reason

    Did we really need another reason not to use the cloud? Not just iCloud, any cloud service. Back ups are easy and quick to do on external hard drives attached to your computer. I do it every day. My phone mostly contains items from my computer and the few things it does not I can back up to the desktop system

    If you choose to believe Apple when they say they cannot access your device, that's your error, not mine. But I don't have an Apple phone anyway nor do I keep sensitive data on my phone, either.

    Yes, I do have Macintosh computers as well as Windows systems. That doesn't mean I trust any manufacturer. OK, I am paranoid. But am I paranoid enough?

  8. Jin

    False sense of security that Touch ID brings

    I am of the opinion that Apple is expected do something about the vulnerability that their Touch ID brings: Biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers a lower security than when only the password is used.

    Biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate to hear if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset.

    Biometric products like Apple's Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x%) and that of a password (y%). The sum (x% + y% - xy%) is necessarily larger than the vulnerability of a password (y%), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

    Am I wrong in thinking that this fact should be known to the public?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021