After rapidly patching a flaw that allowed anyone with access to a High Sierra Mac to take administrative control, Apple still has extra work to do to make its software secure, namely iOS 11, it was claimed this week.
Oleg Afonin, a security researcher for password-cracking forensic IT biz Elcomsoft, wrote in an article on Wednesday that iOS 11 is “a horror story” due to changes the fruit-themed firm made to its mobile operating system that stripped away a stack of layered defenses.
What’s left, he argued, is a single point of failure: the iOS device passcode.
With an iOS device and its passcode, a barrier but not an especially strong one, an intruder can gain access not only to the device but to a range of linked cloud services and any other hardware associated with the device owner’s Apple ID.
Before the announcement of iOS 11, Afonin explained in a phone interview with The Register, there were different layers of protection in iOS.
“I feel they were pretty enough for what they were,” he said. “It seems like Apple dropped all the layers except the passcode. Now the entire assurance scheme depends on that one thing.”
What changed was the iOS device backup password in iTunes. In iOS 10 and earlier, users could set a unique password to obtain an encrypted backup copy of the data on an iPhone. That password traveled with the device, and if you tried to connect the iPhone to a different machine in order to make another backup via iTunes, you’d have to supply the corresponding backup password.
In iOS 11, that changed. As Apple states in its Knowledge Base, “With iOS 11 or later, you can make a new encrypted backup of your machine by resetting the password.”
That’s a security problem because device backups made through iTunes include far more data than can be obtained just through an unlocked iPhone. And that data can be had through the sort of forensic tools Elcomsoft and other companies sell.
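The practical upshot for a defender is that an iTunes backup is only as protected as the backup password and, from iOS 11 on, the device passcode. The audit script below is an added example, not code from the article or from Elcomsoft: it walks a backup folder, reads the `IsEncrypted` flag from each backup's `Manifest.plist` and the `Product Version` from its `Info.plist`, and flags backups that are unencrypted or whose encryption now hinges on the passcode. The two plist keys are assumed from Apple's backup layout; the sample backups are constructed inline.

```python
import plistlib
import tempfile
from pathlib import Path

def audit_backups(backup_root):
    """Return {backup_name: (encrypted, ios_major, note)} for every backup
    folder under backup_root. Assumes each folder carries Manifest.plist
    (key IsEncrypted) and Info.plist (key "Product Version")."""
    findings = {}
    for folder in sorted(Path(backup_root).iterdir()):
        manifest = folder / "Manifest.plist"
        info = folder / "Info.plist"
        if not (manifest.is_file() and info.is_file()):
            continue  # not a backup folder, skip it
        with manifest.open("rb") as f:
            encrypted = bool(plistlib.load(f).get("IsEncrypted", False))
        with info.open("rb") as f:
            version = plistlib.load(f).get("Product Version", "0")
        major = int(version.split(".")[0])
        if not encrypted:
            note = "UNENCRYPTED: no backup password set"
        elif major >= 11:
            note = "encrypted, but the password can be reset with the device passcode"
        else:
            note = "encrypted; backup password bound to the device"
        findings[folder.name] = (encrypted, major, note)
    return findings

def make_sample_backups():
    """Constructed sample data, not real backups: three folders in a temp dir."""
    root = Path(tempfile.mkdtemp())
    samples = {"backup-a": (True, "10.3.3"),
               "backup-b": (True, "11.0.1"),
               "backup-c": (False, "11.1")}
    for name, (enc, ver) in samples.items():
        d = root / name
        d.mkdir()
        with (d / "Manifest.plist").open("wb") as f:
            plistlib.dump({"IsEncrypted": enc, "Version": "10.0"}, f)
        with (d / "Info.plist").open("wb") as f:
            plistlib.dump({"Product Version": ver, "Device Name": name}, f)
    return root

if __name__ == "__main__":
    for name, (enc, major, note) in audit_backups(make_sample_backups()).items():
        print(f"{name}: iOS {major}, encrypted={enc}: {note}")
```

Point `audit_backups` at the real `MobileSync/Backup` directory to check your own machine; the iOS 11 finding is a reminder that the passcode, not the backup password, is now the effective gate.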