Apple security depends on users, hack shows

A research project to crack iTunes backup passwords shows that despite state-of-the-art security, weak passwords are easily revealed

Apple has recently come under fire over the security of its customers' data, but the company has done a “nice job” using best practices to secure iTunes backups, according to a security researcher.

However, the effectiveness of the controls Apple has put in place to keep passwords secure ultimately depends on the password users choose, said James Lyne, global head of research at Sophos.

In the wake of criticism of Apple’s failure to promote and ease the use of two-factor authentication, he set up a project to test the resilience of password protection for iTunes backups.

For the test, Lyne asked eight iTunes users to volunteer their accounts as targets for the password cracking attempt using Elcomsoft’s Phone Password Breaker software.

The software is commercially available and is ostensibly aimed at helping Apple and BlackBerry users who have forgotten the passwords to their backups.

“Elcomsoft Phone Password Breaker can retrieve information from Apple iCloud and Windows Live services, provided that original user credentials for that account are known,” the firm claims on its website.

The forensic edition retails at £247, while the professional edition costs £124 and the home edition is £50. Lyne used the forensic edition, but said the professional version also works well with multiple instances.

The software recently came under the spotlight as the suspected attack tool used by the hackers who stole private photographs celebrities had taken on iPhones.

Hacking into iTunes backup files

The targets of the attack were the iTunes backup manifest files for the eight volunteer accounts, created on iPhone 6 devices running iOS 8.

Lyne then carried out the attack using the password-breaking software running on 500 virtual machines in Amazon’s commercial cloud computing service.

The password-breaking software was assisted by a comprehensive word list, including passwords from data breaches compiled by CrackStation, which describes itself as a security awareness project.

Despite all Apple’s best practice security efforts, which include Advanced Encryption Standard (AES) 256-bit encryption of the backup, seven of the eight passwords were cracked within two hours. The attack never has to break AES: the key that protects an encrypted backup is derived from the user’s password, so an attacker who guesses the password has the key.

In contrast, at the time of writing, the eighth was expected to take about 11 days to crack. “This shows the importance of password choices, even when state-of-the-art security is used,” said Lyne.

The experiment showed that the greater the number of characters in a password, the longer it takes attackers to crack it with automated tools, because every extra character multiplies the number of candidates that must be tried.

“The passwords with four characters were cracked within minutes, those with six characters took hours, and those with eight characters took less than two days. The one that is expected to take 11 days is 14 characters long,” said Lyne.

“Apple is consistently good at security throughout, but in this instance it is pretty decent and really shows the impact a user’s decisions can have on security.

“Longer passwords and passphrases are much more secure, which makes it puzzling that web services providers still rarely require more than eight characters for passwords,” he said.
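The following is an added example, not code from the article, from Sophos or from Elcomsoft, that shows why the attack above is a password-guessing problem rather than an AES problem. It models a password-protected backup as a salt, an iteration count, a PBKDF2-derived key and a verifier (the real iTunes manifest format is different and is not reproduced here; the iteration count is deliberately tiny so the demo runs in seconds), then runs the two phases a tool like the one described would run: a breach-derived wordlist first, then exhaustive search. The wordlist and passwords are constructed for the demo.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constructed stand-in for a password-protected backup. The real iTunes
# format differs; only the shape of the check an offline cracker has to pass
# is modelled: salt, iteration count, password-derived key, verifier.
# The iteration count is kept tiny so the demo runs in seconds.
DEMO_ITERATIONS = 200


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the password into a 256-bit key (the work a cracker repeats per guess)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)


def make_backup(password: str, salt: bytes = None) -> dict:
    """Build the public parameters a cracker would lift from a backup's manifest."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(password, salt, DEMO_ITERATIONS)
    verifier = hmac.new(key, b"backup-verifier", "sha256").digest()
    return {"salt": salt, "iterations": DEMO_ITERATIONS, "verifier": verifier}


def check_guess(backup: dict, guess: str) -> bool:
    """True if `guess` derives the key that produced the backup's verifier."""
    key = derive_key(guess, backup["salt"], backup["iterations"])
    candidate = hmac.new(key, b"backup-verifier", "sha256").digest()
    return hmac.compare_digest(candidate, backup["verifier"])


def crack(backup: dict, wordlist, charset: str, max_len: int):
    """Wordlist first, then exhaustive search up to max_len.

    Returns (password, guesses, method); password is None if nothing matched.
    """
    guesses = 0
    for word in wordlist:
        guesses += 1
        if check_guess(backup, word):
            return word, guesses, "wordlist"
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if check_guess(backup, candidate):
                return candidate, guesses, "brute-force"
    return None, guesses, None


def worst_case_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Seconds to exhaust every password of exactly this length at a given guess rate."""
    return charset_size ** length / guesses_per_second


# Constructed wordlist standing in for a breach-derived list such as CrackStation's.
DEMO_WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou"]

if __name__ == "__main__":
    # A breached password falls to the wordlist no matter how the key is derived.
    print(crack(make_backup("qwerty"), DEMO_WORDLIST, string.digits, 4))
    # A 4-digit PIN falls to exhaustive search within 11,110 guesses.
    print(crack(make_backup("7391"), DEMO_WORDLIST, string.digits, 4))
    # Longer password, same attack: only the guess count grows, not the crypto.
    rate = 1e9  # assumed aggregate guess rate for a cluster of machines
    for n in (4, 6, 8, 14):
        days = worst_case_seconds(95, n, rate) / 86400
        print(f"{n} chars from a 95-symbol alphabet: {days:.3g} days worst case")
```

The guess rate and the 95-symbol alphabet in the final loop are assumptions for illustration; the point is that the per-guess cost (the key derivation) is fixed by the vendor, while the number of guesses is fixed by the user’s password choice.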

Two-factor authentication for stronger security

But the research also showed that encryption does not provide much security if it is not backed up by strong authentication.

“Two-factor authentication [2FA] helps block attacks using password cracking because even if a password is known that is not enough for attackers to access accounts,” said Lyne.

“In 2FA, an additional layer of security is provided by the second factor in the form of a one-time passcode or smartcard token,” he said.
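The following is an added example, not code from the article or from Sophos, showing the one-time-passcode second factor Lyne describes and why a cracked password alone does not pass. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, accepts one 30-second step of clock drift either side, and gates the login on both a salted password hash and the code. The enrolled password, the shared secret and the timestamps are constructed for the demo (the secret is the RFC 6238 test-vector key).

```python
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC(secret, counter) to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the code for the current step or up to `skew` steps either side."""
    for delta in range(-skew, skew + 1):
        expected = totp(secret, at + delta * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def enrol_password(password: str, salt: bytes = None) -> tuple:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def password_ok(stored: tuple, password: str) -> bool:
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def login(stored: tuple, password: str, secret: bytes, code: str, at: int) -> bool:
    """Both factors must pass: knowing (or cracking) the password is not enough."""
    return password_ok(stored, password) and verify_totp(secret, code, at)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector key, constructed demo only
    stored = enrol_password("correct horse battery staple")
    now = int(time.time())
    code = totp(secret, now)
    print("password + valid code:", login(stored, "correct horse battery staple", secret, code, now))
    print("password + stale code:", login(stored, "correct horse battery staple", secret, code, now + 90))
    print("password + no code:   ", login(stored, "correct horse battery staple", secret, "", now))
```

The skew window is the usual trade-off between tolerating phone clock drift and widening the set of codes an attacker could replay; a real deployment would also rate-limit attempts and refuse to accept a code twice.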

Although the technology industry is yet to agree on an alternative to passwords, Lyne claimed the use of alternative authentication methods will soon be widespread.

Organisations that handle sensitive information already use national security cards to control access to it, and individual trusts can also use these cards to provide local 2FA.

“We have enough technology to move beyond password-based authentication, it is now a matter of time before these alternatives become widely available,” said Lyne.

EU data protection could force the issue of security

He believes the proposed new EU data protection legislation will also help drive better practice around online identity by raising user awareness and getting executives to focus on the issue.

If adopted in its current form, the proposed EU data protection law would be the strictest in the world, backed by fines of up to 5% of annual turnover or €100m.

The current proposals also seek to force compliance by any company handling the personal data of EU citizens, even if those companies and data processing are outside the EU.

This means big US technology firms such as Apple, Google and Microsoft will have to comply with the new rules where they are handling personal data of EU citizens.

“This means that if the suspected iCloud leak of private celebrity photos had happened two years in the future, Apple would have been called to account by European authorities,” said Lyne.

“Although Apple claims that none of its security measures were breached and that the iCloud backups were accessed using stolen credentials, they have not provided any more details,” he said.

Lyne believes that under the forthcoming EU data protection rules, EU authorities would have required Apple to conduct a thorough investigation and explain exactly how the private iPhone photos were leaked.

“At the very least, it will be much more difficult for US-based companies to dodge questions about what they are doing to keep personal data safe,” he said.
