
SANS ISC InfoSec Handlers Diary Blog

iOS 6.1 Released

Published: 2013-01-28
Last Updated: 2013-01-28 20:43:10 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Apple today released iOS 6.1 as well as an update for Apple TV (5.2). No details about the security content have been posted yet, but we expect it to show up in a day or so at the usual location [1].

There is, however, one interesting security-related change. As with other upgrades, after upgrading to iOS 6.1 you will be asked to "activate" your device again by logging into your Apple iCloud account. This time, however, you will also be asked to set up password recovery questions unless you already had them configured in the past. Apple asks you to configure 3 questions as well as an optional password recovery e-mail address.

The questions are the usual "mix" of password security questions. They are reasonably diverse, so it is possible to pick some questions with non-obvious answers. Of course, many security professionals will enter "random" answers to make it harder to guess the answer and reset the password. In the past, Apple used information like partial credit card numbers to reset passwords, which turned out to be too easy to bypass and was used in some highly publicized attacks [2]. Apple temporarily had to suspend password resets.

Low-cost password reset for large public systems like iCloud has been a challenge. Probably the best option is some form of out-of-band activation requiring a phone number (SMS or automated voice systems). Either way, it requires that the user configure these options before having to recover a password. A recovery e-mail is "ok", and Apple may prefer this over an SMS message, as the SMS message will likely go to the iCloud-connected iPhone.

At this point, Apple has not joined Google in offering two factor authentication. Apple actually has a great opportunity to come up with something great and unique in this space using its own hardware as a platform for innovative two factor authentication techniques.

[1] http://support.apple.com/kb/HT1222
[2] http://www.wired.com/gadgetlab/2012/08/apple-icloud-password-freeze/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: apple iOS