iOS 6.1 Released

Published: 2013-01-28
Last Updated: 2013-01-28 20:43:10 UTC
by Johannes Ullrich (Version: 1)

Apple today released iOS 6.1 as well as an update for Apple TV (5.2). No details about the security content have been posted yet, but we expect them to show up in a day or so at the usual location [1].

There appears, however, to be one interesting security-related change. As with other upgrades, after upgrading to iOS 6.1 you will be asked to "activate" your device again by logging into your Apple iCloud account. This time around, however, you will be asked to set up password recovery questions unless you had already configured them in the past. Apple will ask you to configure 3 questions as well as an optional password recovery e-mail address.

The questions are your usual "mix" of password security questions. They are diverse enough that you can pick some questions with non-obvious answers. Of course, many security professionals will enter "random" answers to make it harder to guess the answer and reset the password. In the past, Apple used information like partial credit card numbers to reset passwords, which turned out to be too easy to bypass and has been used in some highly publicized attacks [2]. Apple temporarily had to suspend password resets.

Low-cost password reset for large public systems like iCloud has been a challenge. Probably the best option is some form of out-of-band activation requiring a phone number (SMS or automated voice systems). Either way, it requires that the user configure these options before having to recover a password. A recovery e-mail is "ok", and Apple may prefer this over an SMS message, as the SMS message will likely go to the iCloud-connected iPhone.

At this point, Apple has not joined Google in offering two-factor authentication. Apple actually has a great opportunity to come up with something great and unique in this space, using its own hardware as a platform for innovative two-factor authentication techniques.

[1] http://support.apple.com/kb/HT1222
[2] http://www.wired.com/gadgetlab/2012/08/apple-icloud-password-freeze/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: apple iOS