[Cryptography] the consequences of changing the password on your AppleID

Jerry Leichter leichter at lrw.com
Sat Feb 20 23:32:50 EST 2016


> so now we discover that if you have an unchanged password on your
> AppleID and you log on from a known network (known to the phone)
> the phone will then automatically back up to the Apple Cloud
> and that backup will contain the current content of the phone.
Well ... yes.  That's the whole point of automatic backup.

Reports are that backups from the device were "sporadic" and that the last one was made some time in October.  There was some speculation - given the long gap - that backups had actually been turned off.  My own guess - given the "sporadic" nature of the backups - is that *automatic* backups were never turned on.  Rather, they were done manually every once in a while (in which case this approach wouldn't work anyway).

Manual backups can obviously be triggered externally, though only from a "trusted" computer (one you've told the phone to trust) and, I'm pretty sure, only when the phone is unlocked - though where that's enforced is another question.

I've always thought that automated iCloud backups were triggered by the phone - for one thing, they only occur over WiFi, and only the phone knows how it's connected to the Internet.  Perhaps there's a way for Apple to trigger an iCloud backup - though it's not clear why they would want or need such a feature.

> But some clod at San Bernardino County changed the password for
> Farook's AppleID (somehow without knowing the old password)
> 12 hours after the phone was recovered by the government.
The San Bernardino guys say they did this on the advice of (or at least in consultation with) the FBI.  Someone didn't think through the implications - a classic example of "it seemed like a good idea at the time".

> So why doesn't Apple just go to its backups and restore the
> hash of the old password and the timestamp of the last password
> reset?   and then the government can force a backup which Apple
> can provide?
That's an interesting question.  It may be that the phone itself notices that the password it has was rejected as obsolete and will wipe it or at least refuse to try it again.  This would be protection against a kind of replay attack, though it seems unlikely:  The reason that Apple is in a position to be ordered to hack around the protection on the phone is that they apparently didn't consider an attack *by Apple* as something that needed to be protected against.  In the case of iCloud backups - which Apple ends up holding anyway - that would be doubly true.

There's more to this particular part of the story than meets the eye.

Another interesting question:  Backups to local disk can be encrypted with a user-chosen password; but backups to iCloud cannot.  If they could be, Apple would not be in a position to deliver backed-up information.  It's not at all clear why Apple hasn't gone this route.  Perhaps they don't want to start yet another battle.
                                                        -- Jerry


