Apple has recently bolstered the encryption in new updates to the iOS 8 operating system in such a way that nobody, not even the law enforcers or Apple itself, could break into the security boundary. It sounds as though it’s a tough job decrypting iOS 8 data. Fortunately for hackers and law enforcement agencies alike, there’s a certain weak point in the security link, and that is the user itself.
Joseph Bonneau of Princeton University claims that Apple’s new approach to encryption is only as strong as the weakest link, referring to how users choose their pass code for their own devices. And most of the time, users fail to implement a strong password, which undermines Apple’s claim to a strong encryption security.
Apple designed to new encryption model to secure sensitive information stored in hardware to block would-be attackers and non-attackers such as law enforcers from gaining access to the data. The announcement of the encryption tool in iOS devices has sent United States government officials worrying that it might increase the rate of cyber crime. Law enforcers sometimes find it apt to obtain data from mobile devices with court warrant as part of the investigation process.
But the protection, however robust, can still be rendered weak at certain circumstances when a user would use a weak password that will be easy for attackers to guess using the cryptographic processor in a mobile device. The cryptographic co-processor known as Secure Enclave contains keys that are responsible for encrypting iPhone user data. Once the Secure Enclave falls in the hands of malicious players, that’s the time when potential data breach of iOS devices could be performed through password guessing. Other attackers would also resort to brute-force attack.
But before an attacker would certainly find it hard at first to boot a device using external firmware as an initial step leading to the copying of data from an iPhone device. According to Bonneau, an attacker first needs to bypass the secure boot stage of iOS 8.
There lies the weak point, because Apple asks users to enter four digits of pass code. That is the default requirement, so most users – and a great portion of Apple users – are probably guilty of this lax security practice. There is of course an option to enter longer pass codes, but that is such an onerous task personally, especially if you do it on a touch screen.
Another thing, if you are using iPhone, never use the same password for all your devices.