iOS 6.1 Released

Published: 2013-01-28
Last Updated: 2013-01-28 20:43:10 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Apple today released iOS 6.1 as well as an update for Apple TV (5.2). No details about the security content have been posted yet, but we expect it to show up in a day or so at the usual location [1].

There appears to be however one interesting security related change: As in other upgrades,  after upgrading to iOS 6.1, you will be asked to "activate" your device again by logging into your Apple iCloud account. This time around however, you will be asked to setup password recovery questions unless you already had them configured in the past. Apple will ask you to configure 3 questions as well as an optional password recovery e-mail address.

The questions are your usual "mix" of password security questions. They are reasonably diverse to pick some questions with non-obvious answers. Of couse, may security professionals will enter "random" answers to make it harder to guess the answer and to reset the password. In the past, Apple used information like partial credit card numbers to reset passwords, which turned out to be too easy to bypass and has been used in some highly publicized attacks [2]. Temporarily, apple had to suspend password resets.

Low cost password reset for large public systems like iCloud has been a challenge. Probably the best option is some form of out of band activation requiring a phone number (SMS or automated voice systems). Either way, it requires that the user configures these options before having to recover a password. A recovery e-mail is "ok", and Apple may prefer this over an SMS message as the SMS message will likely go to the iCloud connected iPhone.

At this point, Apple has not joined Google in offering two factor authentication. Apple actually has a great opportunity to come up with something great and unique in this space using its own hardware as a platform for innovative two factor authentication techniques.

[1] http://support.apple.com/kb/HT1222
[2] http://www.wired.com/gadgetlab/2012/08/apple-icloud-password-freeze/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: apple iOS
3 comment(s)

Comments

As you say, no security *detail*, but the security summary page does tell you which iOS-based devices and Apple-managed apps have security-relevant fixes. It's a long list.

Sophos reckons 27 security patches, one of which is TURKTRUST revocation. YMMV.
- http://h-online.com/-1793259
29 Jan 2013 - "... Although the updates fix a large number of extremely critical security vulnerabilities, there is no need to panic – to date there has not been a single known case of such a security vulnerability being exploited to compromise an iPhone or iPad. Although the theoretical possibility has been demonstrated (by programs such as Jailbreakme), the difficulty involved in doing so has clearly deterred would-be fraudsters..."
.
Still wondering why apple doesn't provide cvss to the cve's. here we go
CVE-2013-0963 CVSS v2 Base Score:2.1
CVE-2011-3058 CVSS v2 Base Score:4.3
CVE-2013-0964 CVSS v2 Base Score:3.6
CVE-2013-0974 CVSS v2 Base Score:5.1
CVE-2012-2857 CVSS v2 Base Score:6.8
CVE-2012-3606 CVSS v2 Base Score:6.8
CVE-2012-3607 CVSS v2 Base Score:6.8
CVE-2012-3621 CVSS v2 Base Score:6.8
CVE-2012-3632 CVSS v2 Base Score:6.8
CVE-2012-3687 CVSS v2 Base Score:6.8
CVE-2012-3701 CVSS v2 Base Score:6.8
CVE-2013-0948 CVSS v2 Base Score:6.8
CVE-2013-0949 CVSS v2 Base Score:6.8
CVE-2013-0950 CVSS v2 Base Score:6.8
CVE-2013-0951 CVSS v2 Base Score:6.8
CVE-2013-0952 CVSS v2 Base Score:6.8
CVE-2013-0953 CVSS v2 Base Score:6.8
CVE-2013-0954 CVSS v2 Base Score:6.8
CVE-2013-0955 CVSS v2 Base Score:6.4
CVE-2013-0956 CVSS v2 Base Score:6.8
CVE-2012-2824 CVSS v2 Base Score:7.5
CVE-2013-0958 CVSS v2 Base Score:6.8
CVE-2013-0959 CVSS v2 Base Score:6.8
CVE-2013-0968 CVSS v2 Base Score:6.8
CVE-2013-0962 CVSS v2 Base Score:2.6
CVE-2012-2889 CVSS v2 Base Score:4.3
CVE-2012-2619 CVSS v2 Base Score:7.8

Diary Archives