I started skimming towards the end. It sounds like there's some genuine weakness introduced here. But I'm also getting the impression there's some of the "security people" mindset Linus was ranting about:
"Forgot the original password? There’s no going back, you’re stuck with what you have unless you are willing to factory reset the device and lose all data in the process.
If you ask me, this was a perfect and carefully thought through solution."
I'm not sure how you can consider it a perfect solution that users are losing their backups and hammering Apple for support about the issue. The suggestion to make another backup via iCloud is not terribly useful to those who have lost their phone.
You're mixing stuff up here. If you lost your password, your existing backups are not recoverable regardless of what the article is talking about. This includes the "lost their phone" case as well - you don't have access to the phone to reset the password and make a new backup.
So, the only scope left is if you have your device in hand, in which case having the option to back stuff up to iCloud even if you lost the local backup password is pretty legitimate if you want to migrate devices. And useful even for resetting the said password: you back up to iCloud, reset your device to reset the password and then restore an iCloud backup. The only catch is that you'd need to buy some iCloud space from Apple, but a) they're gonna be happy to charge you for it, and b) it's quite cheap as the backup size is quite smaller than the amount of storage taken on your phone (my phone backup is 15 GB when 80 GB was used on the phone), and is a one-month purchase.
The end was the most significant part. They can take over your icloud account with the phone password.
I don't care much about the phone backups on some secondary devices. I do care whether those devices can hijack my icloud account with just that phone's pin.
That seems terribly broken, to be able to change icloud without having the password or without 2FA.
I agree. The first part about the backup seems like a side show because once an attacker has logged into the device they already have access to everything that would be in a device backup (usually).
The attacker with physical access to the phone does not have direct access to the data, only to UI of applications that use that data, which is often something significantly different.
> I'm not sure how you can consider it a perfect solution that users are losing their backups and hammering Apple for support about the issue.
I am certain that one cannot consider it a perfect solution that Apple can read a user's data.
Like with Mozilla's crippling of Firefox's end-user security, any protocol which allows an unauthorised party to read data will eventually ensure an unauthorised party to read data.
Why do you assume Apple can read your iCloud data? If the decryption key for the backup is stored on device (protected by the device pin), then they can’t.
"Forgot the original password? There’s no going back, you’re stuck with what you have unless you are willing to factory reset the device and lose all data in the process. If you ask me, this was a perfect and carefully thought through solution."
I'm not sure how you can consider it a perfect solution that users are losing their backups and hammering Apple for support about the issue. The suggestion to make another backup via iCloud is not terribly useful to those who have lost their phone.