Elcomsoft, a Russian firm that has created tools to break into iPhones, discovered the vulnerability as it worked to update its phone breaker tool. It found that backups saved after a user updates to iOS 10 use a new "password verification mechanism" that skips several security checks, according to a blog post.
The attack targets password-protected backups made by iOS 10. If an attacker managed to get one of those backup files without the associated password, Elcomsoft’s new attack would allow it to crack the encryption "approximately 2500 times faster compared to the old mechanism used in iOS 9 and older." Where the company could process 2,400 passwords per second under iOS 9, it can run 6 million passwords per second in iOS 10.
The iTunes backup mechanism appears to be a weak link in iPhone security, but only for iOS 10 users. Elcomsoft noted that breaking into the physical phone or into iCloud has gotten incredibly difficult, but a backup stored on a computer still offers some access. "Forcing an iPhone or iPad to produce an offline backup and analyzing resulting data is one of the very few acquisition options available for devices running iOS 10."
According to a statement provided to Forbes, Apple is aware of the issue and is working to correct it:
"We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups," a spokesperson said. "We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption."
In the meantime, it might be best to wait for an updated version of iOS before you back your phone up.