iOS 10 security flaw leaves iPhone backups vulnerable

The attack specifically targeted password-protected backups made by iOS 10


Tech Desk September 26, 2016

Apple’s iOS 10 may have accidentally compromised iPhone security, potentially allowing unauthorised access to local backups.

According to Forbes, Elcomsoft, a Russian firm that creates tools to break into iPhones, discovered the vulnerability while updating its phone breaker tool. Users who save backups after updating to iOS 10 are at risk because iOS 10 uses a new "password verification mechanism" that skips several security checks.


The security flaw impacting iTunes backups apparently affects only iOS 10 users. Elcomsoft stated that while trying to break into the physical phone or into iCloud had gotten incredibly difficult, accessing a backup stored on a computer was comparatively easier. "Forcing an iPhone or iPad to produce an offline backup and analysing resulting data is one of the very few acquisition options available for devices running iOS 10," the post read.

The attack specifically targeted password-protected backups made by iOS 10. If an attacker manages to obtain one of those backup files without the associated password, Elcomsoft’s new attack would allow them to crack the encryption "approximately 2,500 times faster compared to the old mechanism used in iOS 9 and older." While the company can process 2,400 passwords per second against iOS 9 backups, it can run 6 million passwords per second against iOS 10 backups.

Apple has been striving to remedy the problem. "We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups," a company spokesperson said in a statement released to Forbes.


"We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption," the statement read.

This article originally appeared on The Verge.
