Free Republic

iOS 10 backups are easier to crack, but Apple promises to fix security flaw
Computerworld | September 26, 2016 | By Darlene Storm

Posted on 09/26/2016 4:03:59 PM PDT by Swordmaker

Forensic researcher claims iOS 10 local backups are easier to crack since the security protection is 2,500 times weaker than in iOS 9, but Apple promised to roll out a patch for the security flaw.


After Apple’s battle over encryption with the FBI, you’d expect Apple’s newest iOS to continue the trend of providing even better privacy and security than the previous iOS version. Sadly, that’s currently not true as iOS 10 has a “major security flaw” which leaves the data locally backed up to iTunes much more vulnerable to password cracking.

At least that is what Russian forensic software company Elcomsoft claimed on Friday. Apple allegedly weakened the method for protecting local backup files in iOS 10 by skipping some security checks. In other words, the security mechanism for protecting iOS 10 backups, which are saved locally on a computer via iTunes, is more susceptible to password-cracking tools.

“The new security check is approximately 2,500 times weaker compared to the old one that was used in iOS 9 backups,” Elcomsoft researcher Oleg Afonin announced.

Elcomsoft, which makes forensic software to gain access to password-protected, locked and encrypted information on mobile devices, was tweaking its Phone Breaker software so it would work on iOS 10. That’s when the company discovered the “alternative password verification mechanism” which Apple added to iOS 10 backups.

(Excerpt) Read more at computerworld.com ...


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: applepinglist; ios10security; itunesbackup
Note, this applies only to backups done directly from an iOS device to iTunes and breaking the security in iTunes on the computer, either a Mac or a PC. To execute any breach of this flaw requires physical possession of that computer and also the iOS device to apply a brute force attempt at breaking the passcode. Security on the iPhone and on iCloud backups is very secure. Apple will be pushing out an iTunes backup correction as soon as possible.
1 posted on 09/26/2016 4:04:00 PM PDT by Swordmaker

To: dayglored; ~Kim4VRWC's~; 1234; 5thGenTexan; Abundy; Action-America; acoulterfan; AFreeBird; ...
Backups to iTunes from iOS 10 are not as secure as they were from iOS 9. Apple is promising a corrective update as soon as possible to the iTunes backup security. It seems that a programmer at Apple changed the hash algorithm in the iTunes security to a faster, simpler algorithm from the ones used in iOS 8 and iOS 9, which makes it easier and faster to calculate all the permutations of various possibilities of passkeys. . . but only on the PC or Mac on which the iTunes backup exists. This does not affect the security of iOS on the device or on iCloud. It would, however, allow someone to extract data from the iTunes backup by using a brute force attack if they had physical possession of the computer to attempt the attack. Apple is aware of the issue and will be pushing out the fix ASAP. — PING!


Apple iOS Security
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

2 posted on 09/26/2016 4:11:31 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

If they have your computer, you have a lot more to worry about than them brute forcing their way into data on your phone. . . they already have your email and other data that's available on your computer.

You should have your entire computer FileVaulted with a strong password. . . and that would keep them out completely and ALSO out of iTunes and your iPhone and iPad backups, regardless of how weak the iOS hash might be. FileVault makes it all a moot point.

3 posted on 09/26/2016 4:15:15 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker
You should have your entire computer FileVaulted with a strong password. . .

There are pros and cons to FileVaulting your computer. If you forget your password, you can be completely locked out of getting to your data. Not even Apple can help you retrieve your data. Of course, that is the intent, to completely lock out others from getting your data. If you take this course, then be sure you back up your data and have access to the passwords! A brother-in-law of mine is always having me do his updates on his machine, and gripes when I ask him for his admin passwords. Because he forgets. Then I have to find my notes on what his passwords are!

As you say, if hackers have your computer, so be it, you have more to worry about than your phone backups.

4 posted on 09/26/2016 5:25:26 PM PDT by roadcat
