iOS 10 is fresh off the presses and Apple is already working on a security flaw, this one affecting password-protected iTunes backups. An investigation by Elcomsoft shows that the flaw stems from security checks that were part of previous versions of iOS but are missing in iOS 10. This means that a hacker could potentially gain access to your iOS backup, which could contain everything from pictures and video to passwords and credit card information.
“When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.
“This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the ‘new’ password verification method exists in parallel with the ‘old’ method, which continues to work with the same slow speeds as before.”
Apple has acknowledged the security flaw and is currently working on a fix that could come in iOS 10.1. iOS 10.1 is currently in the hands of beta users, but the fix is not in the beta software either, so those users are exposed to the same security flaw.
“We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups,” an Apple spokesperson said. “We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.”
Source: 9to5 Mac