There's a Pretty Serious Security Flaw in iOS 10's Back-Ups

By Tom Pritchard

Every time a new version of iOS rolls out, there's always some sort of security flaw that rears its ugly head. Usually it's some sort of lockscreen exploit, but this time Apple's fudged the security of local backups.

Russian firm Elcomsoft discovered that local back-ups made after updating to iOS 10 use a new password security mechanism that skips a few important security checks. The exploit was discovered by the firm as it worked on updating its iPhone cracking tools to deal with iOS 10.

The firm's blog post claims that if attackers were able to get hold of backup files without the password, they could crack the encryption 2,400 times faster than with iOS 9 and older versions of the OS. The company claims its attacks could generate 2,500 passwords a second for iOS 9, but with iOS 10 that number has increased to six million.
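To put those two guess rates in terms of backup password strength, here is an added example (not from Elcomsoft, Apple or the original article) that works out how long a randomly chosen password holds up at each rate and how long it must be to hold up for a chosen period. The alphabet sizes, the 100-year target and the assumption that passwords are uniformly random are illustrative choices; only the two rates come from the article.

```python
# Guess rates quoted in the article (passwords per second).
RATE_IOS9 = 2_500
RATE_IOS10 = 6_000_000

SECONDS_PER_YEAR = 365 * 24 * 3600


def exhaust_seconds(alphabet_size: int, length: int, rate: int) -> float:
    """Worst-case time to try every password of exactly `length` characters."""
    return alphabet_size ** length / rate


def min_length(alphabet_size: int, rate: int, target_years: float) -> int:
    """Shortest random password whose full keyspace outlasts `target_years`."""
    needed = target_years * SECONDS_PER_YEAR * rate
    length = 1
    while alphabet_size ** length < needed:
        length += 1
    return length


def report(target_years: float = 100.0):
    """Minimum length per policy at the iOS 9 rate and at the iOS 10 rate."""
    # Constructed policies for illustration: (label, alphabet size).
    policies = [("digits", 10), ("lowercase+digits", 36), ("printable ASCII", 95)]
    return [
        (label,
         min_length(size, RATE_IOS9, target_years),
         min_length(size, RATE_IOS10, target_years))
        for label, size in policies
    ]


if __name__ == "__main__":
    years = exhaust_seconds(36, 8, RATE_IOS9) / SECONDS_PER_YEAR
    days = exhaust_seconds(36, 8, RATE_IOS10) / 86400
    print(f"8 chars, lowercase+digits: {years:.1f} years at the iOS 9 rate, "
          f"{days:.1f} days at the iOS 10 rate")
    for label, len9, len10 in report():
        print(f"{label:18} min length for 100 years: "
              f"iOS 9 rate = {len9}, iOS 10 rate = {len10}")
```

These are worst-case figures for exhausting the whole keyspace; a password built from dictionary words or common patterns falls far sooner than its length suggests.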

Elcomsoft noted that breaking into an iCloud account or a physical phone is now much harder than it used to be, but the flaw in the security of locally stored back-ups is an obvious weak link. Right now the flaw only seems to affect local backups made after the iOS 10 update, so if you haven't updated or you only back up to iCloud you don't have much to worry about.

Apple gave this statement to Forbes:

"We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups. We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorised users. Additional security is also available with FileVault whole disk encryption."

[Elcomsoft via Forbes, The Verge]