iTunes Backup Security Flaw Could Put iOS 10 Users at “Severe” Risk


Elcomsoft, a company that makes password recovery software among other things, has found a flaw in iOS 10 that lets “cracking” software attempt password guesses 2500 times faster than on iOS 9. The flaw is in the iTunes backup password protection: iOS 10 applies its security algorithm in a way that makes the backup password far easier and quicker for attackers to break.

According to Elcomsoft’s blog, the impact of this security flaw is “severe” because it allows cracking software not only to reach the iTunes backups stored on your Mac or PC but, more importantly, everything they contain, including your Keychain, where passwords and a whole bunch of other sensitive data typically reside.

“If you are able to break the password, you’ll be able to decrypt the entire content of the backup including the keychain,” says the blog post, which also notes that iPhones with iOS 10 are nearly impossible to break into. But it’s the “nearly” that worries us. Elcomsoft’s Oleg Afonin, who wrote the post, also says this:

“Keychain contains information such as saved passwords or authentication tokens to applications requesting secure storage for authentication credentials, Safari logins and passwords, credit card information, Wi-Fi network information, and any data that third-party app developer consider worthy of extra protection.”

So if hackers can break into your iTunes backup and get to your Keychain backup that way, they can access not only your passwords, but also your logins, credit card information and other extremely sensitive data.

The acquisition method Elcomsoft describes is called “logical acquisition”, and involves “using a pairing record extracted from a trusted computer.”

Is Apple Inc. aware of this flaw? Yes. A spokesperson gave the following statement to Forbes, which was reproduced in a post:

“We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups. We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.”

Was it a mistake on Apple’s part to be lax about security, even though it only involved backups? Most definitely. In fact, password security expert Per Thorsheim said this to Forbes:

“It’s not a good choice of algorithm,” he said, adding that Apple might win the “stupidity award of the year” for taking such “a big leap back in security.”

So if you’re on a device using iOS 10, including iPhone 7 and iPhone 7 Plus or even an older device, you should immediately change your password on your PC or Mac and make sure nobody else has access to it. Until Apple fixes the problem, this will be the only way to protect your information from hackers.
