The recently released iOS 10 is said to be the most secure version of Apple’s mobile operating system. However, it comes with a serious flaw in the local password-protected iTunes backups that makes it incredibly easy for hackers to brute-force data backed up to iTunes. In a statement to Forbes, the Cupertino company acknowledged the issue, and said that it was working on a fix.
iOS 10 password security checks 2,500 times weaker
An Apple spokesperson said the company was aware of the issue that affects the encryption strength for iTunes backups of iOS 10 devices when backed up on a PC or Mac. The company will fix it in an upcoming security update, though Apple didn’t reveal exact date for the update. Apple recommended iOS 10 users to ensure strong passwords on their PCs or Macs.
Customers can also use the FileVault whole disk encryption for additional security. The security flaw does not affect iCloud backups. On Friday, Russian security research firm Elcomsoft said in a blog post that the flaw made iOS 10’s password security checks for backups about 2,500 times weaker than previous versions of iOS. If hackers crack password to the backup, it would not only expose the backed-up content and data but also allow the hacker to recover login credentials from Keychain password manager.
Law enforcement can exploit it
Keychain is where authentication tokens and passwords are stored for third-party apps, credit cards, and Safari browser. It’s worth pointing out that the flaw cannot be exploited remotely. It requires the attacker to have access to the local backups in iOS 10. Elcomsoft noted that iOS backups interest attackers because they are the only way to get at the Keychain where all the passwords and other credentials are stored.
If law enforcement wanted to access data on an iOS 10 device where the passcode is not known, they could simply force a backup to a trusted instance of iTunes on a Mac or PC. Local backups can easily be produced if the iOS device is unlocked. Elcomsoft said you can produce a local backup even when the device is locked “by using a pairing record extracted from a trusted computer.”