iOS 10 has a terrible security flaw you need to know about
According to Forbes, Russian iPhone hacking firm Elcomsoft has discovered a vulnerability in iOS 10. Elcomsoft found that, once a user has updated to iOS 10, any backups they perform on their phone make use of a new “password verification mechanism” that skips a whole load of vital security checks.
As the firm goes on to explain in a blog post, the vulnerability allows would-be hackers to target password-protected backups made in iOS 10. Thanks to the aforementioned exploit, Elcomsoft’s new programme could help hackers who obtain such files without the relevant password crack the encryption “approximately 2,500 times faster compared to the old mechanism used in iOS 9 and older”. For clarity, that works out at around six million passwords per second in iOS 10, compared with 2,400 passwords per second in iOS 9.
The culprit of this weak link? iTunes backups in iOS 10. Apple may have increased security for both iCloud and the iPhone itself, but iTunes is a gaping hole for cybercriminals to jump through. As Elcomsoft explains, “forcing an iPhone or iPad to produce an offline backup and analysing resulting data is one of the very few acquisition options available for devices running iOS 10”.
Despite all this doom and gloom, Apple is aware of the problem and is working to fix it. In a statement provided to Forbes, Apple explains: “We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups.
“We recommend users ensure their Mac or PC [is] protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.”
As Apple works away on a solution to its tricky encryption foible, it’s probably best that you don’t upgrade to iOS 10 just yet and, if you already have, that you hold off on performing iTunes backups for now.