Apple has always taken security seriously, and the company has long prided itself on the protection its devices offer. Typically, an iOS update strengthens that protection. In iOS 10, however, the opposite appears to be true: according to the Russian forensics company Elcomsoft, iOS 10 contains a “major security flaw in the… backup protection mechanism.”
Elcomsoft, which began probing iOS 10 immediately after its release, says that Apple’s smartphones and tablets themselves are as secure as ever. However, an “alternative password verification mechanism” for backups in iOS 10 proved far easier for the company to attack than the mechanism used in earlier versions. In a recent blog post, the company stated that “the new mechanism skips certain security checks, allowing [Elcomsoft] to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.”
iOS backups hold a great deal of sensitive information: Safari autofill data, SMS and MMS messages, photos and videos from the Camera Roll, phone numbers, and even Keychain passwords. Because of the flaw, a tool built by Elcomsoft can attempt 6 million password guesses per second against an iOS 10 backup; combined with a list of the 10 million most common passwords and a dictionary of custom guesses, Elcomsoft claims an 80 to 90 percent chance of gaining full access to an iOS 10 backup. That figure reflects how guessable typical backup passwords are: the faster verifier does not reveal the password, it only lets an attacker test candidates more quickly, so a password that no dictionary or rule set produces remains out of reach.
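The speed difference Elcomsoft describes comes down to how much work the verifier demands per guess. The following is an added illustration, not Elcomsoft’s tool and not Apple’s code: it builds two password verifiers, a stretched one (PBKDF2-HMAC-SHA1 with 10,000 iterations, assumed here to stand for the older path) and a single-hash one (one SHA-256, assumed to stand for the new iOS 10 path), runs the same small constructed dictionary against both, and measures the guess rate each permits on the machine it runs on. The article does not name the algorithms, so the algorithms, the salt, the iteration count and the word list are all assumptions made for this example.

```python
"""Why verifier cost sets the offline guessing rate.

Added illustration (not Elcomsoft's tool, not Apple's code): two
backup-password verifiers, one stretched and one not, attacked with the
same small dictionary. Algorithms and parameters are assumptions made
for this example; the article only quotes the speed difference.
"""
import hashlib
import time

# Assumed parameters (constructed for this example).
SALT = b"constructed-salt-0123"   # a real backup would store a per-backup salt
PBKDF2_ITERATIONS = 10_000

# Constructed dictionary standing in for a "top N most common passwords" list.
WORDLIST = ["123456", "password", "qwerty", "iphone", "letmein",
            "apple2016", "backup!", "sunshine", "Summer16", "correct horse"]


def stretched_verifier(password: str, salt: bytes = SALT) -> bytes:
    """Assumed old path: PBKDF2-HMAC-SHA1, 10,000 iterations.

    Every guess costs the attacker 10,000 HMAC computations."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def single_hash_verifier(password: str, salt: bytes = SALT) -> bytes:
    """Assumed weak path: one SHA-256 over salt || password.

    Every guess costs one hash, so the guess rate is bounded only by
    how fast the attacker's hardware can hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def dictionary_attack(target: bytes, verifier, wordlist=WORDLIST):
    """Try each candidate until the verifier output matches `target`.

    Returns (recovered_password, guesses_used), or (None, len(wordlist))
    when no candidate matches."""
    for n, candidate in enumerate(wordlist, start=1):
        if verifier(candidate) == target:
            return candidate, n
    return None, len(wordlist)


def guesses_per_second(verifier, seconds: float = 0.25) -> float:
    """Measure how many guesses this verifier allows per second here."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        verifier(WORDLIST[count % len(WORDLIST)])
        count += 1
    return count / seconds


def speedup_ratio() -> float:
    """Guess-rate advantage of the unstretched verifier over the stretched one."""
    return guesses_per_second(single_hash_verifier) / guesses_per_second(stretched_verifier)


if __name__ == "__main__":
    weak_target = single_hash_verifier("Summer16")
    strong_target = stretched_verifier("Summer16")
    print("weak path:  ", dictionary_attack(weak_target, single_hash_verifier))
    print("strong path:", dictionary_attack(strong_target, stretched_verifier))
    print("rate advantage of the unstretched verifier: ~%.0fx" % speedup_ratio())
    # A password outside the attacker's list is not recovered by either path.
    print("random pw:  ", dictionary_attack(single_hash_verifier("x7$Lq9!vTm2#"),
                                           single_hash_verifier))
```

Both attacks recover the common password; the difference is only how many candidates per second the attacker can afford to test, which is what turns a ten-million-entry list from a multi-hour job into a matter of seconds. The password that is not in the list is found by neither path, which is why the strength of the backup password itself, not the verifier alone, decides whether a stolen backup can be opened.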
Apple has issued a statement to Forbes acknowledging the flaw and adding that a fix is in progress: “We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update.”
Note that this vulnerability only affects password-protected local backups made with iTunes on an iPhone or iPad; users who back up to iCloud are not affected. Even users with local backups are not exposed unless an attacker first gains physical or remote access to the computer on which the backup is stored, since the attack runs offline against the backup files themselves. Apple recommends that users utilizing local backup “ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users.” Until Apple releases a patch (likely soon, now that the vulnerability is public), users may consider turning off local backups, choosing a long, random backup password that a dictionary attack will not find, and keeping their Mac or PC locked down.