Russia security firm found critical vulnerability in iOS 10 allowing attackers to crack iPhone backups — The firm also claims that iOS 10 is weaker than previous updates.
Apple has recently released the latest version of its operating system iOS and it is being perceived as a weaker version in comparison to previous ones because of a potentially disturbing security flaw.
It is being reported by Russia-based forensics firm Elcomsoft that iOS 10 has a vulnerability that allows hackers to access localized backups. Elcomsoft has developed tools to access iPhones and the security flaw was discovered by the firm while updating the phone breaker tool.
It was identified that when a user updates the phone to iOS10, the backups saved in the phone become vulnerable to hacking. iOS10 uses a different method of password verification that skips various key security checks. So, if an attacker manages to get access to any of the backup files, it would become easy for the hacker to crack the encryption roughly “2500 times” faster in comparison to the older versions of iOS 9 and others.
The post read:
“Forcing an iPhone or iPad to produce an offline backup and analyzing resulting data is one of the very few acquisition options available for devices running iOS 10.”
Elcomsoft noted that Apple has not paid as much attention to the password security feature in its latest iOS version, due to which it becomes easy to crack the logins of backups stored on a PC or Mac. Elcomsoft started reviewing the security status of iOS10 as soon as it was released and the company claimed that this time, Apple’s operating system for iPhones offered weaker password protection mechanism for manual backups that were stored through iTunes. Elcomsoft believes that there was an 80 to 90 % chance of obtaining the correct password successfully with its tools, which are available for everyone not just law enforcement.
It is important to note that iOS9 was capable of processing around 2400 passwords/sec but iOS10 can process 6 million passwords/sec. The flaw in iTunes backup could be the presence of a weak link between the backups and iPhone security. But this issue is encountered by users of iOS10 only.
It is good news that Apple is already aware of the flaw and the team is currently working on fixing it. In its official statement to Forbes, Apple mentioned that:
“We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups.”
The company’s spokesperson further explained:
“We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.