New iOS 10 security flaw makes it easier to crack iPhone backups

Dan Seifert / The Verge

According to Forbes, Apple's latest iOS release appears to have accidentally weakened the iPhone's security, potentially allowing unauthorized access to local backups.

Elcomsoft, a Russian firm that has created tools to break into iPhones, discovered the vulnerability as it worked to update its phone breaker tool. It found that backups saved after a user updates to iOS 10 use a new "password verification mechanism" that skips several security checks, according to a blog post.

The attack targets password-protected backups made by iOS 10. If an attacker managed to get hold of one of those backup files without the associated password, Elcomsoft's new attack would allow them to crack the encryption "approximately 2500 times faster compared to the old mechanism used in iOS 9 and older." Where the company could process 2,400 passwords per second under iOS 9, it can run 6 million passwords per second in iOS 10.
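To see what the quoted guess rates mean for a defender, here is a small added example (not code from the article or from Elcomsoft) that works through the keyspace arithmetic: it takes the 2,400/s and 6,000,000/s figures above and computes how much longer a backup password must be to keep an exhaustive search beyond a ten-year budget. The character-set sizes and the ten-year target are constructed for illustration.

```python
"""Keyspace arithmetic for the iTunes backup guess rates quoted above.

Guess rates are the ones the article attributes to Elcomsoft.
Charset sizes and the ten-year budget are constructed for illustration.
"""

RATE_IOS9 = 2_400          # guesses/s under iOS 9, per the article
RATE_IOS10 = 6_000_000     # guesses/s under iOS 10, per the article
SECONDS_PER_YEAR = 365.25 * 86_400

CHARSETS = {               # constructed alphabets, not from the article
    "digits": 10,
    "lowercase": 26,
    "alnum": 62,
    "printable": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of this shape at `rate` guesses/s."""
    return keyspace(charset_size, length) / rate


def min_length_for_years(charset_size: int, rate: float, years: float) -> int:
    """Smallest length whose full search takes longer than `years` at `rate`."""
    budget = rate * years * SECONDS_PER_YEAR   # total guesses the attacker gets
    length = 1
    while keyspace(charset_size, length) <= budget:
        length += 1
    return length


def speedup(new_rate: float, old_rate: float) -> float:
    """How much faster the new verification mechanism lets passwords be tested."""
    return new_rate / old_rate


if __name__ == "__main__":
    print(f"speedup iOS 9 -> iOS 10: {speedup(RATE_IOS10, RATE_IOS9):.0f}x")
    for name, size in CHARSETS.items():
        old = min_length_for_years(size, RATE_IOS9, 10)
        new = min_length_for_years(size, RATE_IOS10, 10)
        print(f"{name:10s}: 10-year length {old} (iOS 9) -> {new} (iOS 10)")
```

The loop shows the practical consequence of a 2500x faster verifier: a lowercase-only password needs two or three more characters to buy back the same search time.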

The weakness of the iTunes backups appears to be a weak link in security for the iPhone — but only for iOS 10 users. Elcomsoft noted that trying to break into the physical phone or into iCloud has gotten incredibly difficult, but accessing a backup stored on a computer allows for some access. "Forcing an iPhone or iPad to produce an offline backup and analyzing resulting data is one of the very few acquisition options available for devices running iOS 10."

According to a statement provided to Forbes, Apple is aware of the issue and is working to correct it:

"We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups," a spokesperson said. "We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption."

In the meantime, it might be best to wait for an updated version of iOS before you back your phone up.


Comments

Elcomsoft noted that trying to break into the physical phone or into iCloud has gotten incredibly difficult

Quite the silver lining.

But it’s time for Apple to offer a much larger free iCloud backup space with every iPhone sold.

I think they should match the size of the device.

I think that’s asking way too much, for a company that lets others handle their own cloud storage.

This would actually be pretty cool. It gives another incentive to get a bigger model.
Buy 128gb iPhone, get 128gb iCloud for 3 years.
But even for people without a new device, it should still be around 20gb.

Right? I just got the 256GB.

I think that is about the only thing I’ve ever unequivocally agreed with you on. 5GB is not paltry, it’s disgraceful. Although their lowest tier upgrade plan is dirt cheap, in this day 5GB of cloud storage is a joke.

Yes, 32GB would look much better, but the target must be to match the device internal storage with free backup. No hassle, "it just works", and it’s more secure as a bonus.

and forgo $1 on each customer that has 50gb. That is like throwing away $50 million

I think iCloud backups should not count towards storage space; considering media, apps, and photos are separate (music & videos are through iTunes purchases & Apple Music; photos use iCloud storage space except under shared albums; apps are restored via the App Store), I would think that even the largest sizes of iOS devices (256GB for instance) would have backups with a lightweight footprint on iCloud.

I personally use iTunes backups more for the convenience and reliability; I only have to wait on apps to restore from the store after a restoration, and I don’t have to risk restore failure on spotty internet connections.

I typically do an encrypted iTunes backup when I migrate to a new phone, but for insurance and security I do iCloud backups on a regular basis. If the phone is lost, stolen, or destroyed I don’t have to rely on the last time I did a local backup.

Agreed though, iCloud backups shouldn't count against cloud storage space. That should just be a given to customers for the best user experience.

I think the last line suggesting not to back up your phone is very poor advice. Always have a backup. I personally depend on iTunes backups because my wife's backup is over 100 GB and mine is 60-70. Plus we just got two 256GB 7s; I'm not about to pay $20 a month for our iCloud storage, so iTunes is the way to go.

Plus we just got two 256GB 7s

Ballers….

haha. I was going to settle for two 128s but they didn't have them in stock. My wife actually needed the 256 kinda tho

iCloud backups aren’t as big as the device that’s backed up. It’s not a 1:1 copy of your storage so don’t assume you’d need 512GB of iCloud storage. They’re different from iTunes backups.

true, except when you nearly fill up one device and use up a decent amount on the other you still end up with quite a bit of necessary cloud storage

What’s in those backups? If it’s all photos you should use Google photos to constantly cloud all of your pictures. Same for Google Music, you can upload your entire library for free unless you have more than 50K songs.

"Should use Google". Ok there are a lot of reason people refuse to use Google.

I fail to see the point being made? A lot of people refuse to use Microsoft and Apple products too.

Personally I've used products from all three companies, but I don't use any of them for cloud storage / backups.

How do you miss the point? He is telling people what they should use. Let people use what they want.

Google Photos isn’t a backup.

Google Photos only does 2MP copies for unlimited backup; anything more than that and you will run out of free storage pretty quick.

So they have to get into my house, access my computer and get into my backup

Yeah ok, I’m going to continue backing up as I did. Jesus, may want to put that disclaimer before making everyone worried

Also advising people not to backup because of this? Really?

I think it’s more of a concern for people who use laptops as their primary computer and carry it with them, which is a lot of working people. Otherwise, someone would have to be targeting you directly, in which case you would be screwed regardless.

If someone breaks into my laptop, they literally have access to all of my digital life. So having access to my iPhone backup or not doesn't change anything, I think. That's why I use a strong and long password and why I use FileVault.

This is such an odd thing. You don’t change the encryption mechanism and its supporting code (making it 2500 times easier to brute force) by accident (accidentally deleting a brace out of the code isn’t going to do that) – then take it all the way through to production and deployment without talking about it.

Every government in the world would like this (Apple's local backup option is not something they like, let alone one that is hard to brute force). It reminds me a lot of Microsoft taking the Elephant Diffuser out of BitLocker (Windows disk encryption program) starting in Windows 8. There wasn't any reason to do it, other than that it made things much easier to brute force (which the three-letter agencies would like).

I'd like to hear from Apple how this happened (that would be unusual, but for a company holding the mantle of the last large tech company that defends customers' privacy, they need to do this). Did Apple leadership decide to go over to the Administration's side after the FBI thing several months ago? The Administration has been quiet ever since and is defending Apple in Europe on the tax thing right now.
