Apple Promises To Fix A Severe iOS 10 Security Flaw With iPhone Backups

Apple iPhone is secure. However, an iOS 10 security flaw can compromise it. Elcomsoft, a Russian forensics research firm, has discovered a dangerous loophole in iOS 10 which can allow hackers to crack the otherwise password-protected iPhone backups 40 times faster than before. These backups contain your passwords and other authentication data related to your phone as well as the apps. Apple spokeswoman confirmed to Forbes that the iPhone maker acknowledges the issue and is working on a fix.

“We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing the issue in an upcoming security update.”

The iOS 10’s security flaw might raise concern among iPhone users, considering the history of iCloud hacks which lead to theft of their photos and other private data.

Security researcher Oleg Afonin elucidated on Elcomsoft’s blog that the attack is specific to password-protected local backups (on the Mac or PC) produced by iOS 10 devices. Apple spokeswoman clarified that the loophole doesn’t affect iCloud.

“This does not affect iCloud backups.”

The security flaw affects the local backups created using the iOS 10 running iPhone 7, iPhone 7 Plus, iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, and iPhone 5s. These iPhone models are safe as Apple has integrated a special security hardware system called Secure Enclave.

Implemented since the iOS 9 on iPhones, the Secure Enclave safeguards the sensitive code that deals with hash keys for encrypting phone data and controls Apple Pay as well as Touch ID. This module is responsible for delaying every incorrect password guessing attempt. That’s why the time increases every time someone feeds an incorrect passcode on an iPhone. The module wipes out all data from the iPhone after 10 failed attempts to guess the password.

Unfortunately, there is no similar mechanism employed with the iPhone backups created using iTunes on the Mac or PC. Graham Cluley, a veteran security analyst, noted on Graham Cluley Security News that a hacker will have to target the computer to exploit the security flaw on which the iPhone backup was taken, instead of trying to gain control of the iPhone.

Usually, the Mac or PCs protect the local iTunes backups by saving the passwords as hash keys in an encrypted file.

In iOS 9, Apple added several security checks which need to be cleared to gain access to the local backup on the Mac or PC. But with the iOS 10, Apple has implemented a weaker algorithm for creating hash keys for storing the passwords. That allows hackers or law enforcers to use a sophisticated software for guessing the best match for the password stored in the hash.

Afonin explains that this new password verification method in the iOS 10 appears to be 2,500 times weaker than the one in iOS 9. To prove that, he used an Intel Core i5 processor-based system to conduct a brute-force attack of guessing 6 million passwords per second for the iOS 10 backups. The same tool could guess 2,400 passwords per second for the iOS 9 backups.

Such alarming rate of guessing passwords by software can turn out to be a nightmare for Apple. Elcomsoft’s CEO Vladimir Katalov told Motherboard that Apple’s security team reached out to his company seeking more details about the security flaw in iOS 10.

“Apple is definitely aware they have implemented [the flaw] themselves :)”

The iPhone users are recommended to set strong passwords for their Mac or PC to prevent easy unauthorized access. That should be an ideal practice but in this case, it is necessary. In addition to that, the Mac users can utilize the FileVault feature to encrypt and secure all data on your disk, as suggested on Apple Support pages. You are required to enter your login password, and the FileVault will randomly generate a recovery key which is necessary to access the encrypted file. So make sure you save both details carefully, or else you will be locked out from accessing the encrypted data.

Katalov believes that a security update for iOS 10 may not be an easy solution to this security flaw. According to him, a holistic approach is required from Apple to overcome this issue. He told Motherboard in an email, “So I guess that not just iOS update is needed, but also iTunes update as well, and probably some changes to the backup format.”

So expect Apple to address iOS 10’s security flaw by releasing updates for several software including iOS, iTunes, and its Mac operating systems.

[Featured Image by Sean Gallup/Getty Images]