Apple Promises To Fix A Severe iOS 10 Security Flaw With iPhone Backups

Samir Makwana

The iPhone is generally regarded as secure, but a flaw in iOS 10 weakens one part of that protection. Elcomsoft, a Russian forensics research firm, has discovered a loophole in iOS 10 that lets an attacker crack otherwise password-protected iPhone backups 40 times faster than before. These backups contain your passwords and other authentication data for the phone and its apps. An Apple spokeswoman confirmed to Forbes that the company acknowledges the issue and is working on a fix.

"We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing the issue in an upcoming security update."

"This does not affect iCloud backups."

— 9to5Mac (@9to5mac) September 25, 2016

Present on iPhones since iOS 9, the Secure Enclave isolates the sensitive code that handles the keys used to encrypt phone data, and it also controls Apple Pay and Touch ID. The module is responsible for imposing a delay after every incorrect passcode attempt, which is why the wait grows each time someone enters a wrong passcode on an iPhone. After 10 failed attempts it wipes all data from the device.

Normally, a Mac or PC protects local iTunes backups by storing only a hashed form of the backup password, rather than the password itself, inside an encrypted file.

In iOS 9, Apple added several security checks that have to be passed before a local backup on the Mac or PC can be opened. With iOS 10, however, Apple switched to a weaker algorithm for producing the hash under which the password is stored. That lets hackers or law enforcement use specialised software to guess candidate passwords against the stored hash far more quickly.

Afonin explains that the new password verification method in iOS 10 appears to be 2,500 times weaker than the one in iOS 9. To demonstrate this, he used a system with an Intel Core i5 processor to run a brute-force attack that tried 6 million passwords per second against iOS 10 backups. The same tool managed 2,400 passwords per second against iOS 9 backups.
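The two paragraphs above come down to the cost of a single password guess: a verifier built from one cheap hash can be tested millions of times per second, while one built from a deliberately slow key-derivation function cannot. The following Python is an added example and is not Apple's backup format or Elcomsoft's tool; it assumes a single SHA-256 pass as the "weak" verifier and PBKDF2-HMAC-SHA256 with a 10,000-iteration work factor (an arbitrary choice for the demo) as the "strong" one, measures the per-guess cost of each on the local machine, and applies the article's two measured guess rates to a constructed 6-character alphanumeric keyspace.

```python
import hashlib
import hmac
import os
import time

# Added illustration, not Apple's backup format: a single hash pass stands in
# for a "weak" password verifier, PBKDF2-HMAC-SHA256 with a high iteration
# count for a "strong" one. The iteration count is an assumption for the demo.
STRONG_ITERATIONS = 10_000


def weak_verifier(password: str, salt: bytes) -> bytes:
    """One SHA-256 pass over salt + password: as cheap per guess as for the owner."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def strong_verifier(password: str, salt: bytes, iterations: int = STRONG_ITERATIONS) -> bytes:
    """PBKDF2 stretches the password so each guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def check_password(verifier, password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored verifier."""
    return hmac.compare_digest(verifier(password, salt), stored)


def cost_per_guess(verifier, salt: bytes, rounds: int) -> float:
    """Average seconds one verification takes on this machine (constructed candidates)."""
    start = time.perf_counter()
    for i in range(rounds):
        verifier(f"candidate-{i}", salt)
    return (time.perf_counter() - start) / rounds


def slowdown_factor(salt: bytes) -> float:
    """How many times more expensive a guess against the strong verifier is."""
    weak = cost_per_guess(weak_verifier, salt, rounds=2000)
    strong = cost_per_guess(strong_verifier, salt, rounds=20)
    return strong / weak


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = strong_verifier("correct horse", salt)
    print("correct password accepted:", check_password(strong_verifier, "correct horse", salt, stored))
    print("wrong password rejected:", not check_password(strong_verifier, "correct hose", salt, stored))
    print(f"strong verifier is ~{slowdown_factor(salt):.0f}x costlier per guess than the weak one")
    # The article's measured rates: 6,000,000 guesses/s (iOS 10) vs 2,400 guesses/s (iOS 9),
    # applied to a constructed 6-character alphanumeric space of 62**6 candidates.
    for label, rate in (("iOS 10 rate", 6_000_000), ("iOS 9 rate", 2_400)):
        hours = seconds_to_exhaust(62 ** 6, rate) / 3600
        print(f"{label}: exhausting 62^6 candidates takes ~{hours:,.1f} hours")
```

The measured slowdown will vary by machine, but the shape of the result is what matters for a defender: the work factor is the only thing standing between a leaked verifier and a fast offline search, which is why the ratio between the two rates in the article (6,000,000 / 2,400 = 2,500) translates directly into how much longer the same keyspace takes to exhaust.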

— Forbes Tech News (@ForbesTech) August 28, 2016

"Apple is definitely aware they have implemented [the flaw] themselves :)"

Katalov believes that a security update for iOS 10 alone may not be enough to resolve this flaw. In his view, Apple needs a broader fix. He told Motherboard in an email, "So I guess that not just iOS update is needed, but also iTunes update as well, and probably some changes to the backup format."

So expect Apple to address the iOS 10 flaw through updates to several pieces of software, including iOS, iTunes, and its Mac operating systems.

[Featured Image by Sean Gallup/Getty Images]