September 26, 2016 weblog
Apple addressing iOS 10 iTunes backup security issue in upcoming security update
(Tech Xplore)—Apple has confirmed a flaw and said it will fix it. What's it all about?
In a press statement datelined Moscow a few days ago, ElcomSoft Co. Ltd. announced an update to its Elcomsoft Phone Breaker 6.10. This is described as a "mobile acquisition tool" designed for forensic specialists. It is intended to support law enforcement specialists in extracting information from offline and cloud backups created by Apple, BlackBerry and Windows devices.
Forbes described ElcomSoft as a "well-known Russian forensics company."
Thomas Fox-Brewster in Forbes reported that "As soon as iOS 10 was out, the company started probing its security, and found Apple was using a weaker password protection mechanism for manual backups via iTunes than it had done previously."
According to the ElcomSoft announcement, "The new discovery in iOS 10 backups potentially allows recovery speeds thousands of times faster compared to password-protected iOS 9 backups."
Vladimir Katalov, the company CEO, said, "All versions of iOS prior to iOS 10 used to use extremely robust protection."
Katalov also said that "Chances of recovering a long, complex password were slim, and even then a high-end GPU would be needed to accelerate the recovery. As a result of our discovery, we can now break iOS 10 backup passwords much faster even without GPU acceleration."
In SlashGear, Adam Westlake explained that encrypted iOS 10 backups created in iTunes were less secure.
"A source of the problem seems to be the use of a different algorithm, which only runs password attempt once, as opposed to running each password 10,000 times like with iOS 4 through 9."
Westlake made it clear that the issue only applied "to local iTunes backups created on a Mac or PC; backups made to iCloud remain secure."
He remarked that an "unintentional flaw" nonetheless meant that "new password protected backups offer an 'alternative password verification mechanism'", leaving them vulnerable to brute-force hacks more quickly than backups from previous iOS versions.
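The effect of checking each password once instead of 10,000 times can be shown with a key-stretching function written out so its work can be counted. This is an added example, not code from Apple, ElcomSoft or the original article; PBKDF2-HMAC-SHA256, the sample password and salt, the 8-character keyspace and the rate of 1e9 PRF calls per second are assumptions chosen for illustration, since the article does not name the algorithms involved.

```python
import hashlib
import hmac
import math

def pbkdf2_counted(password, salt, iterations, dklen=32):
    """PBKDF2-HMAC-SHA256 spelled out so every PRF (HMAC) call is counted.
    Returns (derived_key, prf_calls)."""
    hlen = hashlib.sha256().digest_size
    calls, out = 0, b""
    for block in range(1, math.ceil(dklen / hlen) + 1):
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hashlib.sha256).digest()
        calls += 1
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # Each extra iteration is one more HMAC the verifier (and any guesser) must pay.
            u = hmac.new(password, u, hashlib.sha256).digest()
            calls += 1
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return out[:dklen], calls

def worst_case_seconds(keyspace, prf_calls_per_guess, prf_calls_per_second):
    """Time to try every candidate when each guess costs prf_calls_per_guess."""
    return keyspace * prf_calls_per_guess / prf_calls_per_second

# Constructed sample values (assumptions, not taken from any real backup).
PASSWORD = b"correct horse battery staple"
SALT = bytes(range(16))
STRETCHED = 10_000   # iteration count quoted in the article for iOS 4 through 9
SINGLE = 1           # "only runs password attempt once"

def compare(keyspace=36 ** 8, prf_rate=1e9):
    key_s, calls_s = pbkdf2_counted(PASSWORD, SALT, STRETCHED)
    key_1, calls_1 = pbkdf2_counted(PASSWORD, SALT, SINGLE)
    # Cross-check the hand-written loop against the standard library.
    ok = (key_s == hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, STRETCHED)
          and key_1 == hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, SINGLE))
    return {
        "matches_hashlib": ok,
        "prf_calls_stretched": calls_s,
        "prf_calls_single": calls_1,
        "cost_ratio": calls_s // calls_1,
        "days_stretched": worst_case_seconds(keyspace, calls_s, prf_rate) / 86400,
        "minutes_single": worst_case_seconds(keyspace, calls_1, prf_rate) / 60,
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The comparison isolates the iteration count only, with the same primitive on both sides; a real recovery speed-up also depends on the hash functions and hardware involved.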
Just as important, Apple acknowledged the issue.
According to SlashGear, the company said that with an upcoming security update, a fix was on the way.
"Apple has issued a statement noting that it's aware of the problem with local iTunes backups for iOS 10 and an upcoming security update will resolve the issue," said Westlake.
Forbes quoted a company spokesperson. "We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups," a spokesperson said. "We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption."
© 2016 Tech Xplore