An iOS 10 flaw exposes your backed up iPhone data to hackers

Vulnerability makes it simple for hackers to crack users' backup passwords

Apple'siPhonesand iPads running the iOS 10 operating system are exposed to a security flaw that allows credentials to be stolen from backups, according to a security firm.

Russian iPhone hacking firm Elcomsoft claimed to uncover the iOS 10 vulnerability, after the OS was released on 13 September, stating that it weakened backup security protection, thus making it simple for hackers to crack passwords used for backups of iOS devices stored on Macs and PCs.

Advertisement - Article continues below

Elcomsoft researcher Oleg Afonin, who helped find the flaw,said in a blog post that while iPhones and iPads are very secure, and any acquisition method gets increasingly difficult with every generation of the iOS operating system, there's still a way for hackers to get into users' backup data.

"Forcing an iPhone or iPad to produce an offline backup and analysing resulting data is one of the very few acquisition options available for devices running iOS 10," Afonin explained. "Local backups are easy to produce if the iPhone is unlocked. However, you may be able to produce a local backup even if the phone is locked by using a pairing record extracted from a trusted computer."

He added: "If you are able to break the password, you'll be able to decrypt the entire content of the backup including the keychain. At this time, logical acquisition remains the only acquisition option available for iPhone 5s, 6/6 Plus, 6s/6s Plus and 7/7 Plus running iOS 10 that offers access to device keychain."

Advertisement - Article continues below
Advertisement - Article continues below

According to Afonin, the flaws also mean cracking efforts against iOS 10 backups are 2,500 times faster compared to similar efforts against iOS 9, and if a cyber crook is successful, the attack will grant access to device keychains.

Apple said it is currently looking to release a patch to fix to the problem, and will address the flaws in an upcoming security update, adding that it did not affect iCloud backups.

"We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC," said Apple in a statement. "We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorised users. Additional security is also available with FileVault whole disk encryption."



cyber security

Hackers torn over how to adapt their tactics to the coronavirus pandemic

3 Apr 2020
data breaches

Printing company exposes 343GB of sensitive military data

20 Mar 2020

How to protect against a DDoS attack

25 Oct 2019
data breaches

Ex-Equifax CIO to serve four months for insider trading

2 Jul 2019

Most Popular

cyber security

Elon Musk's SpaceX bans Zoom over security fears

2 Apr 2020
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020