IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

An iOS 10 flaw exposes your backed up iPhone data to hackers

Vulnerability makes it simple for hackers to crack users' backup passwords

Apple'siPhonesand iPads running the iOS 10 operating system are exposed to a security flaw that allows credentials to be stolen from backups, according to a security firm.

Russian iPhone hacking firm Elcomsoft claimed to uncover the iOS 10 vulnerability, after the OS was released on 13 September, stating that it weakened backup security protection, thus making it simple for hackers to crack passwords used for backups of iOS devices stored on Macs and PCs.

Elcomsoft researcher Oleg Afonin, who helped find the flaw,said in a blog post that while iPhones and iPads are very secure, and any acquisition method gets increasingly difficult with every generation of the iOS operating system, there's still a way for hackers to get into users' backup data.

"Forcing an iPhone or iPad to produce an offline backup and analysing resulting data is one of the very few acquisition options available for devices running iOS 10," Afonin explained. "Local backups are easy to produce if the iPhone is unlocked. However, you may be able to produce a local backup even if the phone is locked by using a pairing record extracted from a trusted computer."

He added: "If you are able to break the password, you'll be able to decrypt the entire content of the backup including the keychain. At this time, logical acquisition remains the only acquisition option available for iPhone 5s, 6/6 Plus, 6s/6s Plus and 7/7 Plus running iOS 10 that offers access to device keychain."

According to Afonin, the flaws also mean cracking efforts against iOS 10 backups are 2,500 times faster compared to similar efforts against iOS 9, and if a cyber crook is successful, the attack will grant access to device keychains.

Apple said it is currently looking to release a patch to fix to the problem, and will address the flaws in an upcoming security update, adding that it did not affect iCloud backups.

"We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC," said Apple in a statement. "We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorised users. Additional security is also available with FileVault whole disk encryption."

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Recommended

Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
Gumtree site code made personal data of users and sellers publicly accessible
data protection

Gumtree site code made personal data of users and sellers publicly accessible

16 Dec 2021
Pizza chain exposed 100,000 employees' Social Security numbers
data breaches

Pizza chain exposed 100,000 employees' Social Security numbers

19 Nov 2021
83% of critical infrastructure companies have experienced breaches in the last three years
cyber security

83% of critical infrastructure companies have experienced breaches in the last three years

11 Nov 2021

Most Popular

Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs
zero-day exploit

Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs

18 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
Google is now spending a staggering amount on blockchain
Business strategy

Google is now spending a staggering amount on blockchain

17 Aug 2022