Apple Inc. (AAPL) Is Working to Crack Serious iOS 10 Security Issue


A few years ago, Apple Inc. (NASDAQ:AAPL) learned some tough lessons about security when iCloud accounts were hacked in a big way. However, it looks like not everyone on the iOS team got the memo on the importance of security. It turns out hacking an encrypted iOS 10 iPhone backup can be accomplished 2,500 times faster than in iOS 9, after Apple opted to skip some iOS 10 security checks.


The good news? This time, it doesn’t affect iCloud backups, only those saved to a Mac or PC. The bad news? Apple stock still is off about 1% on Monday morning as yet another flaw strikes.

Elcomsoft Discovers iOS 10 Security Flaw

Do you recognize the name Elcomsoft? This Russian forensics company was in the spotlight in 2014 when its software was used for the infamous hack of celebrity photos saved using Apple’s iCloud.

It’s bad enough that a major iOS 10 security flaw that could expose personal data has been discovered.

Having Elcomsoft make the announcement rubs salt in the wound.

The company discovered that AAPL incorporated an “alternative password verification mechanism” in iOS 10, and this new routine skips a number of security checks that were in place in iOS 9. As a result, brute-force attacks can crack the password of an iOS 10 device backup on a Mac or PC 2,500 times faster than before.

Elcomsoft says its software has an 80% to 90% chance of cracking the backup of an iPhone running iOS 10 in two days — and that’s without a GPU-optimized version. Once that’s available, the situation gets worse.

How Bad is This iOS 10 Security Flaw?

If someone were able to decrypt an iOS 10 device backup, they would gain access to all data backed up from the iPhone or iPad, including media, call logs and the Keychain. That last item could be the worst part because Keychain is where Apple stores critical data like passwords and credit card info. Gain access to Keychain and you can wreak all sorts of financial and social media havoc.

What keeps this iOS 10 security snafu from becoming another potential PR disaster for AAPL is that a hacker would need to gain physical access to the Mac or PC where the iPhone backup was stored. That limits the opportunity to exploit the weakness, even though Elcomsoft classifies the issue as “severe.”

It’s still serious enough that Apple issued a rare statement to Forbes, stating a fix is in the works and recommending users ensure their computers are safe:

“We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups. We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.”

Until AAPL releases a fix, if you back your iPhone up to your Mac or PC, the iOS 10 security weakness gives you more reason than ever to make sure your computer itself is protected.

As of this writing, Brad Moon did not hold a position in any of the aforementioned securities.


Brad Moon has been writing for InvestorPlace.com since 2012. He also writes about stocks for Kiplinger and has been a senior contributor focusing on consumer technology for Forbes since 2015.


Article printed from InvestorPlace Media, https://investorplace.com/2016/09/apple-inc-aapl-ios-10-security/.
