Your iPhone is now potentially less secure than it previously was, and it’s all thanks to iOS 10.
Once you have updated your iPhone to iOS 10, manual backups are much less secure than they were previously. This is because the password-protected backups employ an “alternative password verification mechanism” which can be cracked a lot faster than the previous mechanism.
Elcomsoft, a Russian forensics company whose tools help hackers break into iPhones, discovered this vulnerability when updating its Phone Breaker. And it duly published a blog post revealing Apple’s mistake.
This iOS 10 got me about to buy an android.
— Nick Porter (@NickGPorter) September 25, 2016
The company claims it could now crack into a backup file “approximately 2500 times faster compared to the old mechanism used in iOS 9 and older”. With iOS 9, Elcomsoft could process 2,400 passwords per second. With iOS 10 in its current state, however, Elcomsoft could process 6 million passwords per second.
A Big Leap Back In Security
Apple is already on the case, telling Forbes it’s “looking into the issue”. The company also issued the following statement, suggesting this vulnerability will be fixed sooner rather than later:
“We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups.”
“We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.”
In order to take advantage of this vulnerability, a hacker would have to gain access to the Mac or PC where the backup is stored. So, there’s only a minuscule chance of this actually affecting users. Still, it’s a good job the vulnerability was discovered now and not several months down the line.
In the meantime we’ll leave you with the words of Per Thorsheim, a password security expert who knows the score. He told Forbes Apple should win the “stupidity award of the year” for such “a big leap back in security”.