An iOS 10 flaw exposes your backed up iPhone data to hackers

Vulnerability makes it simple for hackers to crack users' backup passwords

Apple's iPhones and iPads running the iOS 10 operating system are exposed to a security flaw that allows credentials to be stolen from backups, according to a security firm.

Russian iPhone hacking firm Elcomsoft claimed to have uncovered the iOS 10 vulnerability after the OS was released on 13 September, stating that it weakened backup security protection, making it simple for hackers to crack passwords used for backups of iOS devices stored on Macs and PCs.

Elcomsoft researcher Oleg Afonin, who helped find the flaw, said in a blog post that while iPhones and iPads are very secure, and any acquisition method gets increasingly difficult with every generation of the iOS operating system, there's still a way for hackers to get into users' backup data.

"Forcing an iPhone or iPad to produce an offline backup and analysing resulting data is one of the very few acquisition options available for devices running iOS 10," Afonin explained. "Local backups are easy to produce if the iPhone is unlocked. However, you may be able to produce a local backup even if the phone is locked by using a pairing record extracted from a trusted computer."

He added: "If you are able to break the password, you'll be able to decrypt the entire content of the backup including the keychain. At this time, logical acquisition remains the only acquisition option available for iPhone 5s, 6/6 Plus, 6s/6s Plus and 7/7 Plus running iOS 10 that offers access to device keychain."

According to Afonin, the flaws also mean cracking efforts against iOS 10 backups are 2,500 times faster compared to similar efforts against iOS 9, and if a cyber crook is successful, the attack will grant access to device keychains.

Apple said it is currently looking to release a patch to fix the problem, and will address the flaws in an upcoming security update, adding that it did not affect iCloud backups.

"We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC," said Apple in a statement. "We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorised users. Additional security is also available with FileVault whole disk encryption."
