iOS 10 Security Flaw Leaves iPhone Backups Vulnerable to Hackers
By Shirley Siluk / CRM Daily
The latest version of Apple's mobile operating system, iOS 10, features a "major security flaw" that makes it easier for hackers to crack passwords through local iTunes backups, according to the Moscow-based digital forensics and password recovery firm ElcomSoft.

In a blog post Friday, ElcomSoft's Oleg Afonin called the potential impact of the security weakness "severe." Apple released iOS 10 on September 13, three days before it launched the iPhone 7 and iPhone 7 Plus, both of which run the new operating system.

The flaw stems from an alternative password verification mechanism that Apple added to iOS 10 backups, according to Afonin. The new method, which sits alongside a previous backup method used in iOS 9 and earlier versions, allows hackers to guess at a device's password anywhere from 40 to 2,500 times faster than before, he said.

80%-90% Chance of Password Recovery

"When working on an iOS 10 update for Elcomsoft Phone Breaker [ElcomSoft's forensics tool for iOS and BlackBerry devices], we discovered an alternative password verification mechanism added to iOS 10 backups," Afonin said in his blog post. "We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older."

Using Phone Breaker with a variety of password dictionary resources, a hacker running those tools over a two-day period has an 80 percent to 90 percent chance of recovering a password on an iOS 10 device, Afonin added.
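As an added illustration (not code from the article or from ElcomSoft), the following models why a verifier that skips expensive steps lets each password guess run orders of magnitude cheaper: it pairs an assumed PBKDF2-based backup-password check with a high iteration count against an assumed cheap variant, then measures guesses per second against each. The iteration counts, the header layout and the sample words are constructed assumptions; the article does not describe Apple's actual mechanism.

```python
import hashlib
import hmac
import os
import time

# Assumed work factors for illustration only; chosen so the ratio is 2500x,
# matching the speedup the article quotes. Not Apple's real parameters.
STRONG_ITERATIONS = 10_000   # assumed cost of an iOS 9-style verifier
WEAK_ITERATIONS = 4          # assumed cost of a verifier that "skips checks"


def derive_verifier(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1 tag used to check a backup password (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=32)


def make_backup_header(password: str, iterations: int) -> dict:
    """Constructed stand-in for the verification data stored with a backup."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "verifier": derive_verifier(password, salt, iterations)}


def check_password(header: dict, candidate: str) -> bool:
    """Recompute the tag for a candidate and compare in constant time."""
    tag = derive_verifier(candidate, header["salt"], header["iterations"])
    return hmac.compare_digest(tag, header["verifier"])


def guesses_per_second(header: dict, candidates) -> float:
    """Measure how many candidates per second this header's work factor allows."""
    start = time.perf_counter()
    for c in candidates:
        check_password(header, c)
    return len(candidates) / (time.perf_counter() - start)


def speedup_ratio(strong: dict, weak: dict) -> int:
    """Work-factor ratio: how many times cheaper one guess is on the weak path."""
    return strong["iterations"] // weak["iterations"]


if __name__ == "__main__":
    words = ["password", "letmein", "qwerty", "iphone7", "correct horse"] * 20
    strong = make_backup_header("correct horse", STRONG_ITERATIONS)
    weak = make_backup_header("correct horse", WEAK_ITERATIONS)
    print(f"work-factor ratio: {speedup_ratio(strong, weak)}x")
    print(f"strong path: {guesses_per_second(strong, words):.0f} guesses/s")
    print(f"weak path:   {guesses_per_second(weak, words):.0f} guesses/s")
```

The measured throughput gap tracks the iteration ratio, which is why a low work factor turns dictionary guessing over a couple of days from hopeless into likely unless the password is long and not dictionary-derived.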

Apple did not respond to our request for comment on the ElcomSoft report. However, Forbes reported Friday that the company provided the following statement: "We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups."

According to Forbes, Apple recommended that iOS users employ strong passwords and ensure only authorized users can access their devices. "Additional security is also available with FileVault whole disk encryption," the statement noted.

Requires Physical Access to Device

However, the vulnerability exists only if a hacker has physical access to an iOS 10 device, SnoopWall CEO Gary Miliefsky said in an article published today in The Cointelegraph, a financial technology news site.

"It's not that big of a deal if you use a really good password that's not a word or combo of words in the dictionary," Miliefsky said. "Bottom line is; someone brute forcing your phone needs to have it in hand physically anyway."

A number of users on Apple's online communities have raised questions about iOS 10 and posted complaints about security issues with the operating system.

Per Thorsheim, a Norway-based security advisor and CEO of God Praksis, wanted to know why Apple would have introduced the new password method to iOS 10, calling the change "devastating."

"Apple has taken us through many betas of iOS 10, so it is easy to say that this didn't happen by pure error," Thorsheim wrote in a blog post. "The interesting question for Apple to answer is whether this massive weakening of your security & privacy is intentional, if it is a stupid glitch, or is it clueless crypto/developers?"

Computer security analyst Graham Cluley also questioned Apple's approach. "[C]onsidering that Apple has been making such an impressive stand recently on security, fighting attempts to force it to weaken the security of its mobile devices, it's disappointing to see this apparent backward step," he wrote in a blog post.

Image credit: Product shots by Apple.

Posted: 2016-10-04 @ 4:09am PT
I wouldn't be at all surprised if this has been put in deliberately to satisfy the Feds after the trouble over cracking the terrorist couple's phone in San Diego last year. Exposing us all in their efforts to "protect us".

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.