iOS 10 Just Made Hacking Into Your iPhone And iPad Backups Dramatically Easier

Apple bills iOS 10 as being “More personal. More powerful. More playful.” It’s hard to argue with that train of thought, given the features that Apple has infused into the mobile operating system including a totally revamped iMessage app, rich notifications, third-party app integration with Siri, more useful 3D Touch actions, and other various tweaks and additions.

However, at least one area in iOS 10 has seen a bit of a regression compared to previous versions, and it could leave your iPhone and iPad data less secure than before. We know that some of the world’s best hackers come from Russia, so we’re taking this latest report from Russian firm ElcomSoft very seriously.

Researchers for the company say that Apple has made local iTunes backups for devices more vulnerable to hackers, thanks to what is described as an “alternative password verification mechanism” that has been added with iOS 10.

ios 10 banner 2

According to ElcomSoft, this new method offers a shortcut for verification, allowing it to skip some critical security checks. As a result, iOS 10 backup passwords in iTunes can be obtained “approximately 2,500 times faster” than what was possible with iOS 9.

Oleg Afonin writes in a blog posting:

This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the ‘new’ password verification method exists in parallel with the ‘old’ method, which continues to work with the same slow speeds as before.

eppb s3
ElcomSoft Phonebreaker Software

It’s recommended that all users assign passwords to protect their iOS backups for obvious security reasons, so this quicker method for cracking those passwords is disconcerting. Afonin continues, adding, “If you are able to break the password, you’ll be able to decrypt the entire content of the backup including the keychain.”

ElcomSoft considers this a serious security flaw in iOS 10. Now that the attack vector is out in the open, we hope that Apple works quickly to patch it up or at least remove the new verification method and revert back to the more secure system that has served previous versions of iOS.