iTunes backup vulnerability: What you need to know!

Looks like Apple added a new password-verification system for encrypted iOS 10 device backups made by iTunes on Mac or Windows. It exists in parallel to the previous one, which uses a PBKDF2 algorithm; the new one uses SHA256 instead. That, according to researchers, makes it easier for someone with physical access to your computer, while you're logged in, to brute force the password and access your data.
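To see why the hashing scheme decides how quickly a backup password can be guessed, here is an added example (not code from the article, Apple or Elcomsoft): two stored password verifiers, one derived with PBKDF2-HMAC-SHA256 at an assumed 10,000 iterations and one a single salted SHA-256, with a timing of one check under each. The salt, passwords and iteration count are constructed for illustration and are not iOS 10's real parameters.

```python
"""Why the iteration count is the security knob of a password check.

Added example; the parameters (salt, 10,000 iterations, single salted
SHA-256) are illustrative assumptions, not Apple's actual backup format.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 10_000  # assumed work factor for the "slow" verifier


def make_slow_verifier(password: str, salt: bytes) -> bytes:
    # Verifier derived with PBKDF2-HMAC-SHA256: every guess must pay for
    # ITERATIONS HMAC computations, which is what makes guessing slow.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_fast_verifier(password: str, salt: bytes) -> bytes:
    # Verifier that is one salted SHA-256: correct as a check, but each guess
    # costs a single hash, so guessing is orders of magnitude cheaper.
    return hashlib.sha256(salt + password.encode()).digest()


def check_slow(candidate: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(make_slow_verifier(candidate, salt), stored)


def check_fast(candidate: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(make_fast_verifier(candidate, salt), stored)


def cost_ratio(trials: int = 20) -> float:
    """Time one wrong-password check under each scheme; return slow/fast."""
    salt = os.urandom(16)  # constructed salt
    slow = make_slow_verifier("correct horse", salt)
    fast = make_fast_verifier("correct horse", salt)
    t0 = time.perf_counter()
    for _ in range(trials):
        check_slow("wrong guess", salt, slow)
    t_slow = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(trials):
        check_fast("wrong guess", salt, fast)
    t_fast = time.perf_counter() - t0
    return t_slow / max(t_fast, 1e-9)


if __name__ == "__main__":
    print(f"one PBKDF2 check costs ~{cost_ratio():.0f}x one plain-hash check")
```

The ratio printed is the factor by which a defender's chosen iteration count slows every guess; lowering it to a single hash hands that factor straight to whoever holds the backup file.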

What happened exactly?

Here's the deal, straight from Elcomsoft:

When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older. This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the 'new' password verification method exists in parallel with the 'old' method, which continues to work with the same slow speeds as before.

Is Apple fixing it?

Yup! Apple told Forbes a fix is in the works:

"We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups," a spokesperson said. "We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption."

Should I worry about this?

Be informed, don't be alarmed. It's nothing most people have to worry about.

If you are worried, use iCloud for now instead of iTunes for device backups. If you don't want to use iCloud and want to keep using iTunes, make sure you don't leave your computer where strangers can access it, and make sure you use a strong, impossible-to-guess account password for your computer.

Then update as soon as Apple makes the fix available.

Rene Ritchie
Contributor

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.