Apple mistakenly weakens backups on iTunes with iOS 10

Apple has improved the user experience on its Apple devices through their recent iOS 10 updates, but it’s not all rosy. The tech giant mistakenly introduced a flaw in the new iOS 10 update which made it easier for the password crackers to use brute force methods to get data backed up on iTunes. Apple made a serious blunder with the iOS 10 with the password verifications for iOS 10 backups to the iTunes and Mac and the Windows PC.

Apple mistakenly weakens backups on iTunes with iOS 10The claim that Apple made a mistake with their most secure operating system was made by Elcomsoft, a Russian forensics firm. The company reported on Friday last week that the password security checks which were being used for the backups had now decreased by a factor of 2,500 and password crackers could now easily access them than the previous iOS versions.

If the password to backup data will be cracked, it will not only reveal the backup data but will also include the user credentials used for the Apple’s Keychain password manager. The Keychain password manager is where password and sensitive information are stored for services such as Safari, third party apps and credit card information.

Oleg Afonin, a security researcher at the company said that the iOS backups were being scrutinised and of interest to hackers because they represented the only way that the hackers could take information from Apple devices which now have the secure iOS 10 software.

Devices ranging from the iPhone 5s to the iPhone 7 and 7 Plus all have the capability to host the new iOS 10 software. Therefore, if law enforcement agencies wanted to get data from any of these devices for their investigations, they could easily do that by forcing a backup of the device’s contents onto a trusted computer and then making a backup.

In his article detailing the flaw, Afonin wrote that forcing devices to backup their data onto an offline computer, was one of the best chances anyone had to take the information they needed from any device running iOS 10 software.

He also noted that in most cases pairing backups were easy to make if the phone was unlocked but he also said that it would also be possible to make a backup with a locked phone just by using a pairing record from a previously trusted computer. After that, if the attacker or anyone can then brute force the password, they can simply get all the information that is in the backup including the Keychain information.

One password expert, Per Thorsheim, noted in his blog that the weakness had been caused by a flaw in the change of password hashing algorithms by Apple, from the PBKDF2 with about 10,000 iterations in the iOS 9 and to a SHA256 with only one single iteration in the iOS 10. This change is the one that makes it possible for more guesses to be made per one second without limit.

Apple acknowledged the fact there was a problem with the backup system and they were going to release a patch for it in an update. It however noted that the problem did not affect the iCloud backups.