Modern field guide to security and privacy

How Apple made it easier to hack iTunes backups with iOS 10

A Russian cybersecurity firm exploited changes in iPhone and iPad software to expose passwords used to protect encrypted data. Experts say it's a technique that law enforcement could use to break into Apple products.

Sergei Karpukhin/Reuters
Customers gathered at a store in Moscow selling Apple products during the launch of the new iPhone 7. REUTERS/Sergei Karpukhin

Apple positioned iOS 10 as a step forward in iPhone security. But soon after the operating system debuted, researchers discovered a flaw that could allow hackers to force their way into the encrypted files created when iOS 10 devices are backed up to a desktop computer via iTunes.

These backups can contain information about the apps installed on a device, the messages stored on the device, and potentially any passwords that have been saved to the iOS keychain.

Backups are typically used to restore data after a software malfunction; they can also be used to move information to a new device without having to go through a complicated setup process.

Elcomsoft, a Russian company that sells digital forensics software to law enforcement agencies and consumers alike, revealed on Sept. 23 that iOS 10 backups are easier to break into than backups made with iOS 9. The company said its software can guess 2,400 passwords per second on iOS 9 backups; it can make six million guesses per second on iOS 10 backups.

The problem was caused by a change to the file system used to store these device backups. With iOS 10, Apple stores an easy-to-crack representation of the password used to protect these backups as well as a more secure version. Elcomsoft’s tools focus on the weaker protections to make more password guesses per second and, potentially, gain access to those sensitive files.

"We usually see that new versions of password protection are only being improved, but Apple took a step back with iOS 10," said Elcomsoft chief executive Vladimir Katalov. "Hopefully, it's a simple mistake. Probably when they changed the iTunes file format they left that part of the code in for debugging purposes or whatever and just forgot to remove it from the release version."

Apple did not respond to a request for comment. The company did tell Fortune, however, that it plans to fix the problem in an upcoming security update. It's not clear when that update will be released, or whether Apple will be able to secure backups created with the current version of iOS 10. If it doesn't, people could still be vulnerable to this attack even if they update their devices.

That could be a problem if Elcomsoft’s tools are improved. Mr. Katalov said that if the company moved its algorithms to a more powerful graphics processing unit, it might be able to make 100 million password guesses per second. This would put even more people at risk of being hacked.

The good news is that Elcomsoft's tool requires physical access to the computer on which the backups are stored, which means it can't currently be used to remotely break into this sensitive data. "There is actually almost no risk to most consumers," Katalov says. "I would say that this discovery is probably most interesting not for regular users, but for law enforcement agencies."

Andrew Blaich, a security researcher at the mobile security company Lookout, agrees.

"For most people this is a low risk," he says. "It's a very interesting find by the researchers, and it's definitely going to be useful for forensic investigators, but once things are fixed you should be able to delete the existing backup and then back everything up again to have a low risk of attack."

Despite rallies in support of Apple's stance against the FBI after the agency requested help unlocking the San Bernardino, Calif., shooter's iPhone, most Americans appear to have little problem with law enforcements' use of hacking tools.

A recent Pew survey showed that most people seek to protect their privacy against "hackers or criminals" or "people from your past." Relatively few – just 5 percent and 4 percent, respectively – worried about keeping their information safe from "the government" or "law enforcement."

Yet Katalov and Mr. Blaich disagree on how consumers should respond to this development.

Katalov says that this might push people to use iCloud backups, which can have two-factor authentication enabled and would help defend against exploits like this, while Blaich says it's better to have something as sensitive as a device backup stored locally instead of up in somebody else's cloud.

"The best thing to really consider is that if you do have data that you don't want other people to know or see it's probably best not to have it backed up," Blaich says. "People are able to actively choose what they want to back up, and decide if they want to back up messages, photos, etc. I would definitely say to exercise caution if you are concerned about those types of things."

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to How Apple made it easier to hack iTunes backups with iOS 10
Read this article in
QR Code to Subscription page
Start your subscription today