How Apple made it easier to hack iTunes backups with iOS 10

A Russian cybersecurity firm exploited changes in iPhone and iPad software to expose passwords used to protect encrypted data. Experts say it's a technique that law enforcement could use to break into Apple products.

Apple positioned iOS 10 as a step forward in iPhone security. But soon after the operating system debuted, researchers discovered a flaw that could allow hackers to force their way into the encrypted files created when iOS 10 devices are backed up to a desktop computer via iTunes.

These backups can contain information about the apps installed on a device, the messages stored on the device, and potentially any passwords that have been saved to the iOS keychain.

Backups are typically used to restore data after a software malfunction; they can also be used to move information to a new device without having to go through a complicated setup process.

Elcomsoft, a Russian company that sells digital forensics software to law enforcement agencies and consumers alike, revealed on Sept. 23 that iOS 10 backups are easier to break into than backups made with iOS 9. The company said its software can guess 2,400 passwords per second on iOS 9 backups; it can make six million guesses per second on iOS 10 backups.

The problem was caused by a change to the file system used to store these device backups. With iOS 10, Apple stores an easy-to-crack representation of the password used to protect these backups as well as a more secure version. Elcomsoft’s tools focus on the weaker protections to make more password guesses per second and, potentially, gain access to those sensitive files.

"We usually see that new versions of password protection are only being improved, but Apple took a step back with iOS 10," said Elcomsoft chief executive Vladimir Katalov. "Hopefully, it's a simple mistake. Probably when they changed the iTunes file format they left that part of the code in for debugging purposes or whatever and just forgot to remove it from the release version."

Apple did not respond to a request for comment. The company did tell Fortune, however, that it plans to fix the problem in an upcoming security update. It's not clear when that update will be released, or whether Apple will be able to secure backups created with the current version of iOS 10. If it doesn't, people could still be vulnerable to this attack even if they update their devices.

That could be a problem if Elcomsoft’s tools are improved. Mr. Katalov said that if the company moved its algorithms to a more powerful graphics processing unit, it might be able to make 100 million password guesses per second. This would put even more people at risk of being hacked.

The good news is that Elcomsoft's tool requires physical access to the computer on which the backups are stored, which means it can't currently be used to remotely break into this sensitive data. "There is actually almost no risk to most consumers," Katalov says. "I would say that this discovery is probably most interesting not for regular users, but for law enforcement agencies."

Andrew Blaich, a security researcher at the mobile security company Lookout, agrees.

"For most people this is a low risk," he says. "It's a very interesting find by the researchers, and it's definitely going to be useful for forensic investigators, but once things are fixed you should be able to delete the existing backup and then back everything up again to have a low risk of attack."

Despite rallies in support of Apple's stance against the FBI after the agency requested help unlocking the San Bernardino, Calif., shooter's iPhone, most Americans appear to have little problem with law enforcements' use of hacking tools.

A recent Pew survey showed that most people seek to protect their privacy against "hackers or criminals" or "people from your past." Relatively few – just 5 percent and 4 percent, respectively – worried about keeping their information safe from "the government" or "law enforcement."

Yet Katalov and Mr. Blaich disagree on how consumers should respond to this development.

Katalov says that this might push people to use iCloud backups, which can have two-factor authentication enabled and would help defend against exploits like this, while Blaich says it's better to have something as sensitive as a device backup stored locally instead of up in somebody else's cloud.

"The best thing to really consider is that if you do have data that you don't want other people to know or see it's probably best not to have it backed up," Blaich says. "People are able to actively choose what they want to back up, and decide if they want to back up messages, photos, etc. I would definitely say to exercise caution if you are concerned about those types of things."