iTunes backup vulnerability: What you need to know!

It looks like Apple added a new password verification mechanism for encrypted iOS 10 device backups made by iTunes on Mac or Windows. It exists in parallel to the previous mechanism, which uses the PBKDF2 algorithm; the new one uses SHA256 instead. According to researchers, that makes it easier for someone with physical access to your computer, if it's logged in, to brute-force the backup password and access your data.

What happened exactly?

Here's the deal, straight from Elcomsoft:

When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older. This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the 'new' password verification method exists in parallel with the 'old' method, which continues to work with the same slow speeds as before.
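As an added illustration (not code from Apple, Elcomsoft or this article), here is a Python sketch of why a single SHA256 pass is so much cheaper to check than an iterated PBKDF2 derivation, and what a verification rate means for the time needed to exhaust a password space. The salt, iteration count and sample password are constructed assumptions, since the page gives none of them.

```python
"""Why a fast password check weakens a backup: an iterated KDF (PBKDF2) caps how
many guesses per second anyone holding the backup file can test, while a single
SHA256 pass does not. Added illustration; not Apple's or Elcomsoft's code."""
import hashlib
import hmac
import os
import time

# Constructed sample values: the real backup format, salt and iteration counts
# are not given on the page, so these are illustrative only.
SALT = os.urandom(16)
ITERATIONS = 10_000
CORRECT = b"correct horse battery staple"


def make_verifier_slow(password: bytes):
    """Store a PBKDF2 tag; every check must redo all ITERATIONS rounds."""
    tag = hashlib.pbkdf2_hmac("sha1", password, SALT, ITERATIONS)
    return lambda guess: hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha1", guess, SALT, ITERATIONS), tag)


def make_verifier_fast(password: bytes):
    """Store a single SHA256 digest; every check costs one hash call."""
    tag = hashlib.sha256(SALT + password).digest()
    return lambda guess: hmac.compare_digest(
        hashlib.sha256(SALT + guess).digest(), tag)


def guesses_per_second(verify, n: int) -> float:
    """Time n wrong guesses through a verifier and return the check rate."""
    start = time.perf_counter()
    for i in range(n):
        verify(b"wrong-%d" % i)
    return n / (time.perf_counter() - start)


def speedup(n_slow: int = 20, n_fast: int = 20_000) -> float:
    """How many times faster the single-hash check is than the PBKDF2 check."""
    slow = make_verifier_slow(CORRECT)
    fast = make_verifier_fast(CORRECT)
    return guesses_per_second(fast, n_fast) / guesses_per_second(slow, n_slow)


def seconds_to_exhaust(alphabet: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of the given alphabet and length."""
    return (alphabet ** length) / rate


if __name__ == "__main__":
    print(f"single SHA256 check is ~{speedup():,.0f}x faster than PBKDF2")
    for name, maker, n in (("PBKDF2", make_verifier_slow, 20),
                           ("SHA256", make_verifier_fast, 20_000)):
        rate = guesses_per_second(maker(CORRECT), n)
        hours = seconds_to_exhaust(26, 8, rate) / 3600
        print(f"{name}: {rate:,.0f} checks/s -> 8 lowercase letters in {hours:,.1f} h")
```

The measured ratio depends on the machine and on the iteration count chosen; the page's 2500x figure comes from the real backup format, which this sketch does not reproduce.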

Is Apple fixing it?

Yup! Apple told Forbes a fix is in the works:

"We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups," a spokesperson said. "We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption."

Should I worry about this?

Be informed, don't be alarmed. It's nothing most people have to worry about.

If you are worried, use iCloud for now instead of iTunes for device backups. If you don't want to use iCloud and want to keep using iTunes, make sure you don't leave your computer around where strangers can access it, and make sure you use a strong, impossible to guess, account password for your computer.

Then update as soon as Apple makes the fix available.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • This was no accident. It just baffles me as to why they'd let something like this intentionally slide by. I've been wary of new OS updates from Apple (especially major ones) for a while now and my wariness was warranted. Thankfully my 6S Plus is still on iOS 9.3.5 (also because iOS 10 is riddled with problems on my iPhone 6) and my iTunes is still on And iCloud is supposed to be safer? Please, I thought iCloud backups are still unencrypted.
  • Apple's website claims iCloud backups are encrypted, yet they seem to have access when the government is involved. Sent from the iMore App
  • I figure that this is more of an iTunes-related issue than an iOS-related issue. More than likely we're going to be seeing iTunes version 12.5.2 coming soon. iTunes does the backup of the data, not iOS. iOS simply feeds iTunes the data during a backup and iTunes packages it up.
  • This is so unimportant to the average user. Think about it. Someone needs to gain access to your computer. Then find your backup file, which can happen in pre-iOS 10 backups too. Then, just like someone could in pre-iOS 10 backups, they could break your encryption password. Only they can do it 2500 times faster, or 6 million password combinations a second, as opposed to what, 500 thousand a second? Either way the file is still just as equally vulnerable as before. But saying that does make news or headlines. Sent from the iMore App
  • I don't think they're talking about encrypted backups. Only "password protected" as in your login password.
    The article is very unclear about this. Sent from the iMore App
  • I was reading the article on Forbes and the encrypted backup to iTunes is what was referenced. Sent from the iMore App
  • Ah. That's a shame. Thanks for the info.
  • That's the thing... nothing to really wonder about unless you share your Mac with friends, or businesses have you use your own Mac.
  • I think I'm not going to worry about this. Someone with the skills to do it needs to have my computer, logged in. Unlikely. Sent from the iMore App
  • Not really something to be concerned with unless I have others using my Mac, which I don't. You could argue why did Apple do this, or not take notice, and yeah, you're right, they should have done. Being in the same kind of 'strict' security scenario, the 'keys to the kingdom' for me are on my *only* USB drives (including backups); I never keep copies of them elsewhere. BUT by the same token, if you do that you also step up your game as well, which is why I keep all of them on me at all times as my #1 priority. And if I stuff up, I only have myself to blame, so I take full responsibility for that and learn from it next time *with brand new 60-character gibberish secure passwords, obviously*. Seems Apple 'slipped the disc' with this one. While it may be easier to brute force... it's still pretty strong... I mean, how much quicker would it be compared to SHA256? Don't all secure websites online use this?
  • Impressive response time by Apple, but unusual for them to make such a poor decision in the first place. It's been a busy month for them so let's cut them some slack, yes? Posted via the iMore App