It looks like Apple added a new password verification method for encrypted iOS 10 device backups made by iTunes on Mac or Windows. It exists in parallel with the previous method, which derives the verification value with PBKDF2, but the new one uses a single SHA-256 hash instead. According to researchers, that makes it far cheaper to brute force the backup password: anyone who can get a copy of the backup file, for example someone with physical access to your computer while you're logged in, can test guesses much faster than before and access your data.
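To see why one hash per guess matters, here is an added example (not code from the article, from Elcomsoft, or from Apple) that models the two kinds of check side by side. It assumes a hypothetical layout, a fixed salt and a PBKDF2-HMAC-SHA1 check with 10,000 iterations for the older method; the real iOS backup keybag format is not shown on this page. The attack loop is the same in both cases; only the cost per guess changes.

```python
import hashlib
import hmac
import time

# Hypothetical verifiers, not the real iOS backup keybag format (the page does
# not show that). They model the reported cost difference per password guess.
PBKDF2_ITERATIONS = 10_000                 # assumed iteration count for the older check
SALT = b"\x8a\x2f\x91\xb3\x07\x55\xc1\xde"  # constructed sample salt


def slow_verifier(password: str, salt: bytes = SALT) -> bytes:
    """Older check: PBKDF2-HMAC-SHA1; every guess costs thousands of hashes."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def fast_verifier(password: str, salt: bytes = SALT) -> bytes:
    """Newer check as reported: one SHA-256; every guess costs one hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def brute_force(verifier, stored: bytes, candidates):
    """Offline dictionary attack against a stored verification value.

    Returns (recovered_password_or_None, guesses_tried, seconds_elapsed).
    """
    start = time.perf_counter()
    tried = 0
    for candidate in candidates:
        tried += 1
        if hmac.compare_digest(verifier(candidate), stored):
            return candidate, tried, time.perf_counter() - start
    return None, tried, time.perf_counter() - start


def guesses_per_second(verifier, guesses: int) -> float:
    """Single-core throughput of one verifier on this machine."""
    start = time.perf_counter()
    for i in range(guesses):
        verifier(f"guess{i}")
    return guesses / (time.perf_counter() - start)


def speedup() -> float:
    """How many times faster the one-hash check can be attacked than PBKDF2."""
    return guesses_per_second(fast_verifier, 20_000) / guesses_per_second(slow_verifier, 200)


if __name__ == "__main__":
    # Constructed wordlist; the real password is the last entry so both
    # attacks do the same amount of work before succeeding.
    wordlist = [f"password{i}" for i in range(50)] + ["hunter2"]
    for name, verifier in (("PBKDF2 (old check)", slow_verifier),
                           ("single SHA-256 (new check)", fast_verifier)):
        stored = verifier("hunter2")
        found, tried, secs = brute_force(verifier, stored, wordlist)
        print(f"{name}: recovered {found!r} after {tried} guesses in {secs:.4f}s")
    print(f"The single-hash check is roughly {speedup():.0f}x cheaper per guess here.")
```

The ratio printed at the end is whatever your CPU produces; the point is that the attacker's cost per guess, not the attacker's access, is what changed. A long random backup password is still out of reach at either speed, which is why the advice further down is to pick one.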
What happened exactly?
Here's the deal, straight from Elcomsoft:
Is Apple fixing it?
Yup! Apple told Forbes a fix is in the works:
Should I worry about this?
Be informed, don't be alarmed. It's nothing most people have to worry about.
If you are worried, use iCloud for now instead of iTunes for device backups. If you don't want to use iCloud and want to keep using iTunes, make sure you don't leave your computer where strangers can access it, and make sure you use a strong, impossible to guess account password for your computer. Pick a long, random backup password as well: the faster check only helps an attacker who can guess the password in a reasonable number of tries.
Then update as soon as Apple makes the fix available.
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.
This was no accident. It just baffles me as to why they'd let something like this intentionally slide by. I've been wary of new OS updates from Apple (especially major ones) for a while now and my wariness was warranted. Thankfully my 6S Plus is still on iOS 9.3.5 (also because iOS 10 is riddled with problems on my iPhone 6) and my iTunes is still on 184.108.40.206. And iCloud is supposed to be safer? Please, I thought iCloud backups are still unencrypted.
Apple's website claims iCloud backups are encrypted, yet they seem to have access when the government is involved. Sent from the iMore App
I figure that this is more of an iTunes-related issue than an iOS-related issue. More than likely we're going to be seeing iTunes version 12.5.2 coming soon. iTunes does the backup of the data, not iOS. iOS simply feeds iTunes the data during a backup and iTunes packages it up.
This is so unimportant to the average user. Think about it. Someone needs to gain access to your computer. Then find your backup file, which can happen in pre-iOS 10 backups too. Then, just like someone could in pre-iOS 10 backups, they could break your encryption password. Only they can do it 2,500 times faster, or 6 million password combinations a second, as opposed to what, 500 thousand a second? Either way the file is still just as equally vulnerable as before. But saying that does make news or headlines. Sent from the iMore App
I don't think they're talking about encrypted backups. Only "password protected" as in your login password.
The article is very unclear about this. Sent from the iMore App
I was reading the article on Forbes and the encrypted backup to iTunes is what was referenced. Sent from the iMore App
Ah. That's a shame. Thanks for the info.
That's the thing... nothing to really wonder about unless you share your Mac with friends, or businesses have you use your own Mac.
I think I'm not going to worry about this. Someone with the skills to do it needs to have my computer, logged in. Unlikely. Sent from the iMore App
Not really something to be concerned with unless I have others using my Mac, which I don't. You could argue why did Apple do this, or not take notice, and yeah, you're right, they should have. Being in the same kind of 'strict' security scenario, the 'keys to the kingdom' for me are on my *only* USB drives (including backups); I never keep copies of them elsewhere. BUT by the same token, if you do that you also step up your game as well, which is why I keep all of them on me at all times as my #1 priority. And if I stuff up, I only have myself to blame, so I take full responsibility for that and learn from it next time *with brand new 60 character gibberish secure passwords obviously*. Seems Apple 'slipped the disc' with this one. While it may be easier to brute force... it's still pretty strong... I mean how much quicker would it be compared to SHA256? Don't all secure websites online use this?
Impressive response time by Apple, but unusual for them to make such a poor decision in the first place. It's been a busy month for them so let's cut them some slack, yes? Posted via the iMore App