Upgrading to iOS 10 may have made your backups a lot faster to crack

Password cracking a local iTunes backup is now 2,500 faster than with iOS 9.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Upgrading to iOS 10 may have made your backups a lot faster to crack

Normally upgrading the operating system on your iPhone doesn’t just bring you a few new funky features, you also get to benefit from some security enhancements and fixes too.

However, with iOS 10 it seems things might have taken something of a backward step – in at least the case of the security of any local iTunes backups you might be making.

That’s according to Russian firm ElcomSoft which makes software to help users gain access to password-protected data:

Sign up to our free newsletter.
Security news, advice, and tips.

When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.

This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the ‘new’ password verification method exists in parallel with the ‘old’ method, which continues to work with the same slow speeds as before.

Upgrading to iOS 10 may have made your backups a lot faster to crack

2500 times faster? My guess is that is not the kind of speed boost you were hoping to get when you upgraded to iOS 10.

The silver lining on the cloud is that ElcomSoft’s discovery affects the local iTunes backups you might make of your iPhone or iPad. That means that any hacker wanting to exploit the weakness would have to target the computer you have made the backup onto, rather than something more chilling like trying to access the phone itself remotely.

Nonetheless, considering that Apple has been making such an impressive stand recently on security, fighting attempts to force it to weaken the security of its mobile devices, it’s disappointing to see this apparent backward step.

Hat-tip: Thanks to password guru Per Thorsheim for bringing the research to my attention.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Upgrading to iOS 10 may have made your backups a lot faster to crack”

  1. Bob

    This is not good news and I'd like to know what the hell Apple are playing at.

    Obviously Full Disk Encryption on your computer will make the iTunes backup inaccessible when your system is locked.

    Also a secure backup password will make the cracking more difficult but both these measures are beside the point.

    I'd like to hear what Apple have to say about this.

    1. Bob · in reply to Bob

      iOS 10.0.2 has now been released although there's no mention of security patches in the update.

  2. graphicequaliser

    I've had nothing but trouble from the latest iOS 10. It forgot all my email settings then wiped out all new email contacts after redressing the email account settings so that they worked. After waiting 12 hours, the emails were working properly again. Apple are in decay since the loss of Jobs. The genius at the helm disappears and the product goes downhill, just like Microsoft after Gates left, and Borland Delphi after Heljsberg was poached.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.