I haven't backed up my iPhone in years, possibly ever. Each time I get a new phone, I set it up from scratch, each time only installing the apps I actually use (culling dozens in the process), and avoiding the problems people have had with potentially corrupted backups causing crashes.

Until now - when installing iOS 10 didn't fix the random shutdowns that started plaguing my 6s with iOS 9.3, and the recommended fix is a backup and reinstall. :mad:

Maybe I should just wipe it and start again from scratch...
 
No, they only changed the backup encryption algorithm. That's what the security firm says.

They have the iTunes source code? No? Then they can't say anything about what did or didn't change in the last version of iTunes. Many new things were added including interface tweaks. For all we know adding support for the AirPods on a Mac was included in that build of iTunes and required that basic encryption or something. iTunes is a huge application.

Only Apple knows what changed definitively. Using binary decompilation is only going to give us a very zoomed out view of what was changed.
 
They have the iTunes source code? No? Then they can't say anything about what did or didn't change in the last version of iTunes. Many new things were added including interface tweaks.
This bug is in iOS, not in iTunes. When you make an encrypted backup, the encryption happens on the iOS device (iTunes only retrieves the encrypted data via USB and stores it on disk).

This is not a conspiracy, but simply a bug (a pretty big one though). It can be something as simple as a misplaced curly brace in an if-statement. It should have been caught in QA though.
 
Well I use iCloud for backups so I don't have anything to worry about.
iCloud backups are actually much less secure than an encrypted iTunes backup with a strong password. The data in an iCloud backup can be subpoenaed by government agencies, or retrieved by anyone who gets a hold of your iCloud password using forensic tools such as the ones from Elcomsoft. I strongly recommend using 2-factor authentication to make at least the latter more difficult.
 
My phone has been buggy since I installed iOS 10. It crashes and I can't search for apps without getting some kind of reset to the home screen.

Looks like Quality Assurance at Apple did a lousy job again. At least the phone is not slower this time around.
 
"As Apple points out, this security oversight is limited to backups created on a Mac or PC and does not affect the security of iCloud backups."

With only 5GB of iCloud storage, I'd wager this is more impactful as most people back up to iTunes.

You're right, also some disable some stuff to not exceed that ridiculous 5GB.
 
This bug is in iOS, not in iTunes. When you make an encrypted backup, the encryption happens on the iOS device (iTunes only retrieves the encrypted data via USB and stores it on disk).

Are you sure about that? One enters the password into iTunes, so although it is possible for it to be transmitted to the iPhone to be used for encryption, the more likely scenario is that iTunes itself performs the encryption.

This is not a conspiracy, but simply a bug (a pretty big one though). It can be something as simple as a misplaced curly brace in an if-statement. It should have been caught in QA though.

You're not a programmer, are you? ;-) Changing the encryption algorithm used would, at the very least, require changing the name of the function called (and this assumes that the function's parameters are identical in type and order). This isn't a situation where misplaced {}s would have an effect.
 
You don't live on the same planet as me.

Check the corporate world. We back up to local iTunes copies so that we can encrypt it and restore with all our apps intact. iCloud backups restore only apps that are iCloud enabled.

P.S. Come visit my planet, at least there's intelligent life here ;-)
 
I love the creativity when it comes to being an apologist. Kudos to you for steering people away from the actual point of the article! You're good!
Isn't the actual point of the article that the brute force method runs faster on iOS 10, not that it's less secure than previous versions? They didn't give any examples of successful cracking times of the various versions, is it 2 minutes vs 20 etc.
 
But this is NOT physical access to the iPhone. They are talking about decrypting the BACKUP data. This data is typically on a hard drive on a PC or Mac or maybe in Apple's iCloud.

It does require physical access to the Mac or PC. Which in most cases is harder to get than access to the iPhone itself. This doesn't pertain to iCloud backups at all. It's for local backups to iTunes only. Default behavior is to only back up to iCloud. A user has to manually create a local backup to iTunes. For the majority of users this is not an issue at all.
Still a puzzling change.
 
iCloud backups are actually much less secure than an encrypted iTunes backup with a strong password. The data in an iCloud backup can be subpoenaed by government agencies, or retrieved by anyone who gets a hold of your iCloud password using forensic tools such as the ones from Elcomsoft. I strongly recommend using 2-factor authentication to make at least the latter more difficult.
Or don't do anything stupid that gets you under investigation by any government agency around the world. Vast majority of people aren't interesting enough to be on a radar and that bothers quite a few of them.
 
I think the goal was probably to speed up backups as they grow ever larger. The person making the change probably didn't realize the potential negative impact at the time the decision was made.

Maybe, although encrypted backups only seem to take marginally longer than unencrypted backups.
 
When people talk about iPhones and iTunes everyone says they hate/refuse to use iTunes because it's so horrible.

When a potential security risk is found in iTunes suddenly it's a big deal that affects a lot of people because they're all suddenly using iTunes?

The hypocrisy is strong in this thread.
 