
Report: iOS 10 Backups Easy to Hack

A Russian company that sells password-cracking software for iPhones says password-protected iTunes backups made by iOS 10 devices can be attacked far faster than those from earlier iOS versions.

By Tom Brant, Managing Editor


Apple's iOS 10 protects local, password-protected backups more weakly than earlier versions did, which could make it much easier to break into such a backup, according to a Russian company that sells software for breaking into iPhones.

The weakness lies in local backups of devices running iOS 10, Apple's latest mobile operating system, saved to a Mac or PC through iTunes. Those backups, unlike ones saved to an iCloud account, can be attacked without certain security checks, according to Oleg Afonin of Russian software company Elcomsoft.

Afonin did not say which security checks are missing when a local backup stored by iTunes is examined, but he said their absence lets password-guessing software work more than 40 times faster against iOS 10 backups than against those produced by earlier versions.

"This new vector of attack is specific to password-protected local backups produced by iOS 10 devices," Afonin wrote in a blog post. "The attack itself is only available for iOS 10 backups. Interestingly, the 'new' password verification method exists in parallel with the 'old' method, which continues to work with the same slow speeds as before."

Apple devices have notoriously strong encryption, so strong that the FBI initially claimed it needed Apple's help to break into the iPhone of a suspected terrorist earlier this year. Guessing the password does not break that encryption; it recovers the key the password protects, and it remains one of the few ways to get at backup data. How fast an attacker can guess depends on how expensive each password check is, which is exactly what Elcomsoft says changed in iOS 10.

"Logical acquisition (via password-protected iTunes backups) is currently the only way to extract and decrypt keychain data out of an iOS 10 device," Afonin wrote. An iCloud backup is gated by the Apple ID login, including two-factor authentication where the user has enabled it, and Apple can limit how often that login is tried. A local backup is just a set of files on the Mac or PC: anyone who obtains those files can run password guesses offline with no account lock-out, limited only by how much work each guess costs, which is why a cheaper password check translates directly into faster cracking.

How much faster? The firm says its software guesses iOS 9 backup passwords at about 150,000 per second with GPU acceleration, but iOS 10 backup passwords at 6,000,000 per second using only the CPU, a 40-fold gap even though the iOS 10 figure was measured without GPU acceleration.
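To make the mechanism concrete, the following Python script is an added example and is not code from the article or from Elcomsoft. The article does not disclose how iOS 9 or iOS 10 actually verify a backup password, so the two verifiers here are hypothetical stand-ins (an iterated PBKDF2 check and a single SHA-256 check), the salt, iteration count and wordlist are constructed, and the only real figures used are the two guessing rates quoted above. It runs a small offline dictionary attack against both verifiers, measures how many guesses per second each one allows on one CPU core, and converts the article's rates into worst-case times to exhaust an eight-character alphanumeric keyspace.

```python
"""Why the cost of one password check sets the cracking rate.

Added illustration, not the article's or Elcomsoft's code. The two
verifiers are hypothetical, not Apple's real backup-password scheme.
"""
import hashlib
import hmac
import time

SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, fixed for repeatability
SLOW_ITERATIONS = 10_000  # assumed iteration count for the slow verifier

# Constructed wordlist; a real attack uses dictionaries of millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "iloveyou"]


def slow_tag(password: str) -> bytes:
    """Slow verifier: PBKDF2-HMAC-SHA256, thousands of hash rounds per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, SLOW_ITERATIONS, dklen=32)


def fast_tag(password: str) -> bytes:
    """Fast verifier: a single SHA-256 over salt and password per guess."""
    return hashlib.sha256(SALT + password.encode()).digest()


def verify(tag_fn, stored: bytes, candidate: str) -> bool:
    """Check one candidate the way a backup reader would, in constant time."""
    return hmac.compare_digest(tag_fn(candidate), stored)


def crack(tag_fn, stored: bytes, wordlist) -> tuple:
    """Offline dictionary attack. Returns (password or None, guesses made)."""
    for count, candidate in enumerate(wordlist, start=1):
        if verify(tag_fn, stored, candidate):
            return candidate, count
    return None, len(wordlist)


def guesses_per_second(tag_fn, samples: int = 100) -> float:
    """Measure how many checks this verifier allows per second on one core."""
    start = time.perf_counter()
    for i in range(samples):
        tag_fn(f"candidate{i}")
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every password in a keyspace at a given rate."""
    return keyspace / rate


if __name__ == "__main__":
    print("slow verifier:", crack(slow_tag, slow_tag("hunter2"), WORDLIST))
    print("fast verifier:", crack(fast_tag, fast_tag("hunter2"), WORDLIST))
    slow_rate = guesses_per_second(slow_tag)
    fast_rate = guesses_per_second(fast_tag)
    print(f"slow: {slow_rate:,.0f} guesses/s  fast: {fast_rate:,.0f} guesses/s  "
          f"speed-up: {fast_rate / slow_rate:,.0f}x")
    # Eight lowercase alphanumerics at the two rates the article quotes.
    keyspace = 36 ** 8
    for label, rate in (("iOS 9 rate (GPU)", 150_000), ("iOS 10 rate (CPU)", 6_000_000)):
        print(f"{label}: {seconds_to_exhaust(keyspace, rate) / 86400:,.1f} days")
```

Both verifiers accept or reject the same candidates; the only difference an attacker cares about is the per-guess cost, and on a single core the single-hash check runs thousands of times faster than the iterated one. That is the whole reason a "parallel" cheaper verification path matters: the attacker simply uses the cheaper one.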

Apple acknowledged the iOS 10 backup vulnerability and said it will offer a fix in an upcoming software update.

"We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC," a spokesperson said in a statement. "We are addressing this issue in an upcoming security update. This does not affect iCloud backups. We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption."
