A security research company last week announced it had discovered a flaw in Apple’s local password-protected iTunes backups in iOS 10 that reportedly weakened password security. Apple has now acknowledged the flaw and confirmed that it is working on a fix.
An Apple spokesperson said in a statement to Forbes, “We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update.” The Cupertino-based giant again stressed that the flaw “does not affect iCloud backups.” In the meantime, Apple has recommended that users “ensure strong passwords on their Mac or PC.”
“We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption,” added the spokesperson. Unfortunately, the company has not revealed an exact timeline for the update.
The security research firm ElcomSoft claimed that the flaw lets attackers develop a new attack that bypasses certain security checks when checking the passwords that protect local backups of iOS 10 devices. “The impact of this security weakness is severe,” claimed the firm. It also said that the new security check in iOS 10 was roughly “2,500 times weaker” than the one used in iOS 9 backups.
It’s worth mentioning that the flaw cannot be exploited remotely and requires the attacker to have access to the local backups in iOS 10.