This week a security issue was found in the way iTunes secures iOS 10 device backups. Described as a “major security flaw” by Elcomsoft, this issue allows an attacker to try passwords against the backup 2500 times faster than before. For some reason Apple uses an alternative password verification method for iOS 10 backups which skips certain security checks and thus makes the encryption weaker and easier to break. The old, more secure mechanism is still in place and is used automatically for backups of any pre-iOS 10 device.
Rather than collectively freaking out, use best practices to ensure no-one can get to your data to begin with.
In my opinion, you should always encrypt your data. Every Mac on the market today can handle FileVault encryption without impacting system speed or performance. To enable it, go to System Preferences > Security & Privacy > FileVault. Turn it on and follow the steps. I recommend creating a recovery key rather than handing that control to Apple, but this is a personal choice.
Lock your screen when away
If you need to step away from your Mac, even for a minute, lock your screen. This prevents anyone from getting near your data. To do this, go to System Preferences > Security & Privacy > General and enable the “Require password — after sleep or screen saver begins” option. If you often have to rush away from your desk, set this to “immediately”. The options here are seconds, minutes or hours, but of course shorter is better. You don’t want to give anyone a window to quickly hit a key after the screen saver begins and get right to your data.
There is a counterpart to this which makes it very easy to activate the screen saver if you have to step away from your Mac. Go to System Preferences > Desktop & Screen Saver > Screen Saver and click the “Hot Corners…” button on the bottom right of the window. Set one of the corners to activate your screen saver.
Now, when you have to walk away from your Mac, throw your mouse cursor into the designated corner and the screen saver will start right away. Because the screen saver requires a password to unlock immediately, no-one will be able to get in.
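To check the FileVault and screen-lock settings described above from a terminal, here is an added audit script (not part of the original post). It assumes fdesetup(8), the classic com.apple.screensaver askForPassword/askForPasswordDelay keys and the com.apple.dock wvous-*-corner keys (value 5 = Start Screen Saver), which is how those settings were stored on the macOS releases of the iOS 10 era.

```shell
#!/bin/sh
# Audit the settings recommended in the post. Added example; assumes
# macOS with fdesetup(8) and the classic defaults keys named above
# (newer macOS releases moved the screen-lock keys, so reads may be empty).

# Classify fdesetup(8) output: prints "on" or "off".
filevault_state() {
  case "$1" in
    *"FileVault is On"*) echo on ;;
    *) echo off ;;
  esac
}

# askForPassword=1 with askForPasswordDelay=0 is the "immediately" setting.
screenlock_state() {
  ask="$1"; delay="$2"
  if [ "$ask" = "1" ] && [ "$delay" = "0" ]; then
    echo immediate
  elif [ "$ask" = "1" ]; then
    echo delayed
  else
    echo off
  fi
}

# Any hot corner set to 5 ("Start Screen Saver") counts as configured.
hot_corner_state() {
  for v in "$@"; do
    if [ "$v" = "5" ]; then echo set; return 0; fi
  done
  echo unset
}

# Gather live values; missing keys (exit status 1) are treated as 0/unset.
audit() {
  fv=$(filevault_state "$(fdesetup status 2>/dev/null)")
  ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null || echo 0)
  delay=$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null || echo 0)
  corners=$(for c in tl tr bl br; do
    defaults read com.apple.dock "wvous-$c-corner" 2>/dev/null || echo 0
  done)
  echo "FileVault:               $fv"
  echo "Password after sleep:    $(screenlock_state "$ask" "$delay")"
  echo "Screen-saver hot corner: $(hot_corner_state $corners)"
}

# Only run the live audit on macOS; the helper functions work anywhere.
if [ "$(uname)" = "Darwin" ]; then audit; fi
```

Any line that does not read on / immediate / set points at one of the settings the post walks through.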
Make good password decisions
Of course the above won’t do you much good if your password is “password”, “1234” or if it’s known by other people. Make your password unique and strong, and keep it to yourself. If you’re reading this and use a weak password, this would be a good time to change it. Go to System Preferences > Users & Groups and click on your account name in the left column. A “Change Password…” button is visible on the right; use that to set a more secure password. When it comes to the password hint, don’t set one if you can avoid it. It’s one less way for someone to figure out your password. If a hint must be set, make it cryptic enough to confuse others but still make sense to you.
Even if you use iTunes to back up your iOS devices without a password, the above practices should ensure no-one will ever get to that backup anyway (of course your backup drive must be encrypted as well; otherwise an attacker can just grab your backup from there). Because unencrypted backups are a potential weak link, I do recommend encrypting your iOS device backups. If you’re not doing this already, connect your device to your Mac and open iTunes. Go to your device summary and check the “Encrypt — backup” check box, then set a strong password.
These are best practices, with or without the mentioned “major security flaw”, that will keep all of your local data safe, not just your iOS device backups. If this issue still freaks you out a little, worry not: Apple is aware of it and, as it told Forbes, will issue a fix.
“We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups,” an Apple spokesperson said. “We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.”