At first, I thought had discovered a major flaw in the way that iOS allows iTunes to back up the data of an iPhone, iPad, or iPod touch. The Russian security firm creates software designed to test the quality of passwords for many different software packages and systems by trying to crack them; it also markets its software for forensic use.
Elcomsoft offers software ($79 or $199, depending on features) to crack the password for an iTunes backup of an iOS device. Version 1.2 adds the capability to view the contents of an iOS device's keychain if a password is cracked. The iOS keychain, much like (or perhaps identical to) the one in Mac OS X, stores network, email, and other system passwords, as well as passwords from third-party apps that took Apple's advice to use the keychain.
Andrey Belenko of Elcomsoft. Prior to iOS 4, iOS devices with a hardware encryption key always used that key to encrypt the keychain. So far, it has been impossible to recover the hardware encryption key from a device, and the key is strong enough to resist cracking. (Hardware encryption is found in all iOS devices released from 2009 on: all iPads, the iPhone 3GS and iPhone 4, and third-generation iPod touch models.)
The hardware key continues to be used in iOS 4 backups in iTunes, with an important exception. If you enable Encrypt iPhone Backup (or whatever iOS device is plugged in), iOS 4 switches from using the hardware key to a key derived from the password you enter for your backup.
The reason, Belenko explains, is that iOS 4 then allows the transfer of the keychain to a device being restored from a backup. If your iPhone is lost, stolen, or destroyed, or if you upgrade from one iPhone to another, you can restore your last backup onto your new iPhone. Before iOS 4, the passwords weren't passed along. (Elcomsoft offers explaining this even further.)
It's a strange notion, that encrypting your backup might actually make your data less secure. But it's not really a security hole, nor does Elcomsoft see it that way.
In order to extract passwords from your iPhone keychain, a ne'er-do-well has to gain access to your computer in some fashion, physically or through a remote exploit. With that kind of access, a keystroke sniffer could be installed, and then all the keys to the kingdom would be available.
Further, if you've picked a good, strong password, the Elcomsoft breaker won't help. It's a brute-force method, and the company doesn't oversell the difficulty of recovering a password. Its FAQ has this amusing dialog:
(end of one question): ...Only relatively short and simple passwords can be recovered in a reasonable time.
Q: What do you mean by "time consuming" and "reasonable time"?
A: A lifetime? Seriously, with protection as good as that, it may take centuries to recover a long password.
And Elcomsoft goes on to note, "The iPhone backup encryption is good enough. Well, it is near perfect by our standards. That's to say, it's really secure."
Apparently, Apple was able to add flexibility without compromising security so long as you take care to create a reasonably long and strong password. Apple's one mistake? Not including the Password Assistant that's used in the Keychain Access program and a few other places in Mac OS X to assist you in creating the best password for your iOS backups.
(Thanks to TidBITS security editor Rich Mogull for his input on this article.)