Apple’s recent iOS 10 update has inadvertently weakened the security of encrypted local iTunes backups. The change is the result of the new “alternative password verification mechanism,” says a Russian forensics company.
With iOS 10, it’s possible to brute-force a backup password 40 times faster using CPU acceleration when compared with GPU-powered cracking of iOS 9, Elcomsoft explained in a blog post quoted by Forbes. Applying the same Intel Core i5 CPU in both cases, iOS 10 is 2,500 times faster to break.
Elcomsoft’s Oleg Afonin says the new mechanism “skips certain security checks,” making it easier to crack. Password security expert Per Thorsheim notes the alternate mechanism uses the SHA256 algorithm, which a password attempt passes through just once. iOS 4 through iOS 9 use PBKDF2, and run passwords through it 10,000 times. While the older mechanism is actually still present in iOS 10, a bad actor attempting to hack a backup can simply choose the weaker option.
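To show why one SHA-256 pass is so much cheaper to check than 10,000 PBKDF2 rounds, here is an added Python example; it is not Apple’s or Elcomsoft’s code and does not model the real iTunes backup format. It measures how much more work a single password check costs under the stronger scheme. The salt, the sample password and the choice of HMAC-SHA256 inside PBKDF2 are assumptions (the article names only PBKDF2 and the iteration count).

```python
import hashlib
import hmac
import os
import time

# Constructed values for illustration only: not the real iTunes backup format.
SALT = os.urandom(16)
ITERATIONS = 10_000      # iteration count the article cites for iOS 4 through iOS 9


def weak_verifier(password: str) -> bytes:
    """Model of the iOS 10 alternative check: one SHA-256 pass per candidate."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def strong_verifier(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Model of the older check: PBKDF2 with 10,000 rounds.
    HMAC-SHA256 as the PRF is an assumption; the article only says PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def check(candidate: str, stored: bytes, verifier) -> bool:
    """Compare a candidate's derived value with the stored one in constant time."""
    return hmac.compare_digest(verifier(candidate), stored)


def seconds_per_check(verifier, password: str, rounds: int) -> float:
    """Average wall-clock cost of one verification under the given scheme."""
    start = time.perf_counter()
    for _ in range(rounds):
        verifier(password)
    return (time.perf_counter() - start) / rounds


def cost_ratio(rounds: int = 200) -> float:
    """How many times more expensive one PBKDF2 check is than one SHA-256 check.
    The weak scheme is timed over 100x more calls because each one is so short."""
    pw = "correct horse battery staple"   # constructed sample password
    weak = seconds_per_check(weak_verifier, pw, rounds * 100)
    strong = seconds_per_check(strong_verifier, pw, rounds)
    return strong / weak


if __name__ == "__main__":
    print(f"one PBKDF2 check costs about {cost_ratio():,.0f} single-SHA-256 checks")
```

The ratio varies by machine, but the iteration count is what drives it: every candidate an attacker tries has to pay the full 10,000 rounds under the older scheme and only one hash under the new one.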
Apple told Forbes that it is aware of the problem, and will address it in “an upcoming security update.” iCloud backups are allegedly secure.
Until the fix is in place, Apple recommends that users protect their computers with strong passwords.
“We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups,” an Apple spokesperson said. “We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.”