Apple acknowledges iOS 10 security flaw that reduces security for iTunes-based backups

Date: Monday, September 26th, 2016, 05:50
Category: Hack, iOS, News, security, Software


Well, this is why they invented bug fixes and updates.

A new discovery by iOS and security forensics company Elcomsoft has revealed that encrypted iOS backups saved via iTunes are now much easier to crack under iOS 10 than they have been in recent years. The change in security is apparently due to a new password verification method in iOS 10.

The discovery focuses on the backup method, which in iOS 10 apparently “skips certain security checks” that were present in past versions of iOS. This allows passwords to be attempted significantly faster than before. The new backup method works alongside the old backup method, meaning that for pre-iOS 10 backups, the old method is used.

Elcomsoft offered the following comment regarding the discovery:

When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.

The attack centers around password-protected local backups produced by iOS 10 devices.

In short, this means it’s much easier for someone to potentially gain access to an iOS backup that might be otherwise restricted to them. Thanks to the iOS 10 change, Elcomsoft’s tool is able to try 6 million password guesses per second and has an 80 percent to 90 percent chance of getting the correct password.

Apple has acknowledged the security hole and says it’s working on a fix. The company, in turn, said the issue doesn’t affect iCloud backups and recommends that users protect their backups with strong passwords:

“We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups,” an Apple spokesperson said. “We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.”

It’s unclear when a fix will be offered, although it’s thought that it will be part of the iOS 10.1 update, which recently went into beta testing.

Stay tuned for additional details as they become available.

Via 9to5Mac and Forbes
