Apple announced iOS 10 at WWDC, its annual developer conference, alongside macOS Sierra, tvOS 10 and watchOS 3. The mobile OS was then released for developer and public beta testing. After announcing the iPhone 7 and iPhone 7 Plus, Apple made iOS 10 available for all compatible devices.
It has not been long, and a report is now coming in of a security flaw in iOS 10. Russian forensic firm Elcomsoft has found a flaw in the security mechanism iOS 10 uses to store the password for backups. Elcomsoft is a known name for creating tools to break into iPhones, and the discovery was made while updating Elcomsoft Phone Breaker for iOS 10.
The flaw allows an attacker to brute-force the password for local backups saved on a Mac or PC. Because of the issue, the software can guess passwords on the CPU alone 40 times faster than the GPU-powered cracking done on iOS 9 backups. Using a single Intel i5 CPU against an iOS 10 backup, the software was able to guess 6 million passwords per second, 2500 times faster than the old mechanism used on iOS 9 and older. In a blog post, the firm explains what the issue is all about:
When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.
This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the ‘new’ password verification method exists in parallel with the ‘old’ method, which continues to work with the same slow speeds as before.
By exploiting the new password verification mechanism, we were able to support it in our latest update, Elcomsoft Phone Breaker 6.10. Since this is all too new, there is no GPU acceleration support for the new attack. However, even without GPU acceleration the new method works 40 times faster compared to the old method *with* GPU acceleration.
The firm notes, however, that the flaw affects only iOS 10 backups saved on local computers. Getting into an iPhone is still tough, and accessing an iCloud backup requires the Apple ID and password. The firm also mentions that there is a way to force an iPhone or iPad to create an offline backup: creating a local backup is easy if the iPhone is unlocked, and even if the phone is locked, a local backup can be created by extracting the pairing record from a trusted computer.
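To put the quoted guessing rates in perspective when choosing a backup password, the following added example (not code from Elcomsoft or the original article) computes the worst-case time to exhaust a password space at each rate, and the minimum length that holds out for a year. It assumes uniformly random passwords; the 2,400 and 150,000 guesses-per-second figures are derived from the article's 2500x and 40x ratios, and the alphabet names are illustrative.

```python
# Rates derived from the figures quoted in the article.
NEW_CPU_RATE = 6_000_000             # iOS 10 check, single Intel i5 (guesses/s)
OLD_CPU_RATE = NEW_CPU_RATE / 2500   # iOS 9 check on CPU: 2,400 guesses/s
OLD_GPU_RATE = NEW_CPU_RATE / 40     # iOS 9 check with GPU: 150,000 guesses/s

YEAR = 365 * 24 * 3600               # seconds in a (non-leap) year

# Constructed alphabet sizes for illustration (assumption, not from the article).
ALPHABETS = {"digits": 10, "lower": 26, "lower+digits": 36, "printable": 95}


def worst_case_seconds(alphabet_size, length, rate):
    """Seconds needed to try every password of exactly `length` characters."""
    return alphabet_size ** length / rate


def min_length(alphabet_size, rate, target_seconds):
    """Smallest length whose full keyspace takes at least `target_seconds`."""
    length = 1
    while worst_case_seconds(alphabet_size, length, rate) < target_seconds:
        length += 1
    return length


def policy_table(target_seconds=YEAR):
    """Minimum random-password length per alphabet, for each guessing rate."""
    rates = {"iOS 9 CPU": OLD_CPU_RATE, "iOS 9 GPU": OLD_GPU_RATE,
             "iOS 10 CPU": NEW_CPU_RATE}
    return {
        name: {label: min_length(size, rate, target_seconds)
               for label, rate in rates.items()}
        for name, size in ALPHABETS.items()
    }


if __name__ == "__main__":
    # A 6-character lower+digits password: days at the old rate, minutes at the new.
    for label, rate in (("iOS 9 CPU", OLD_CPU_RATE), ("iOS 10 CPU", NEW_CPU_RATE)):
        secs = worst_case_seconds(36, 6, rate)
        print(f"{label}: {secs:,.0f} s ({secs / 86400:.2f} days)")
    for name, row in policy_table().items():
        print(f"{name:13s} min length for 1 year: {row}")
```

Human-chosen passwords fall far sooner than these worst-case figures suggest, because dictionary and pattern guesses cover them long before the full keyspace is exhausted.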
Apple has issued a statement to Forbes acknowledging the issue and says the company is working to fix it. An Apple spokesperson said:
We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups. We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.