Security forensics company Elcomsoft revealed last week that encrypted iOS backups created in iTunes have been made far less secure with the recent release of iOS 10. While an unintentional flaw, the new password protected backups offer an “alternative password verification mechanism” that allows them to fall victim to brute force hacks much more quickly and easily than with previous iOS versions. Fortunately Apple acknowledged the issue, and says a fix is on the way with “an upcoming security update.”
To be clear, this is an issue that only applies to local iTunes backups created on a Mac or PC; backups made to iCloud remain secure.
As Elcomsoft explains, iOS 10’s backup method “skips certain security checks,” which in turn allows passwords to be attempted “approximately 2,500 times faster” than before when using brute force. A source of the problem seems to be the use of a different algorithm, which only runs password attempt once, as opposed to running each password 10,000 times like with iOS 4 through 9.
“At this time, we have an early implementation featuring CPU-only recovery. The new security check is approximately 2,500 times weaker compared to the old one that was used in iOS 9 backups. At this time, we are getting these speeds:
iOS 9 (CPU): 2,400 passwords per second (Intel i5)
iOS 9 (GPU): 150,000 passwords per second (NVIDIA GTX 1080)
iOS 10 (CPU): 6,000,000 passwords per second (Intel i5)”
Getting access to a password protected iOS backup is a serious concern, as it’s essentially a copy of all the data from an iPhone, including contact details like phone numbers, emails, addresses, in addition to photos and even other passwords stored in Keychain.
Apple has issued a statement noting that it’s aware of the problem with local iTunes backups for iOS 10 and an upcoming security update will resolve the issue. iOS 10.1 and macOS 10.12.1 updates were recently released for developers and beta testers, so hopefully those will include the necessary fixes.