Russian security company Elcomsoft has discovered a major security flaw in iOS 10: encrypted iTunes backups made with iOS 10 allow password-cracking tools to make 6 million attempts per second, more than 40 times faster than with backups created with iOS 9.
Advertisement
Moscow-based Elcomsoft discovered the flaw, which is centered around local password-protected iTunes backups.
The discovery centers around the idea that the backup method used in iOS “skips certain security checks” that were present in past versions of iOS, thus allowing passwords to be attempted signficnatly faster than before.
Apple admitted that they are aware of the security issue of the iOS 10 update and they are working on it.
As Apple works away on a solution to its tricky encryption foible, it’s probably best that you don’t bother upgrading to iOS 10 just yet and, if you have already, don’t go performing backups just yet. Security researcher Per Thorsheim, the CEO of security firm God Praksis, said that from SHA1 with 10K iterations, Apple downgraded the algorithm to plain SHA256 with a single iteration. However, the team was able to input only 2,400 passwords per second on iOS 9. “The attack itself is only available for iOS 10 backups”, notes Elcomsoft.
Normally, local backups are protected by a user’s password. Elcomsoft says this is due to Apple implementing a weaker password verification method than the one protecting backup data in previous versions. Elcomsoft’s digital forensics specialists have been able to bypass some security checks on iOS 10. This means that a hacker could potentially gain access to your iOS backup which could contain everything from pictures and video to passwords and credit card information. Meantime, users can use strong passwords to keep their systems protected.
So expect Apple to address iOS 10’s security flaw with by releasing updates for several software including iOS, iTunes, and its Mac operating systems. “Additional security is also available with FileVault whole disk encryption”.
Advertisement
The rollout of iOS 10 hasn’t been entirely smooth, so news of a new security vulnerability won’t be met kindly by some users, but console yourself with the fact that it’s really quite unlikely to affect you before the problem has been fixed, so don’t let that be the reason you don’t update.
