iOS 10 update weakens iPhone security
A Russian forensics firm has discovered it is easy to crack manual backups via iTunes
A Russian forensics company named Elcomsoft has claimed that Apple's iOS 10 update utilises a weaker password mechanism for manual backups via iTunes.
The Russian firm began probing the security of the update, which led the company to discover that encrypted iOS backups via iTunes are much easier to crack with iOS 10 than in past years. This is supposedly due to the backup method cutting certain security checks, enabling passwords to be guessed much faster than before.
Elcomsoft found that it could crack the encryption "approximately 2500 times faster compared to the old mechanism used in iOS 9 and older." According to the company, it could process 2,400 passwords per second under iOS 9, whereas it can run 6 million passwords per second in iOS 10.
Elcomsoft said in a statement: "When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.
"This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the 'new' password verification method exists in parallel with the 'old' method, which continues to work with the same slow speeds as before."
Apple has acknowledged the flaw and issued a statement to Forbes, stating:
"We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups."
"We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption."
Apple has not stated when the fix will be available.