iOS 10 comes with more than a redesigned iMessage and widgets. Traditionally, iOS grows more secure with every release. That doesn’t appear to be the case with iOS 10; if anything, the opposite is true. iOS 10 ships with a serious design defect that makes it vastly easier to crack password-protected backups.
Moscow-based Elcomsoft discovered the flaw, which is centered around local password-protected iTunes backups. On iOS 10, these now have a weak secondary security mechanism which “skips certain security checks”. This makes it possible to launch a brute-force attack (guessing passwords character by character, or running through a dictionary with a huge number of potential phrases to get to the one that sticks) up to 2,500 times faster than on iOS 9.
Another security researcher, Per Thorsheim, explained that Apple has downgraded the hashing algorithm for iOS 10 from SHA1 with 10K iterations to plain SHA256 with a single iteration, which potentially allows for brute-forcing the password via a common desktop computer processor.
Using an Intel Core i5 CPU, Elcomsoft managed to achieve a cracking rate of 6 million passwords per second. With the weaker security in place, brute-force attacks are up to 40 times faster than GPU-assisted attacks on iOS 9 backups.
It’s worth emphasizing that this exploit can’t be used remotely. The attacker needs to have access to your local backup, which contains everything from media files to HealthKit and HomeKit data, and more.
Elcomsoft is well known for its password- and DRM-defeating software. The Moscow-based firm has been around since 1990, and has defeated security measures from the likes of Adobe and Microsoft, often landing its researchers in legal hot water in the process.
This separate security mechanism is specific to iOS 10; it doesn’t affect earlier versions. It also exists in parallel with the earlier, more secure system. Apple has not addressed the report yet.
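An added example, not from the original article or from Elcomsoft or Apple: it measures the per-guess cost of the two schemes Thorsheim describes and converts a guess rate into the time needed to exhaust a password space. It assumes the iterated scheme is PBKDF2-HMAC-SHA1 and that the single pass hashes the salt followed by the password; the salt, password and function names are constructed for illustration.

```python
import hashlib
import time

# Constructed sample values; not taken from any real backup.
SALT = bytes(range(16))
PASSWORD = b"correct horse"

def derive_iterated(password: bytes, salt: bytes = SALT) -> bytes:
    """SHA1 with 10K iterations, modelled here as PBKDF2-HMAC-SHA1 (assumption)."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, 10_000)

def derive_single(password: bytes, salt: bytes = SALT) -> bytes:
    """Plain SHA256, single iteration; salt-then-password layout is an assumption."""
    return hashlib.sha256(salt + password).digest()

def seconds_per_guess(derive, rounds: int) -> float:
    """Average wall-clock cost of checking one candidate password."""
    start = time.perf_counter()
    for i in range(rounds):
        derive(b"guess%d" % i)
    return (time.perf_counter() - start) / rounds

def cost_ratio() -> float:
    """How many times more work one guess costs under the iterated scheme."""
    slow = seconds_per_guess(derive_iterated, 20)
    fast = seconds_per_guess(derive_single, 20_000)
    return slow / fast

def days_to_exhaust(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Days to try every password of exactly `length` symbols at a given rate."""
    return alphabet ** length / guesses_per_second / 86_400

if __name__ == "__main__":
    print(f"measured per-guess cost ratio on this machine: {cost_ratio():,.0f}x")
    fast_rate = 6_000_000          # passwords per second quoted in the article
    slow_rate = fast_rate / 2_500  # applying the article's 'up to 2,500 times' figure
    for label, rate in (("single SHA256 ", fast_rate), ("2,500x slower ", slow_rate)):
        days = days_to_exhaust(26, 8, rate)
        print(f"{label}: 8 lowercase letters exhausted in {days:,.1f} days")
```

The measured ratio depends on the machine and on Python overhead, so treat it as an order-of-magnitude illustration of why a single fast hash protects a password far less than an iterated derivation.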