Apple to send security update to strengthen iOS 10's weak backup encryption

It turns out that the local encrypted backups on iOS 10, the ones created in iTunes, are not as secure as they should be. According to researchers at Moscow-based software developer Elcomsoft, iOS 10 uses an older password protection algorithm. The Russian firm was working on an iOS 10 update to its password-cracking PhoneBreaker software when it discovered that Apple uses a different password verification system for iOS 10 that skips certain security checks. That allows an attacker to try passwords 2,500 times faster than on the old system used in iOS 9, so a brute-force attack is much more likely to succeed against iOS 10 backups.

At risk are users' passwords and some data, such as the figures recorded by the Health app. Apple is aware of the situation and plans to release a software update that will strengthen the security of iOS 10 backups.

Elcomsoft's PhoneBreaker can attempt 6 million passwords per second against iOS 10 backups (CPU only), compared to the 2,400 passwords per second that the encryption and security measures limited it to on iOS 9. Keep in mind that none of this affects backups created in iCloud.

The PBKDF2 password protection algorithm on iOS 10 is older, as we pointed out at the beginning of this article. The algorithm employed in iOS 9 is called SHA256. According to Elcomsoft, the same 10,000 passwords are used for 30% of accounts. That allows PhoneBreaker to brute-force a user's backup password and obtain data in 80% to 90% of attempts, a figure based on running the software for two days against the weaker PBKDF2 algorithm.
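The reason the guess rate matters is that a password verifier's work factor (for PBKDF2, its iteration count) caps how many candidates per second a single core can test. The example below is added here and is not code from the article, Apple or Elcomsoft; the iteration counts and the small wordlist are constructed for illustration and are not Apple's actual backup parameters.

```python
import hashlib
import hmac
import time

# Constructed iteration counts for illustration only (not Apple's real values):
# a verifier with almost no work factor versus one that makes each guess costly.
WEAK_ITERATIONS = 1
STRONG_ITERATIONS = 100_000


def make_verifier(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte password verifier with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def check_password(candidate: str, salt: bytes, iterations: int, verifier: bytes) -> bool:
    """Re-derive the verifier for a candidate and compare in constant time."""
    return hmac.compare_digest(make_verifier(candidate, salt, iterations), verifier)


def guesses_per_second(salt: bytes, iterations: int, verifier: bytes, wordlist: list) -> float:
    """Measure how many candidates per second one core can check against this verifier."""
    start = time.perf_counter()
    for word in wordlist:
        check_password(word, salt, iterations, verifier)
    elapsed = max(time.perf_counter() - start, 1e-9)  # guard against a zero reading
    return len(wordlist) / elapsed


def seconds_to_exhaust(wordlist_size: int, rate: float) -> float:
    """Time needed to try every entry of a wordlist at a given guess rate."""
    return wordlist_size / rate


if __name__ == "__main__":
    salt = b"constructed-salt"                       # constructed sample salt
    wordlist = [f"password{i}" for i in range(200)]   # constructed sample wordlist
    secret = "not-in-the-list"
    for label, iters in (("weak", WEAK_ITERATIONS), ("strong", STRONG_ITERATIONS)):
        verifier = make_verifier(secret, salt, iters)
        rate = guesses_per_second(salt, iters, verifier, wordlist[:20])
        print(f"{label:6} verifier ({iters:>6} iterations): {rate:,.0f} guesses/s per core")
    # The article's figures: 10,000 common passwords at iOS 9 vs iOS 10 rates.
    for rate in (2_400, 6_000_000):
        print(f"10,000 common passwords at {rate:,}/s: {seconds_to_exhaust(10_000, rate):.4f} s")
```

Raising the iteration count by a factor of N slows every legitimate unlock by N but also divides an attacker's guess rate by N, which is exactly the margin the article describes being lost.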

Apple suggests that those who have iOS backup data stored on their Mac use Apple's FileVault disk encryption to add another layer of protection.

source: Elcomsoft via Fortune
