Apple to send security update to strengthen iOS 10's weak backup encryption
At risk here are users' passwords, along with some data such as the figures created by the Health app. Apple is aware of the situation and plans to release a software update that strengthens the security of iOS 10 backups.
Elcomsoft's PhoneBreaker can attempt 6 million passwords per second against iOS 10 backups (CPU-only), compared with the 2,400 passwords per second that iOS 9's backup encryption and security measures limited PhoneBreaker users to. Keep in mind that none of this affects backups created in iCloud.
The PBKDF2 password-protection algorithm on iOS 10 is older, as we pointed out at the beginning of this article. The algorithm employed in iOS 9 is called SHA256. According to Elcomsoft, the same 10,000 passwords are used for 30% of accounts. That allows PhoneBreaker to brute-force a user's backup password and obtain the data in 80% to 90% of attempts. That high percentage is based on the software running for two days against the weaker PBKDF2 algorithm.
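To make the two figures above concrete (6 million guesses per second versus 2,400, and a 10,000-entry list covering 30% of accounts), the following added example, which is not code from the article, Elcomsoft or Apple, compares a single hash pass with PBKDF2-HMAC-SHA256 at a 10,000-iteration work factor and converts the article's guess rates into time to exhaust a list of that size. The salt and password are constructed sample values; the rates are the article's numbers, and the per-guess timings depend on the machine the script runs on.

```python
import hashlib
import time

# Constructed sample values for this illustration (not taken from any real backup).
SAMPLE_SALT = b"constructed-sample-salt!"
SAMPLE_PASSWORD = b"correct horse battery staple"

# Guess rates quoted in the article for Elcomsoft PhoneBreaker (per second).
IOS10_GUESSES_PER_SEC = 6_000_000
IOS9_GUESSES_PER_SEC = 2_400
# Size of the common-password list the article says covers 30% of accounts.
COMMON_LIST_SIZE = 10_000


def derive_single_sha256(password: bytes, salt: bytes) -> bytes:
    """Weak scheme: one SHA-256 pass over salt||password.

    Each guess costs the verifier one hash, so it costs a guesser one hash too.
    """
    return hashlib.sha256(salt + password).digest()


def derive_pbkdf2(password: bytes, salt: bytes, iterations: int = 10_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with an explicit work factor.

    Every guess has to pay for `iterations` HMAC computations, which is what
    keeps an offline guessing rate low.
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def seconds_per_guess(fn, password: bytes, salt: bytes, rounds: int = 100) -> float:
    """Average wall-clock seconds for one derivation, measured over `rounds` calls."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(password, salt)
    return (time.perf_counter() - start) / rounds


def measured_cost_ratio(iterations: int = 10_000) -> float:
    """How many times slower one PBKDF2 guess is than one single-hash guess on this machine."""
    weak = seconds_per_guess(derive_single_sha256, SAMPLE_PASSWORD, SAMPLE_SALT)
    strong = seconds_per_guess(
        lambda p, s: derive_pbkdf2(p, s, iterations), SAMPLE_PASSWORD, SAMPLE_SALT
    )
    return strong / weak


def seconds_to_exhaust(list_size: int, guesses_per_second: float) -> float:
    """Time needed to try every entry of a list at a given guess rate."""
    return list_size / guesses_per_second


def speedup(fast_rate: float, slow_rate: float) -> float:
    """Factor by which one guess rate exceeds another (article: iOS 10 vs iOS 9)."""
    return fast_rate / slow_rate


if __name__ == "__main__":
    ratio = measured_cost_ratio()
    print(f"PBKDF2 (10,000 iterations) costs ~{ratio:,.0f}x a single SHA-256 per guess")
    print(f"iOS 10 rate is {speedup(IOS10_GUESSES_PER_SEC, IOS9_GUESSES_PER_SEC):,.0f}x iOS 9 rate")
    for label, rate in (("iOS 10", IOS10_GUESSES_PER_SEC), ("iOS 9", IOS9_GUESSES_PER_SEC)):
        t = seconds_to_exhaust(COMMON_LIST_SIZE, rate)
        print(f"{label}: {COMMON_LIST_SIZE:,} common passwords exhausted in {t:.4f} s")
```

The defender's takeaway is the ratio, not the absolute timings: the work factor multiplies the cost of every offline guess, and a 10,000-entry list that is gone in a fraction of a second at 6 million guesses per second takes seconds at 2,400 per second, while longer, non-dictionary passphrases push the search well beyond either rate.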
Apple suggests that those who have iOS backup data stored on their Mac use Apple's FileVault disk-encryption software to add another layer of protection.
source: Elcomsoft via Fortune