iOS 10 iTunes backups less secure than iOS 9 and much easier to crack, security experts report
Traditionally, iOS grows more secure with every release. That doesn't appear to be the case with iOS 10; if anything, it's the contrary. Russian cybersecurity firm Elcomsoft reports that Apple has implemented a new password verification mechanism for iOS 10 backups, which makes brute-force password attacks (guessing passwords character by character, or running through a dictionary with a huge number of potential phrases until one matches) some 2500 times faster. Apparently, the new mechanism skips certain security checks that were in place in iOS 9.

Another security researcher, Per Thorsheim, explained that Apple has downgraded the hashing algorithm for iOS 10 from SHA1 with 10K iterations to plain SHA256 with a single iteration, which potentially allows the password to be brute-forced on a common desktop computer processor. Using an Intel Core i5 CPU, Elcomsoft reached a rate of 6 million passwords per second. With the weaker security in place, brute-force attacks are up to 40 times faster than GPU-assisted attacks on iOS 9 backups.
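To show why the iteration count matters, this added example (not from Elcomsoft, Per Thorsheim or the original article) times a 10,000-iteration verifier against a single SHA-256 pass and computes how long a random backup password must be to outlast an exhaustive search at the article's reported rates. PBKDF2-HMAC-SHA1 as the iterated scheme, the salt handling, the 62-character alphabet, the 10-year target and all function names are assumptions.

```python
import hashlib
import os
import time

# Assumption: PBKDF2-HMAC-SHA1 stands in for the article's "SHA1 with 10K
# iterations"; the article does not name the construction or the salt layout.
def stretched_verifier(password: bytes, salt: bytes, iterations: int = 10_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)

# Assumption: salt prepended to the password, hashed once with SHA-256.
def single_pass_verifier(password: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password).digest()

def checks_per_second(verifier, salt: bytes, budget: float = 0.2) -> float:
    """Measure how many password checks this machine completes per second."""
    done, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget:
        verifier(b"candidate-%d" % done, salt)
        done += 1
    return done / (time.perf_counter() - start)

def min_length(rate: float, alphabet: int, years: float) -> int:
    """Shortest random password whose full keyspace takes at least `years`
    to enumerate at `rate` checks per second."""
    guesses = rate * years * 365 * 24 * 3600
    length = 1
    while alphabet ** length < guesses:
        length += 1
    return length

if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample salt
    slow = checks_per_second(stretched_verifier, salt)
    fast = checks_per_second(single_pass_verifier, salt)
    print(f"stretched:   {slow:12.0f} checks/s")
    print(f"single pass: {fast:12.0f} checks/s ({fast / slow:.0f}x)")
    # Article figures: 6 million/s; the older rate is derived by dividing by
    # the reported 2500x speed-up (assumes both refer to the same hardware).
    for label, rate in (("single pass", 6_000_000), ("stretched", 6_000_000 / 2500)):
        print(f"{label}: {min_length(rate, 62, 10)} random [A-Za-z0-9] chars for 10 years")
```

Measured rates depend on the machine and on Python overhead; the password lengths depend only on the rates quoted in the article.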

Elcomsoft says the brute-force attack is only applicable to iOS 10 backups, which are difficult, if not impossible, to obtain for attackers unless they have direct access to the victim's mobile device, Apple account credentials, and personal computer. Apple has not addressed the report yet.

source: Elcomsoft, Per Thorsheim

6 Comments

1. maple_mak

Posts: 953; Member since: Dec 18, 2013

Oh gosh, another exploit happening. -_-|||

2. truthwins unregistered

Oh gosh hope the exploit doesn't explode.

3. maple_mak

Posts: 953; Member since: Dec 18, 2013

Oh gosh, do you want your privacy being leaked?

4. maple_mak

Posts: 953; Member since: Dec 18, 2013

hillaryiscriminal confirmed.

6. Wiencon

Posts: 2278; Member since: Aug 06, 2014

Welcome to troll's Paradise

5. Wiencon

Posts: 2278; Member since: Aug 06, 2014

? I recently downloaded dr. Fone by Wondershare for iOS and it was only a matter of choosing backup (and it was iOS9 backup) to pull out all photos, messages, contacts, etc. No need for any password so: wtf? I didn't even think backups were protected in any way
