In a blog post detailing its findings, Elcomsoft wrote, “We discovered a major security flaw in the iOS 10 backup protection mechanism. This security flaw allowed us developing a new attack that is able to bypass certain security checks when enumerating passwords protecting local (iTunes) backups made by iOS 10 devices.”
If you’re asking how serious of a problem this is, the software company says it’s “severe.” In fact, the company said, widely accessible tools achieved an 80 to 90 percent chance of successfully hacking a backup password — these are tools that can be purchased by just about anyone, not just law enforcement officials.
The problem, security expert Per Thorsheim wrote in a blog on Peerlyst, is that Apple is now using a weaker weaker hashing algorithm when it comes to iPhone data kept on PCs. As Forbes explained, “In iOS 9 and prior versions back to iOS 4, Apple used what’s known as a PBKDF2 algorithm and had the password run through it 10,000 times, so a hacker would have to run their plaintext guess through the algorithm 10,000 times too and repeat the process until a match was found. In the iOS 10 alternative version, a different algorithm known as SHA256 was used but with just one iteration.”
Apple, for its part, has admitted to this shortcoming. “We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups,” a spokesperson said. “We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.”
