Upgrading to iOS 10 may have made your backups a lot faster to crack

Password cracking a local iTunes backup is now 2,500 times faster than with iOS 9.


Normally upgrading the operating system on your iPhone doesn't just bring you a few new funky features, you also get to benefit from some security enhancements and fixes too.

However, with iOS 10 it seems things might have taken something of a backward step, at least in the case of the security of any local iTunes backups you might be making.

That's according to Russian firm ElcomSoft, which makes software to help users gain access to password-protected data:

When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.

This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the ‘new’ password verification method exists in parallel with the ‘old’ method, which continues to work with the same slow speeds as before.


2500 times faster? My guess is that is not the kind of speed boost you were hoping to get when you upgraded to iOS 10.

The silver lining on the cloud is that ElcomSoft's discovery affects only the local iTunes backups you might make of your iPhone or iPad. That means that any hacker wanting to exploit the weakness would have to target the computer you made the backup onto, rather than something more chilling, like trying to access the phone itself remotely.

Nonetheless, considering that Apple has been making such an impressive stand recently on security, fighting attempts to force it to weaken the security of its mobile devices, it's disappointing to see this apparent backward step.

Hat-tip: Thanks to password guru Per Thorsheim for bringing the research to my attention.


3 Responses

  1. Bob

    September 23, 2016 at 5:52 pm

    This is not good news and I'd like to know what the hell Apple are playing at.

    Obviously Full Disk Encryption on your computer will make the iTunes backup inaccessible when your system is locked.

    Also a secure backup password will make the cracking more difficult but both these measures are beside the point.

    I'd like to hear what Apple have to say about this.

    • Bob in reply to Bob.

      September 23, 2016 at 8:06 pm

      iOS 10.0.2 has now been released although there's no mention of security patches in the update.

  2. graphicequaliser

    September 26, 2016 at 11:36 am

    I've had nothing but trouble from the latest iOS 10. It forgot all my email settings, then wiped out all new email contacts after redressing the email account settings so that they worked. After waiting 12 hours, the emails were working properly again. Apple are in decay since the loss of Jobs. The genius at the helm disappears and the product goes downhill, just like Microsoft after Gates left, and Borland Delphi after Hejlsberg was poached.
