iTunes Backup Passwords ‘Much Easier’ to Crack in iOS 10, Apple Working on Fix
iOS 10 uses a new password verification mechanism for iTunes backups that makes them easier to crack, according to testing performed by Elcomsoft, a company that specializes in software designed to access iPhone data.
Encrypted iTunes backups created on a Mac or PC are protected by a password that can potentially be brute forced by password cracking software. The backup method in iOS 10 “skips certain security checks,” allowing Elcomsoft to try backup passwords “approximately 2500 times faster” compared to iOS 9 and earlier operating systems.
Obtaining the password for an iTunes backup provides access to all data on the phone, including that stored in Keychain, which holds all of a user’s passwords and other sensitive information.
At this time, we have an early implementation featuring CPU-only recovery. The new security check is approximately 2,500 times weaker compared to the old one that was used in iOS 9 backups. At this time, we are getting these speeds:
iOS 9 (CPU): 2,400 passwords per second (Intel i5)
iOS 9 (GPU): 150,000 passwords per second (NVIDIA GTX 1080)
iOS 10 (CPU): 6,000,000 passwords per second (Intel i5)
In specific terms, security analyst Per Thorsheim of Peerlyst says Apple has switched from using a PBKDF2 hashing algorithm with 10,000 iterations to using a SHA256 algorithm with a single iteration, allowing for a significant speed increase when brute forcing a password.
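To make the difference concrete, the added example below (not code from Elcomsoft, Peerlyst or Apple) contrasts a 10,000-iteration PBKDF2 check with a single SHA-256 pass and converts the guess rates quoted above into worst-case search times. The HMAC-SHA256 PRF, the salt-then-password layout and all function names are assumptions; the article does not describe the real backup format.

```python
import hashlib
import hmac
import os
import time

ITERATIONS_OLD = 10_000  # iteration count the article gives for iOS 9 and earlier

# Guess rates quoted in the article (passwords per second).
RATES = {"iOS 9 CPU": 2_400, "iOS 9 GPU": 150_000, "iOS 10 CPU": 6_000_000}

def verifier_pbkdf2(password: bytes, salt: bytes) -> bytes:
    # Assumption: HMAC-SHA256 as the PRF; the article only says "PBKDF2".
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS_OLD)

def verifier_single_sha256(password: bytes, salt: bytes) -> bytes:
    # Assumption: salt || password layout; one hash pass, no stretching.
    return hashlib.sha256(salt + password).digest()

def check(candidate: bytes, salt: bytes, stored: bytes, scheme) -> bool:
    # Constant-time comparison of the recomputed verifier with the stored one.
    return hmac.compare_digest(scheme(candidate, salt), stored)

def seconds_per_guess(scheme, salt: bytes, rounds: int) -> float:
    # Average wall-clock cost of computing one verifier on this machine.
    start = time.perf_counter()
    for i in range(rounds):
        scheme(b"guess%d" % i, salt)
    return (time.perf_counter() - start) / rounds

def cost_ratio() -> float:
    # How many single-pass guesses fit in the time of one stretched guess.
    salt = os.urandom(16)
    slow = seconds_per_guess(verifier_pbkdf2, salt, 20)
    fast = seconds_per_guess(verifier_single_sha256, salt, 20_000)
    return slow / fast

def worst_case_days(alphabet: int, length: int, guesses_per_second: float) -> float:
    # Time to try every password of exactly `length` symbols at the given rate.
    return alphabet ** length / guesses_per_second / 86_400

if __name__ == "__main__":
    print(f"PBKDF2 x{ITERATIONS_OLD} costs ~{cost_ratio():,.0f}x a single SHA-256 here")
    for label, rate in RATES.items():
        # Constructed sample policy: 8 characters drawn from a-z and 0-9.
        print(f"{label:>10}: {worst_case_days(36, 8, rate):10,.1f} days worst case")
```

The measured ratio varies by machine; what matters for choosing a work factor is that each guess costs the attacker the full iteration count.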
In a statement given to Forbes, Apple confirmed it is aware of the issue and is working on a fix.
“We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups,” a spokesperson said. “We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.”
As Apple points out, this security oversight is limited to backups created on a Mac or PC and does not affect the security of iCloud backups. Most users likely do not need to worry about this issue as it requires access to the Mac or PC that was used to make the backup.
Apple has updates for iOS 10 and macOS Sierra in the works, and it’s possible a fix will be included in the new versions of the software. iOS 10.1 and macOS Sierra 10.12.1 were seeded to developers and public beta testers earlier this week.
MrMobile Retro Review: Looking back at the Nokia N-Gage
In 2003, Nokia declared war on Nintendo with the N-Gage, a Game Boy Advance lookalike with a Series 60 mobile phone inside. The conflict – to put it mildly – did not go in Nokia’s favor. With a cumbersome design that required the owner to remove the battery in order to change games, the N-Gage wasn’t exactly user-friendly, and with only a handful of available titles compared to the Game Boy Advance’s 1,200, the N-Gage ecosystem hardly justified the device’s $299 asking price. Worse still: the phone’s earpiece was mounted on its spine, making for a bizarre look and feel when it came to voice calls and leading to the unfortunate nickname “Taco Phone.”
Needless to say, Nokia’s N-Gage experiment did not go well. The company launched a sequel (the N-Gage QD) in 2004 and eventually repositioned N-Gage as a gaming platform that spanned its Symbian smartphone line, but it never gained the traction Nokia sought and the brand was shuttered in 2010.
Today, the original N-Gage is a monument to the days when new form factors flooded a nascent mobile market, and a still-dominant Nokia led the charge to pack ever more functionality into the humble cell phone. Join MrMobile for the Nokia N-Gage Retro Review – and if you owned one of these (or even if you just wanted one) drop a comment below with your story!