Forensics firm says backups easier to crack in iOS 10, Apple promises fix

AppleInsider

Apple appears to have unintentionally weakened the security of local backups in iOS 10, as a result of offering an "alternative password verification mechanism," according to a Russian forensics company.

With iOS 10, it's possible to brute-force a backup password 40 times faster using CPU acceleration when compared with GPU-powered cracking of iOS 9, Elcomsoft explained in a blog post quoted by Forbes. Applying the same Intel Core i5 CPU in both cases, iOS 10 is 2,500 times faster to break.

The new mechanism "skips certain security checks," said Elcomsoft's Oleg Afonin. A password security expert cited by Forbes, Per Thorsheim, specified that the alternate mechanism uses a different algorithm -- SHA256 -- which a password attempt passes through just once. iOS 4 through iOS 9, by contrast, use PBKDF2, and run passwords through it 10,000 times.

The old mechanism is actually still present in iOS 10, but someone attempting to hack a backup can choose the weaker option.

Elcomsoft's CEO, Vladimir Katalov, suggested that the only way Apple can fix the situation is by updating both iOS and iTunes. Apple told Forbes it's aware of the problem, and planning to address it in "an upcoming security update." iCloud backups are allegedly secure.

Elcomsoft is a controversial firm, as it sells tools to anyone wanting to break into iOS devices. Its tools are believed to have been used during the "Celebgate" scandal in 2014, which resulted in many nude celebrity photos being stolen from iCloud and posted online.

Stukey

With all the attention Apple received over the past year on the issue of security and the iPhone platform, how in the heck could this get out of Apple?  One would think the first thing QA would look at is the security system of the iOS and companion software like iTunes.  I mean, really?  (Time for a seance to raise Steve.)

Soli

Stukey said:

With all the attention Apple received over the past year on the issue of security and the iPhone platform, how in the heck could this get out of Apple?  One would think the first thing QA would look at is the security system of the iOS and companion software like iTunes.  I mean, really?  (Time for a seance to raise Steve.)

It's not a really a big deal. It's an iOS backup to iTunes, so the hacker would have to 1) have physical access to their Mac or WinPC, and have access to their account. That's not to say that this shouldn't be more secure, but if you're in the account you already have access to a great deal of other personal information, most of it synced with an iDevices.

I hope everything is using full disk encryption, a complex password, unique passwords for every account, a password manager, 2FA, and a VPN whenever you're on an unsecured, public network. Your iCloud password needs to be the most secure and complex password you can possibly remember.

9secondkox2

We must be realistic. 

Apple has has lessened the anal retentive stance it had on securing and locked by down everything. 

Its sad sad but true and it started with the kernel. 

There re was no way Apple could publicly say that they were going to allow their systems to be crackable by the government, but their would also be a push-shove going on and we know who'd win that one. So Apple cited "performance improvements," etc. for no longer encrypting the kernel. Now we hear there's going to be a "fix" for inadequately secured backups. 

It it was intentional. Now they'll only have to figure Ways to keep it so that most researchers won't figure it out while still leaving an Achilles heel. 

As much as I'd like to believe otherwise, I believe this is the case. With an FBI that's willing to embarrass itself in investigations so that they can play favorites with political candidates, it's an immature environment that common sense and justice cannot win in. Therefore you have acquiescence to the bully. Sadly, that's what's happening here. 

rogifan_new

9secondkox2 said:

We must be realistic. 

Apple has has lessened the anal retentive stance it had on securing and locked by down everything. 

Its sad sad but true and it started with the kernel. 

There re was no way Apple could publicly say that they were going to allow their systems to be crackable by the government, but their would also be a push-shove going on and we know who'd win that one. So Apple cited "performance improvements," etc. for no longer encrypting the kernel. Now we hear there's going to be a "fix" for inadequately secured backups. 

It it was intentional. Now they'll only have to figure Ways to keep it so that most researchers won't figure it out while still leaving an Achilles heel. 

As much as I'd like to believe otherwise, I believe this is the case. With an FBI that's willing to embarrass itself in investigations so that they can play favorites with political candidates, it's an immature environment that common sense and justice cannot win in. Therefore you have acquiescence to the bully. Sadly, that's what's happening here. 

Soli

9secondkox2 said:

We must be realistic. 
[…]
Its sad sad but true and it started with the kernel. 

Yes, we must be realistic… but you're not. If Apple wanted the gov't to have an unencrypted kernel it could have done so without giving it to hackers. The whole point is to harden the kernel against attacks.

Rayz2016

rogifan_new said:

9secondkox2 said:

We must be realistic. 

Apple has has lessened the anal retentive stance it had on securing and locked by down everything. 

Its sad sad but true and it started with the kernel. 

There re was no way Apple could publicly say that they were going to allow their systems to be crackable by the government, but their would also be a push-shove going on and we know who'd win that one. So Apple cited "performance improvements," etc. for no longer encrypting the kernel. Now we hear there's going to be a "fix" for inadequately secured backups. 

It it was intentional. Now they'll only have to figure Ways to keep it so that most researchers won't figure it out while still leaving an Achilles heel. 

As much as I'd like to believe otherwise, I believe this is the case. With an FBI that's willing to embarrass itself in investigations so that they can play favorites with political candidates, it's an immature environment that common sense and justice cannot win in. Therefore you have acquiescence to the bully. Sadly, that's what's happening here. 

Well said. 

LegacyAppleFansByte

Stukey said:

With all the attention Apple received over the past year on the issue of security and the iPhone platform, how in the heck could this get out of Apple?  One would think the first thing QA would look at is the security system of the iOS and companion software like iTunes.  I mean, really?  (Time for a seance to raise Steve.)

Jesus Christ. Steve couldn't button his own shirt - these hackers will always be ahead of everyone in Silicon Valley because that's thier job. Apple, MS would and are wise to heed thier findings. They're closer to Moscow than Washington

prof

9secondkox2 said:

There re was no way Apple could publicly say that they were going to allow their systems to be crackable by the government, but their would also be a push-shove going on and we know who'd win that one. So Apple cited "performance improvements," etc. for no longer encrypting the kernel. 

Actually you have that backwards. Encrypting the kernel does not provide any additional security, rather the opposite: It adds complexity for the decryption code (and software complexity always translates into bugs) and it prevents security problems from being researched by the good guys but not by the bad guys who keep sell them to all kinds of creepy people... There're only two half-way sane reasons why you'd want to encrypt software:

1. You want to hide shady code
2. You want to protect your code from copycats

None of which should be the case for Apple. I really hope that the mentioned speed improvements for the drop of the decryption during boot is not the only reason for Apple to go this applaudable way, such shortsightness would be rather sad...

foggyhill

The temp solution is increase password complexity (use non alpha characters) and length. Doesn't take much to make this bug of no significance if you know about it.

Soli

foggyhill said:
The temp solution is increase password complexity (use non alpha characters) and length. Doesn't take much to make this bug of no significance if you know about it.

To be cracked it still requires someone have access to your Mac or WinPC account. I'd say just use the same code as your "PC" login, or, if you're worried it's an issue, just delete your iTunes' iDevice backups, assuming you also save to iCloud.

Personally, the only time I even use iTunes for iDevice backup these days is when I'm about to switch devices, since USB 2.0 is faster than using any of the DL options via iCloud's iDevice backup.

macOS:

~/Library/Application Support/MobileSync/Backup/

WinPC:

 \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\

I'd also recommends searching any backup drives, like Time Machine, to remove any of those backups, if one is concerned.

ericthehalfbee

Gee, guess I gotta make sure nobody breaks into my house and steals my computer sometime between now and when it gets fixed (maybe 2 weeks or less).

lkrupp

Local backup requiring physical access to my machine and my admin password to even get to iTunes. Yawnnnnnnnnnnn...

cwingrav

Unless I'm missing something, 40x faster at cracking something that takes 40k years to crack is still 10k years. Use strong passwords, and in this case, don't give physical access to your machine to a cracker.

arlor

cwingrav said:

Unless I'm missing something, 40x faster at cracking something that takes 40k years to crack is still 10k years. Use strong passwords, and in this case, don't give physical access to your machine to a cracker.

40k/40 is 1k, not 10k, which is still substantial. Your physical access point stands, but keep in mind that a sophisticated attacker might be using something better than a single Core i5 after mirroring the drive or memory.