Forensics firm says backups easier to crack in iOS 10, Apple promises fix
Apple appears to have unintentionally weakened the security of local backups in iOS 10, as a result of offering an "alternative password verification mechanism," according to a Russian forensics company.
With iOS 10, it's possible to brute-force a backup password 40 times faster using CPU acceleration when compared with GPU-powered cracking of iOS 9, Elcomsoft explained in a blog post quoted by Forbes. Applying the same Intel Core i5 CPU in both cases, iOS 10 is 2,500 times faster to break.
The new mechanism "skips certain security checks," said Elcomsoft's Oleg Afonin. A password security expert cited by Forbes, Per Thorsheim, specified that the alternate mechanism uses a different algorithm -- SHA256 -- which a password attempt passes through just once. iOS 4 through iOS 9, by contrast, use PBKDF2, and run passwords through it 10,000 times.
The old mechanism is actually still present in iOS 10, but someone attempting to hack a backup can choose the weaker option.
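The cost gap between the two verification paths can be measured directly. The following is an added example, not code from Elcomsoft, Forbes or Apple, and it does not reproduce the iOS backup format: the salt layout, the use of HMAC-SHA256 inside PBKDF2 and the function names are assumptions made for illustration.

```python
import hashlib
import os
import time

PBKDF2_ITERATIONS = 10_000  # iteration count the article gives for iOS 4 through iOS 9


def fast_verifier(password: bytes, salt: bytes) -> bytes:
    """One pass of SHA-256 (salt || password layout is an assumption)."""
    return hashlib.sha256(salt + password).digest()


def slow_verifier(password: bytes, salt: bytes) -> bytes:
    """PBKDF2 with 10,000 iterations (HMAC-SHA256 as the PRF is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)


def seconds_per_check(verifier, rounds: int) -> float:
    """Average wall-clock cost of deriving one verifier value."""
    salt = os.urandom(16)  # constructed sample salt
    start = time.perf_counter()
    for i in range(rounds):
        verifier(b"sample-input-%d" % i, salt)
    return (time.perf_counter() - start) / rounds


def measure() -> dict:
    """Time both verifiers and report which one sets the backup's real strength."""
    costs = {
        "pbkdf2_10000": seconds_per_check(slow_verifier, 20),
        "sha256_once": seconds_per_check(fast_verifier, 20_000),
    }
    # When both verifiers are stored side by side, the password is only as
    # expensive to test as the cheapest of them.
    weakest = min(costs, key=costs.get)
    strongest = max(costs, key=costs.get)
    return {
        "costs": costs,
        "weakest": weakest,
        "work_factor_lost": costs[strongest] / costs[weakest],
    }


if __name__ == "__main__":
    result = measure()
    for name, cost in result["costs"].items():
        print(f"{name:>14}: {cost * 1e6:10.2f} microseconds per check")
    print(f"effective verifier: {result['weakest']}")
    print(f"work factor lost:   {result['work_factor_lost']:,.0f}x")
```

The measured ratio varies by machine; what stays constant is that keeping the PBKDF2 path offers no protection while the single-hash path is still accepted.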
Elcomsoft's CEO, Vladimir Katalov, suggested that the only way Apple can fix the situation is by updating both iOS and iTunes. Apple told Forbes it's aware of the problem, and planning to address it in "an upcoming security update." iCloud backups are allegedly secure.
Elcomsoft is a controversial firm, as it sells tools to anyone wanting to break into iOS devices. Its tools are believed to have been used during the "Celebgate" scandal in 2014, which resulted in many nude celebrity photos being stolen from iCloud and posted online.
Comments
I hope everything is using full disk encryption, a complex password, unique passwords for every account, a password manager, 2FA, and a VPN whenever you're on an unsecured, public network. Your iCloud password needs to be the most secure and complex password you can possibly remember.
Apple has lessened the anal retentive stance it had on securing and locking down everything.
It's sad but true and it started with the kernel.
There was no way Apple could publicly say that they were going to allow their systems to be crackable by the government, but there would also be a push-shove going on and we know who'd win that one. So Apple cited "performance improvements," etc. for no longer encrypting the kernel. Now we hear there's going to be a "fix" for inadequately secured backups.
It was intentional. Now they'll only have to figure ways to keep it so that most researchers won't figure it out while still leaving an Achilles heel.
As much as I'd like to believe otherwise, I believe this is the case. With an FBI that's willing to embarrass itself in investigations so that they can play favorites with political candidates, it's an immature environment that common sense and justice cannot win in. Therefore you have acquiescence to the bully. Sadly, that's what's happening here.
- You want to hide shady code
- You want to protect your code from copycats
None of which should be the case for Apple. I really hope that the mentioned speed improvements for the drop of the decryption during boot is not the only reason for Apple to go this applaudable way, such shortsightedness would be rather sad...
Personally, the only time I even use iTunes for iDevice backup these days is when I'm about to switch devices, since USB 2.0 is faster than using any of the DL options via iCloud's iDevice backup.
macOS:
WinPC:
I'd also recommend searching any backup drives, like Time Machine, to remove any of those backups, if one is concerned.