Encrypted iTunes Backup On iOS 10 Easier To Crack Than iOS 9, Apple Working On A Fix
Apple’s iOS 10 has been with us for a little while now, and we are still finding out new things about the software which now drives our iPhones and iPads. While most of those things are good, there are inevitably some that aren’t quite so positive, such as the new revelation that iOS 10 backups may not be as secure as those created by previous versions of the operating system.
When a user creates an encrypted iTunes backup of their iPhone or iPad, the password that is created can potentially be cracked via a brute-force attack. That is nothing new, but the number of retries that would be required in order to crack a strong password of that ilk would normally take some time. That time is unfortunately quite a bit shorter for backups created by iOS 10 than those created by iOS 9.
The news comes via Elcomsoft, a company which makes software that is designed to get into supposedly secure iTunes backups of iOS devices. According to the company, iOS 10-created backups “skip certain security checks,” making the retries required by Elcomsoft’s software able to be carried out “approximately 2500 times faster.” That’s never good news.
At this time, we have an early implementation featuring CPU-only recovery. The new security check is approximately 2,500 times weaker compared to the old one that was used in iOS 9 backups. At this time, we are getting these speeds:
iOS 9 (CPU): 2,400 passwords per second (Intel i5)
iOS 9 (GPU): 150,000 passwords per second (NVIDIA GTX 1080)
iOS 10 (CPU): 6,000,000 passwords per second (Intel i5)
Once an iTunes backup has been cracked open, free reign is granted to other data stored within the backup, such as user data, further passwords for services and other data stored via the iOS keychain. Thankfully, Apple is already working on a fix.
We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups,” a spokesperson said. “We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.
We’d be a lot happier if these things were fixed before final releases find their way into the hands of users, Apple!