Home
Mobiles
Mobiles News
iOS 10 Backups Can Be Cracked 2,500 Times Faster Than iOS 9, Claims Security Researcher

iOS 10 Backups Can Be Cracked 2,500 Times Faster Than iOS 9, Claims Security Researcher

By Ketan Pratap | Updated: 23 September 2016 18:13 IST

Highlights

Researcher claims security check in iOS 10 is 2,500 times weak than iOS 9
Elcomsoft says brute force attack can be carried on iOS 10 backups
New attack specific to password-protected local backups in iOS 10 devices

A security research company based in Moscow claims to have discovered a flaw in Apple's local password protected iTunes backups in iOS 10, a flaw that is said to weaken password security. According to ElcomSoft's Oleg Afonin, the security flaw lets attackers develop a new attack that can bypass certain security checks when tallying passwords protecting local backups in iOS 10 devices.

"The impact of this security weakness is severe. An early CPU-only implementation of this attack (available in Elcomsoft Phone Breaker 6.10) gives a 40-times performance boost compared to a fully optimised GPU-assisted attack on iOS 9 backups," writes Afonin.

Further detailing implementation of the attack, Elcomsoft claims that the new security check in iOS 10 is roughly "2,500 times weaker" compared to the one used in iOS 9 backups.

"Specifically they have changed from pbkdf2(sha1) with 10,000 iterations into using a plain sha256 hash with a single iteration only. This not only allows for a massive speed increase in password cracking, the change is so devastating that an early CPU-only cracking implementation is almost 40 times faster than a fully optimised GPU implementation for the old pbkdf2 version," writes Per Thorsheim, Security Adviser at God Praksis AS.

It's worth mentioning that the flaw discovered cannot be exploited remotely and needs the attacker to have access of the local backups in iOS 10.

Elcomsoft claims that brute force attack, which is a trial and error method used to decode encrypted data such as passwords, can only be carried on iOS 10 backups.

"This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups," notes Elcomsoft. The research firm however points that the "new" password verification method exists in parallel system as well with the "old" method though it doesn't affect the earlier versions.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: iOS 10, Apple

Ketan Pratap

Email Ketan

Ketan Pratap is the editor at Gadgets 360 - with over 12 years of experience covering the technology domain. With a breadth and depth of knowledge in the field, he's done extensive work across news, features, reviews, and opinion pieces. But what's truly inspiring about Ketan is how he spends his free time. He's often found gazing at snow-capped mountains from over 20,000 feet while sitting on the hood of his car, taking in the breathtaking beauty of nature. His passion for the great ...More

Idea Says Has Provisioned More Interconnection Points for Reliance Jio

iOS 10 Backups Can Be Cracked 2,500 Times Faster Than iOS 9, Claims Security Researcher

Related Stories