The latest version of Apple’s mobile operating system, iOS 10, features a “major security flaw” that makes it easier for hackers to crack passwords through local iTunes backups, according to the Moscow-based digital forensics and password recovery firm ElcomSoft.
In a blog post Friday, ElcomSoft’s Oleg Afonin called the potential impact of the security weakness “severe.” Apple released iOS 10 on September 13, three days before it launched the iPhone 7 and iPhone 7 Plus, both of which run the new operating system.
The flaw stems from an alternative password verification mechanism that Apple added to iOS 10 backups, according to Afonin. The new method, which sits alongside a previous backup method used in iOS 9 and earlier versions, allows hackers to guess at a device’s password anywhere from 40 to 2,500 times faster than before, he said.
80%-90% Chance of Password Recovery
“When working on an iOS 10 update for Elcomsoft Phone Breaker [ElcomSoft’s forensics tool for iOS and BlackBerry devices], we discovered an alternative password verification mechanism added to iOS 10 backups,” Afonin said in his blog post. “We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.”
Using Phone Breaker with a variety of password dictionary resources, a hacker running those tools over a two-day period has an 80 percent to 90 percent chance of recovering a password on an iOS 10 device, Afonin added.
Apple did not respond to our request for comment on the ElcomSoft report. However, Forbes reported Friday that the company provided the following statement: “We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups.”
According to Forbes, Apple recommended that iOS users employ strong passwords and ensure only authorized users can access their devices. “Additional security is also available with FileVault whole disk encryption,” the statement noted.
Requires Physical Access to Device
However, the vulnerability exists only if a hacker has physical access to an iOS 10 device, SnoopWall CEO Gary Miliefsky said in article published today in The Cointelegraph, a financial technology news site.
“It’s not that big of a deal if you use a really good password that’s not a word or combo of words in the dictionary,” Miliefsky said. “Bottom line is; someone brute forcing your phone needs to have it in hand physically anyway.”
A number of users on Apple’s online communities have raised questions about iOS 10 and posted complaints about security issues with the operating system.
Per Thorsheim, a Norway-based security advisor and CEO of God Praksis, wanted to know why Apple would have introduced the new password method to iOS 10, calling the change “devastating.”
“Apple has taken us through many betas of iOS 10, so it is easy to say that this didn’t happen by pure error,” Thorsheim wrote in a blog post. “The interesting question for Apple to answer is whether this massive weakening of your security & privacy is intentional, if it is a stupid glitch, or is it clueless crypto/developers?”
Computer security analyst Graham Cluley also questioned Apple’s approach. [C]onsidering that Apple has been making such an impressive stand recently on security, fighting attempts to force it to weaken the security of its mobile devices, it’s disappointing to see this apparent backward step,” he wrote in a blog post.
