UPDATE: Apple has issued the following statement: “We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update.”
Security software firm Elcomsoft reports that a weakness in iOS 10’s backup procedure means that iOS passwords can be discovered approximately 2,500 times faster compared to previous iOS releases.
A brute force attack combined with its own “smart attacks” running over the space of two days gives an 80 to 90 percent chance of successful password extraction from an iOS 10 iTunes backup, Elcomsoft says.
The weakness lies in a new backup protection mechanism applied to iOS 10 device backups made using iTunes. The new mechanism introduced by Apple with the OS update allegedly skips certain vital security checks that ordinarily slow brute-force password attacks, in which a huge number of guesses are attempted in order to discover a password.
Notably, the weakness does not apply to backups made online via iCloud, which remain as secure as they ever were.
Although Elcomsoft has not yet refined its Phone Breaker app used in the new attack, in that it doesn’t yet leverage the power of a GPU for this particular attack vector, they are currently reporting the following speeds in brute-force password guessing attempts:
iOS 9 (CPU): 2,400 passwords per second (Intel i5)
iOS 9 (GPU): 150,000 passwords per second (NVIDIA GTX 1080)
iOS 10 (CPU): 6,000,000 passwords per second (Intel i5)
There’s little doubt that Apple will patch the weakness in a future iOS 10 update, and additionally the requirement to have physical access to a backup file created by iTunes means the attack is unlikely to see widespread use by hackers. However, for law enforcement agencies able to impound computers and devices the new vulnerability is something of a gift.