Oops. Apple has seriously weakened iOS 10 backups against password hackers

A flaw that Apple introduced in iOS 10 has made it far easier for password crackers to brute-force data backed up to iTunes, including credentials stored in Keychain.

iOS 10 might be the most secure version of Apple’s mobile OS, but Apple reportedly made a serious blunder in its implementation of password verifications for iOS 10 backups to iTunes on Mac and Windows PCs.

The claim comes from Russian forensics firm Elcomsoft, which reported on Friday that iOS 10’s password security checks for backups are now 2,500 times weaker to password-crackers than previous versions of iOS.

If the password to the backup is cracked, it would not only expose backed-up data and content but also allow the attacker to recover credentials from Apple’s Keychain password manager, where passwords and authentication tokens are stored for Safari, credit-card data, and third-party apps.

According to Elcomsoft’s Oleg Afonin, iOS backups are of interest to attackers because they are currently the only way to get at the device Keychain for new iPhones running iOS 10, from the iPhone 5s to the iPhone 7 and 7 Plus.

In other words, if law enforcement wanted to gain access to data on one of these models where a passcode is not known, the best option available is to force a backup to a trusted instance of iTunes on the desktop.

“Forcing an iPhone or iPad to produce an offline backup and analyzing resulting data is one of the very few acquisition options available for devices running iOS 10. Local backups are easy to produce if the iPhone is unlocked. However, you may be able to produce a local backup even if the phone is locked by using a pairing record extracted from a trusted computer,” Afonin wrote.

“If you are able to break the password, you’ll be able to decrypt the entire content of the backup including the Keychain. At this time, logical acquisition remains the only acquisition option available for iPhone 5s, 6/6 Plus, 6s/6s Plus and 7/7 Plus running iOS 10 that offers access to device Keychain.”

Password expert Per Thorsheim explained in a blog that the weakness was caused by Apple changing password-hashing algorithms from PBKDF2 with 10,000 iterations in iOS 9, to a SHA256 with a single iteration in iOS 10. This change permits many more guesses at a password to be made per second than before.

According to Afonin, the weaker algorithm has handed Elcomsoft’s password-recovery product, Phone Breaker, a 40-times performance boost in its CPU-only implementation over a faster GPU cracker.

Using an Intel i5 CPU, it is able to run a password recovery at a rate of six million passwords per second whereas in iOS 9, with a GPU, it was only able to run 150,000 passwords a second.

Afonin said the tool, combined with dictionary-based password guesses, would give about an 80 to 90 percent chance of successful recovery within two days.

Apple told Motherboard that it will fix the bug in an upcoming security update, but added it did not affect iCloud backups. Elcomsoft’s Phone Breaker was suspected of having have been used by the ‘celebgate’ hacker, in combination with correct login details, to pilfer nude pics and video from celebrities’ iCloud backups.

“We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups. We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption,” Apple said in the statement.

MORE ON APPLE