A recent disclosure by professional hackers has revealed a loophole in iOS 10 that allows the password of a protected iPhone backup to be cracked 40 times faster than before. According to a report by Forbes, Russian forensics company Elcomsoft has found a flaw in iOS 10: it uses weaker password protection for the manual backups users take of their devices via iTunes.
“We discovered a major security flaw in the iOS 10 backup protection mechanism. This security flaw allows us developing a new attack that is able to bypass certain security checks when enumerating passwords protecting local (iTunes) backup made by iOS 10 devices,” said Oleg Afonin in an Elcomsoft blog post. “The impact of this security weakness is severe,” he added.
Elcomsoft is the company whose kit was allegedly used by hackers to expose nude celebrity pictures back in 2014. The security weakness in the new system makes password attacks 40 times faster than against iOS 9 backups. According to Elcomsoft, the new method of attack is limited to password-protected backups made by iOS 10 devices.
The blog added that ‘Apple smartphones are secure’ and that iOS gets more secure with every new generation (iOS 10 has no jailbreak). Cloud acquisition of backups is not possible unless the user’s Apple ID and password are known. The best method of acquiring information is to force an iPad or an iPhone to produce an offline backup, which can then be used to retrieve information.
Using their existing i5 CPUs to crack the password, the software was able to guess six million passwords a second, compared to just 2400 passwords per second when using the same computer against iOS 9 backups.
Elcomsoft’s Phone Breaker 6.10 kit is available for purchase to anyone who wants to buy it. The Phone Breaker software can access password-protected backups for smartphones made by BlackBerry and Apple, and includes ‘iPhone 7 Plus and iOS 10’.
Apple confirmed the issue to Forbes, with a spokesperson saying, “We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups.”