SecurityWeek

Mobile & Wireless

Apple Confirms Weakened Security in Local iOS 10 Backups

iOS 10 Allows for Brute Force Attacks of 6,000,000 Passwords Per Second to be Attempted on Local Backups

Apple admitted recently to an issue affecting the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC and said a fix would be included in an upcoming update.

Released mid-September, iOS 10 addressed a total of seven vulnerabilities, the most severe of which could be exploited by a man-in-the-middle (MitM) attacker to prevent a device from receiving updates. Because iOS 10 rendered some devices useless, Apple was quick to release iOS 10.0.1, which also included a new fix for one of the “Trident” security flaws patched last month.

The weakness in local backups was discovered by ElcomSoft, a company that specializes in password recovery tools. According to the firm, a bug Apple introduced in iOS 10 makes local backups significantly more susceptible to brute-force attacks than backups from previous operating system versions.

ElcomSoft says it was able to recover passwords from iOS 10 backups several thousand times faster than from password-protected iOS 9 backups. The changes Apple introduced in iOS 10 for offline (iTunes) backups appear to be the root cause of the problem.

ElcomSoft’s Oleg Afonin explains in a blog post that an alternative password verification mechanism was added to iOS 10 backups, but that it skips certain security checks, allowing a brute-force attacker to try passwords 2,500 times faster than the old mechanism would permit. The attack, he says, was executed against a local backup on a machine with an Intel i5 processor.

ElcomSoft hasn’t provided specific details on the vulnerability, but revealed that it has added an exploit for it to Elcomsoft Phone Breaker 6.10. On the same machine, the company says, the tool could try only 2,400 passwords per second against iOS 9 backups, whereas iOS 10 backups allow 6,000,000 passwords per second to be attempted.
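To put the two guess rates quoted above into defender's terms, the following Python script is an added worked example (it is not code from the article, from ElcomSoft or from Apple). It converts the reported rates into worst-case time to exhaust the keyspace for a few password policies and into the number of entropy bits a backup password would need to gain to preserve the same margin; the policies and the one-year target are assumptions chosen for illustration, and the only figures taken from the article are the 2,400 and 6,000,000 guesses per second.

```python
from math import log2

# Guess rates quoted in the article for one Intel i5 machine (guesses per second).
IOS9_RATE = 2_400        # old password verification mechanism (iOS 9 backups)
IOS10_RATE = 6_000_000   # weakened alternative mechanism (iOS 10 local backups)

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Illustrative password policies (assumed for this example, not from the article):
# name -> (alphabet size, password length)
POLICIES = {
    "6 digits": (10, 6),
    "8 lowercase letters": (26, 8),
    "10 mixed-case alphanumerics": (62, 10),
    "12 printable ASCII characters": (95, 12),
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords an exhaustive search must cover."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def speedup() -> float:
    """How many times faster the iOS 10 path is than the iOS 9 path (2,500x)."""
    return IOS10_RATE / IOS9_RATE


def extra_entropy_bits() -> float:
    """Password entropy (in bits) that the speedup erases: log2 of the ratio."""
    return log2(speedup())


def min_entropy_bits(rate: float, target_seconds: float = SECONDS_PER_YEAR) -> float:
    """Entropy a password needs so that exhausting its keyspace takes at least target_seconds."""
    return log2(rate * target_seconds)


def crack_time_table():
    """(policy name, years at iOS 9 rate, years at iOS 10 rate) for each assumed policy."""
    rows = []
    for name, (alpha, length) in POLICIES.items():
        years9 = seconds_to_exhaust(alpha, length, IOS9_RATE) / SECONDS_PER_YEAR
        years10 = seconds_to_exhaust(alpha, length, IOS10_RATE) / SECONDS_PER_YEAR
        rows.append((name, years9, years10))
    return rows


if __name__ == "__main__":
    print(f"speedup: {speedup():.0f}x  (about {extra_entropy_bits():.1f} bits of password entropy)")
    for name, y9, y10 in crack_time_table():
        print(f"{name:32s} iOS 9: {y9:12.3g} years   iOS 10: {y10:12.3g} years")
    print("entropy for a one-year worst case: "
          f"iOS 9 {min_entropy_bits(IOS9_RATE):.1f} bits, "
          f"iOS 10 {min_entropy_bits(IOS10_RATE):.1f} bits")
```

The useful quantity is `extra_entropy_bits()`: a 2,500-fold speedup is equivalent to shaving about 11.3 bits off the password, so a policy that was adequate for iOS 9 backups needs roughly two extra random characters from a 62-symbol alphabet to stand in the same place against the iOS 10 path.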

Only password-protected local backups produced by iOS 10 devices expose this new vector. The old protection mechanism, Afonin notes, remains available for iOS 10 backups and delivers the same level of protection as it did for previous platform versions.

“All versions of iOS prior to iOS 10 used to use extremely robust protection. Chances of recovering a long, complex password were slim, and even then a high-end GPU would be needed to accelerate the recovery. As a result of our discovery, we can now break iOS 10 backup passwords much faster even without GPU acceleration,” Vladimir Katalov, ElcomSoft CEO, says.

Apple has already confirmed that the issue exists, and even told Forbes that it was considering a patch in an upcoming security update. The company revealed that the issue indeed affects the encryption strength for iOS 10 backups performed using iTunes on the Mac or PC, but underlined that iCloud backups are not affected by it.

The good news, of course, is that the attack can be performed only if the attacker can obtain or create a local iOS 10 backup to work with. Because the backup contains all of the content on the iOS device, including contacts, calls, messages, media files, and even passwords, a successful attack would amount to full device compromise and could expose other user accounts as well.

After security researchers discovered a series of zero-day iOS vulnerabilities used in targeted attacks against human rights activists, journalists, and other persons of interest, Apple in early September also released updates for Mac OS X and Safari to address the same issues.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
