Normally, upgrading the operating system on your iPhone doesn’t just bring you a few funky new features; you also get to benefit from some security enhancements and fixes.
However, with iOS 10 it seems things might have taken something of a backward step – at least in the case of the security of any local iTunes backups you might be making.
That’s according to Russian firm ElcomSoft, which makes software to help users gain access to password-protected data:
“When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.
“This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the ‘new’ password verification method exists in parallel with the ‘old’ method, which continues to work with the same slow speeds as before.”
2500 times faster? My guess is that is not the kind of speed boost you were hoping to get when you upgraded to iOS 10.
The silver lining on the cloud is that ElcomSoft’s discovery affects only the local iTunes backups you might make of your iPhone or iPad. That means any hacker wanting to exploit the weakness would have to target the computer you made the backup on, rather than something more chilling like trying to access the phone itself remotely.
Nonetheless, considering that Apple has been making such an impressive stand recently on security, fighting attempts to force it to weaken the security of its mobile devices, it’s disappointing to see this apparent backward step.
Hat-tip: Thanks to password guru Per Thorsheim for bringing the research to my attention.