UPDATE A computer forensics firm says Apple weakened backup security protection with the Sept. 13 release of iOS 10, making it simple work for hackers to crack password protection used for backups of iOS devices stored on Macs and PCs.
Elcomsoft, which explained the security hole in a blog post Friday, said the “major security flaw” opens the door for a new type of iOS brute-force password attack.
“We looked into it, and found out that the new mechanism (in iOS 10) skips certain security checks, allowing us to try passwords approximately 2,500 times faster compared to the old mechanism used in iOS 9 and older,” wrote Elcomsoft’s Oleg Afonin in the post.
Researchers said Apple weakened password protection with iOS 10, and that iOS 9 protected backup passwords with a stronger, deliberately slow key-derivation scheme. iOS backup images are an attractive target to hackers and typically hold saved passwords and authentication tokens for mail and social media accounts, said Per Thorsheim, CEO of security firm God Praksis.
Thorsheim called the change in the way Apple handles password protection in iOS 10 a “massive weakening of security and privacy.”
In a statement sent to Threatpost late Friday, Apple acknowledged the weakening of the password protection and said it would address the issue in an upcoming update. Apple said:
“We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups. We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.”
In one attack scenario, if an iOS device owner performs a backup of their iOS 10 iPhone locally to a PC or Mac using iTunes, that backup image is vulnerable to a password attack. An attacker who has local or remote access to that PC or Mac can run brute-force password cracking software on the backup image and more easily crack the password than with previous backups performed with iOS 9 devices.
It is unclear whether any specific version of iTunes is required to produce the weaker iOS 10 backups, or whether all current versions do so.
“This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups,” Afonin wrote.
According to Elcomsoft, on an Intel i5-class system an attacker can brute-force the password of an iOS 9 backup at a rate of about 2,400 passwords per second, versus roughly 6 million passwords per second for an iOS 10 backup.
“I can’t see any reasonable logical explanation why Apple would have done this. This must be a bug on Apple’s part,” Thorsheim told Threatpost.
Making matters worse, he said, are weaker password requirements for Apple iOS image backups compared to Apple iTunes accounts. “There is a perception that because local backups aren’t in the cloud they don’t need as stringent passwords,” he said. With backups, Thorsheim said, passwords can be as rudimentary as “1 3 3 4.”
The flaw, Thorsheim notes, is tied to a new Apple password hashing method used in iOS 10 that includes plain SHA-256 hashes with a single iteration. iOS 9, he notes, used a more secure PBKDF2 SHA-1 algorithm with 10,000 iterations.
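The following is an added illustration, not code from Elcomsoft, Apple or Threatpost, of why the change in key-derivation scheme matters so much for the guess rates quoted above. It models the two schemes the article describes (PBKDF2-HMAC-SHA1 with 10,000 iterations for iOS 9, one plain SHA-256 for iOS 10) and runs the same offline guessing loop against both. The backup file format is not modelled: a "verifier" here is simply a salt plus the derived key, which is what an attacker holding the backup effectively has. Prepending a salt in the SHA-256 variant is an assumption made only so both functions share a signature; the page does not say whether iOS 10 salted, and it does not change the per-guess cost, which is the point. The weak password "1334" and the short wordlist are constructed sample inputs.

```python
"""Added example (not Elcomsoft's or Apple's code): PBKDF2 (10,000 iterations)
versus a single SHA-256 as a backup-password verifier, and what that does to
offline brute-force speed. Real iTunes backup layout is not modelled."""
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional, Tuple

Kdf = Callable[[bytes, bytes], bytes]

PBKDF2_ITERATIONS = 10_000  # iteration count the article attributes to iOS 9


def kdf_ios9(password: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA1, 10,000 iterations: the scheme the article attributes to iOS 9.
    Every guess costs 10,000 HMAC computations, on purpose."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, PBKDF2_ITERATIONS, dklen=32)


def kdf_ios10(password: bytes, salt: bytes) -> bytes:
    """One plain SHA-256: the scheme the article attributes to iOS 10.
    Salt is prepended only so both KDFs share a signature (assumption; the page
    does not say whether iOS 10 salted). One hash per guess is the whole problem."""
    return hashlib.sha256(salt + password).digest()


def make_verifier(password: str, kdf: Kdf) -> Tuple[bytes, bytes]:
    """What an attacker recovers from a password-protected backup: salt + derived key."""
    salt = os.urandom(16)
    return salt, kdf(password.encode(), salt)


def crack(verifier: Tuple[bytes, bytes], kdf: Kdf,
          candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guessing: derive each candidate with the backup's salt and compare.
    Returns (recovered password or None, number of guesses tried)."""
    salt, key = verifier
    tried = 0
    for cand in candidates:
        tried += 1
        if hmac.compare_digest(kdf(cand.encode(), salt), key):
            return cand, tried
    return None, tried


def numeric_pins(length: int) -> Iterable[str]:
    """Every PIN of the given length: the '1 3 3 4'-style passwords Thorsheim mentions."""
    for n in range(10 ** length):
        yield f"{n:0{length}d}"


def guesses_per_second(kdf: Kdf, sample: int = 200) -> float:
    """Raw guess rate for a KDF on this machine (single core, pure-Python loop).
    The absolute numbers will differ from Elcomsoft's i5 figures; the ratio is what matters."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for n in range(sample):
        kdf(str(n).encode(), salt)
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample: a four-digit backup password, as weak as the article warns.
    weak = "1334"

    v10 = make_verifier(weak, kdf_ios10)
    print("iOS 10 scheme, full 4-digit keyspace:", crack(v10, kdf_ios10, numeric_pins(4)))

    # Constructed wordlist; a full keyspace sweep at 10,000 iterations/guess takes
    # seconds here and days for real-world passwords, which is the protection PBKDF2 buys.
    v9 = make_verifier(weak, kdf_ios9)
    print("iOS 9 scheme, short wordlist:", crack(v9, kdf_ios9, ["password", "1234", "1334"]))

    r10 = guesses_per_second(kdf_ios10, sample=2000)
    r9 = guesses_per_second(kdf_ios9, sample=50)
    print(f"guess rate: SHA-256 {r10:,.0f}/s, PBKDF2 {r9:,.0f}/s, ratio {r10 / r9:,.0f}x")
```

Run as-is, the SHA-256 verifier gives up a four-digit password after 1,335 guesses in a fraction of a second, while the PBKDF2 verifier costs 10,000 HMAC-SHA1 computations per guess, so the same loop is several thousand times slower; that is the order of magnitude behind the 2,400-versus-6-million figures Elcomsoft reports, and it is why a fast hash is never an acceptable password verifier, regardless of how long the password is.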
Elcomsoft said that once the backup password is cracked, the attacker can decrypt the copy of Apple's Keychain stored inside the backup; the Keychain is the company's password management component, which is otherwise encrypted and securely stored.
“Even if you can jailbreak a 64-bit iOS device (iPhone 5s and newer), you would still be unable to extract decryption keys for the Keychain,” Afonin wrote. However, iOS 10 backups allow a hacker to extract and decrypt Keychain data from an iOS 10 device. “Keychain contains information such as saved passwords or authentication tokens to applications requesting secure storage for authentication credentials, Safari logins and passwords, credit card information, Wi-Fi network information, and any data that third-party app developers consider worthy of extra protection.”