Apple to crunch iOS 10 local backup password brute force hole

Research finds faster cracking flaw

Apple is brewing a fix to patch an iOS password flaw that allows credentials to be stolen from backups.

Elcomsoft researcher Oleg Afonin says the flaws mean cracking efforts against iOS 10 backups are 2500 times faster compared to similar efforts against iOS 9. If successful, the attack will grant access to device keychains.

The latest iOS released earlier this month allows six million passwords to be attempted each second compared to 2400 a second against iOS 9, using an Intel i5 processor.

Afonin conducted his research using a commercial tool.

Apple says in a statement it will address the flaws in an upcoming security update, adding that it did not affect iCloud backups.

Afonin says Apple devices are highly secure and his work is one of the last avenues available to attackers should they be able to obtain a local device backup.

"Apple smartphones are secure. iOS is also secure, and gets tougher with each subsequent generation," Afonin says.

"Forcing an iPhone or iPad to produce an offline backup and analysing resulting data is one of the very few acquisition options available for devices running iOS 10.

"At this time, logical acquisition remains the only acquisition option available for iPhone 5s [and newer] running iOS 10 that offers access to device keychain."

Image: Thorsheim.

PasswordsCon and security boffin Per Thorsheim (@thorsheim) says Apple moved to a weaker algorithm.

"Apple have moved from pbkdf2 (sha1) with 10,000 iterations to a plain sha256 hash with a single iteration only," Thorsheim says.

Afonin is now working on an attack optimised for much more efficient GPU systems. ®

Similar topics

Other stories you might like

Biting the hand that feeds IT © 1998–2021