Apple is actively fixing iOS 10 security backup vulnerability

[[173336]]

Apple is about to release a security update to fix a security flaw in iOS 10 that could allow hackers to steal passwords and other secure data. The vulnerability was first discovered by controversial Russian computer forensics firm Elcomsoft, which develops and sells iPhone detection software. "Apple added an alternative password verification mechanism to iOS 10, which inadvertently weakened the security of local backups," the company said, claiming to have discovered a major security flaw in iOS 10's backup protection mechanism. According to security researcher Per Thorsheim, the mechanism uses a relatively simple algorithm, which previously used the Secure Hash Algorithm - set to 10,000 iterations to obfuscate credentials and use Password-Based Key Derivation Function 2 (PBKDF2). The new password verification method under iOS 10 uses a single-iteration password protection function containing 256-bit SHA2, which makes brute-force certificate cracking extremely easy to break.

Elcomsoft said it has designed an attack to bypass security checks when cracking the password protecting local iTunes backups of devices running iOS 10. "This security vulnerability has serious implications. If iOS 9 backups required a fully optimized GPU-assisted attack, then early CPU attacks were more than enough to crack iOS 10 backups," wrote Oleg Afonin of Elcomsoft in a blog post. Elcomsoft's brute force attack allows it to crack passwords 2,500 times faster than iOS 9 passwords under the same conditions of CPU-only attacks. As the security of Apple phones and iOS systems increases, the difficulty of cracking them also increases. For hackers, the method of overcoming the security of mobile phones by cracking local backups is relatively feasible.

The main reason is that iOS 10 does not support jailbreaking, so even for old devices with the new system and the user's password is known, physical acquisition is impossible. On the other hand, cloud acquisition is only possible when the user's Apple account and password are known or when there is access to the user's computer iCloud control panel (to extract the authentication token), but cloud acquisition does not yet have the ability to decrypt the keychain. Forcing an iPhone or iPad to generate an offline backup and parsing the resulting data is one of the few ways to crack a device with iOS 10. Afonin emphasized that it is easy to generate a local backup when the iPhone is unlocked, and even if the iPhone is locked, hackers can generate a local backup by extracting the pairing record on a trusted computer.

"If you have the ability to crack the password, you can decrypt all backups, including the keychain," he wrote in his blog. "Currently, logical acquisition is still the only option for cracking the keychain on devices such as the iPhone 5s, 6/6Plus, 6s/6sPlus, and 7/7Plus running iOS 10." The keychain is stored in a special encrypted space on the device, with a level of confidentiality that exceeds full disk encryption. But the key to unlock the keychain is generally encrypted and hidden deep in the "Secure Enclave." According to Afonin, logical acquisition, which starts with a password-protected iTunes backup, is currently the only way to extract and crack the keychain data on the iOS 10 system. If a hacker can successfully crack the keychain data, they can not only obtain existing application storage passwords or authentication, Safari usernames and passwords, credit card information and wireless network information, but also any data that third-party application developers consider worthy of special protection.

Apple issued a statement saying that the company is aware of the above vulnerability that affects the encryption strength of iTunes backups to Mac or personal computers in iOS 10, and said that it will resolve the problem through security updates.