Forensics firm says backups easier to crack in iOS 10, Apple promises fix

By Roger Fingas

Apple appears to have unintentionally weakened the security of local backups in iOS 10, as a result of offering an "alternative password verification mechanism," according to a Russian forensics company.

With iOS 10, a backup password can be brute-forced on a CPU 40 times faster than GPU-powered cracking of an iOS 9 backup, Elcomsoft explained in a blog post quoted by Forbes. Using the same Intel Core i5 CPU in both cases, an iOS 10 backup is 2,500 times faster to break.

The new mechanism "skips certain security checks," said Elcomsoft's Oleg Afonin. A password security expert cited by Forbes, Per Thorsheim, specified that the alternate mechanism uses a different algorithm, SHA-256, which a password attempt passes through just once. iOS 4 through iOS 9, by contrast, use PBKDF2 and run passwords through it 10,000 times.

The old mechanism is actually still present in iOS 10, but someone attempting to hack a backup can choose the weaker option.
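To make the difference between the two verifiers concrete, here is an added example (not code from Apple, Elcomsoft or the article) that models the older mechanism as PBKDF2-HMAC-SHA256 with 10,000 iterations and the weaker one as a single SHA-256 pass, then measures how many more candidate passwords per second a CPU can test against the weaker verifier. The password, salt and the salt||password construction for the single-pass case are assumptions; the article does not describe how iOS 10 salts the hash.

```python
import hashlib
import os
import time

# Constructed sample inputs for this demonstration (not taken from any real backup).
PASSWORD = b"correct horse battery staple"
SALT = os.urandom(16)
PBKDF2_ITERATIONS = 10_000  # iteration count the article attributes to iOS 4 through iOS 9


def kdf_pbkdf2(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Verifier modelled on the older mechanism: PBKDF2-HMAC-SHA256, 10,000 iterations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def kdf_single_sha256(password: bytes, salt: bytes) -> bytes:
    """Verifier modelled on the weaker mechanism: one SHA-256 pass.
    Assumption: the article only says the password goes through SHA-256 once;
    the salt||password layout used here is illustrative, not Apple's format."""
    return hashlib.sha256(salt + password).digest()


def guesses_per_second(kdf, samples: int) -> float:
    """Time `samples` verifications of distinct wrong guesses and return guesses/second.
    Each candidate differs so the measurement reflects the real per-guess cost."""
    start = time.perf_counter()
    for i in range(samples):
        kdf(b"guess-%d" % i, SALT)
    return samples / (time.perf_counter() - start)


def speedup_from_downgrade() -> float:
    """Factor by which an attacker who can pick the single-SHA-256 verifier tests
    candidates faster than against PBKDF2, on this machine's CPU. The article's
    40x and 2,500x figures come from Elcomsoft's own GPU/CPU measurements, not this."""
    slow = guesses_per_second(kdf_pbkdf2, 50)
    fast = guesses_per_second(kdf_single_sha256, 50_000)
    return fast / slow


if __name__ == "__main__":
    ratio = speedup_from_downgrade()
    print(f"single SHA-256 verifier allows ~{ratio:,.0f}x more guesses/s than PBKDF2-10000")
```

The key takeaway for a defender is that both functions accept the same password, so any verifier that offers the cheaper path undoes the work factor the iterated KDF was meant to impose.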

Elcomsoft's CEO, Vladimir Katalov, suggested that the only way Apple can fix the situation is by updating both iOS and iTunes. Apple told Forbes it's aware of the problem, and planning to address it in "an upcoming security update." iCloud backups are allegedly secure.

Elcomsoft is a controversial firm, as it sells tools to anyone wanting to break into iOS devices. Its tools are believed to have been used during the "Celebgate" scandal in 2014, which resulted in many nude celebrity photos being stolen from iCloud and posted online.