Russian security firm Elcomsoft discovered the flaw, which makes brute force password cracking far easier than in iOS 9. All iPhone and iPad users need to be aware of what's at stake.
iOS 10 has only been out for two weeks and a major security flaw has already been discovered: locally stored encrypted backups can be hacked with relative ease.
The discovery was made by Russian cybersecurity firm Elcomsoft when updating its Phone Breaker software for iOS 10. The flaw is contained in Apple's chosen password verification method and makes it possible to bypass several important security checks.
"2,500 times faster compared to the old mechanism"
Elcomsoft has been creating tools to crack iOS encryption for years, and in previous versions Apple's encryption has limited the amount of password attempts that could be made: Even with GPU acceleration iOS 9 could only be hammered 150,000 times a second.
Here's where things get shocking: the iOS 10 flaw allows 6 million attempts to be made per second—without GPU acceleration. At that speed, Elcomsoft says, hackers would only need to leave their software running for two days until the odds of success approached 90 percent.
The particular risk
There's just one particular kind of backup that's at risk: a local encrypted one done through iTunes. When users opt to do a full backup their keychain data is stored as well, which is what hackers truly want access to.
Keychain is Apple's storage system for passwords, credit card numbers, and other personal information. It gets encrypted along with the backup, but if the password can be guessed the entire thing can be decrypted—including the keychain.
SEE: An insider's look at iOS security (TechRepublic)
Elcomsoft said that the only way to acquire a local encrypted backup is by gaining access to the computer it's stored on. That means laptops and desktops are the weak links.
How to stay secure
IT professionals should take this opportunity to review both company and BYOD device policies, as well as auditing them for compliance. Be sure that hard drives are encrypted with FileVault or other software and that the ability to remotely wipe missing computers is enabled.
Apple is aware of the flaw and has said it's working on a fix. Users should be directed to update their devices as soon as a newer version of iOS is available, and they should also replace their old encrypted backup.
The 3 big takeaways for TechRepublic readers
- Security firm Elcomsoft discovered a serious flaw in iOS 10's backup encryption. The flaw makes cracking secured backups 2,500 times easier.
- If a locally stored encrypted backup is cracked the keychain can be decrypted as well, giving a hacker access to credit card information, passwords, and authentication tokens.
- The only way for hackers to gain access to vulnerable backups is to access the machine they are stored on. Now is the time to audit Apple computers for encryption compliance and other security measures.
- Apps every iOS 10 and iPhone 7/7+ user should check out today (TechRepublic)
- Senators want to revive 'dead' anti-encryption bill, leak shows (ZDNet)
- Malware downloaded every 81 seconds, says new Check Point security report (TechRepublic)
- We're told data breaches cost millions on average - but this security study disagrees (ZDNet)
- This tech giant is giving Apple a run for its money (CBS News)