Apple seems to have made a curious security choice in iOS 10, one that enables attackers to brute force the password for a user’s local backup 2,500 times faster than was possible on iOS 9.
Researchers at Elcomsoft, a Russian security company, discovered the issue, which is related to the choice of hashing algorithm in iOS 10. In the newest version of the iPhone operating system, Apple uses SHA256 to hash the password for the user’s local backup, which is stored on a computer paired with the phone. In previous versions, Apple used PBKDF2 for this job and ran the password through the algorithm 10,000 times, making password cracking quite difficult.
But iOS 10 uses just one iteration of SHA256 to hash the local backup password, something that the Elcomsoft researchers said made brute-forcing the password far easier. They found that using just a CPU rather than an optimized GPU implementation, they could try as many as six million passwords per second in iOS 10. By comparison, the same setup could try just 2,400 passwords per second against iOS 9. Elcomsoft has a custom tool it sells for this task.
“When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older,” Oleg Afonin of Elcomsoft said in a post on the issue.
“This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the ‘new’ password verification method exists in parallel with the ‘old’ method, which continues to work with the same slow speeds as before.”
“The attack itself is only available for iOS 10 backups.”
The key limitation for this attack, as Afonin said, is that it requires access to the local backup of a target iPhone. Many, if not most, iPhone users eschew local backups on their computers in favor of iCloud storage, and an attacker would need either physical access to the local backup or to compromise the machine in some other way in order to execute this attack.
Per Thorsheim, a security advisor who runs the PasswordsCon conference, said the attack on iOS 10 works and brings up some questions about why Apple made the choice it did.
“The implementation works. Apple has taken us through many betas of iOS 10, so it is easy to say that this didn’t happen by pure error.,” Thorsheim wrote in an analysis of the password issue.
Afonin said that once an attacker has cracked the victim’s local backup password, he would have access to the most sensitive data on the device, including the keychain, which is the protected storage built into iOS.
“If you are able to break the password, you’ll be able to decrypt the entire content of the backup including the keychain,” Afonin said.