Elcomsoft, a company that creates and sells password cracking software, says Apple added an alternative password verification mechanism for iTunes backups in iOS 10 that’s 2,500 times weaker than the one used in iOS 9.
The new iTunes backup password verification system didn’t replace the original system that uses a much stronger algorithm, but exists in parallel.
The company says this new system allows a password cracking application to try more passwords per second than the older system used for iOS 9 devices and earlier.
What this means is that an attacker that can get his hands on a password-protected iTunes backup file created in iOS 10 can brute-force the password using this “new” alternative system and crack the file much faster.
“We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older,” said Oleg Afonin of Elcomsoft.
Elcomsoft says they were able to try 6 million passwords per second using only CPU processing power against an iOS 10 backup file. Previously, for backups created with iOS 9 they were able to test only 2,400 passwords per second, 2,500 times fewer passwords.
Researchers said they’re working on a password cracking attack for iOS 10 backup files that will use GPU (graphic card) processing power. For iOS 9 devices, this allowed researchers to try out 150,000 passwords per second.
If the same 62.5 amplification factor is preserved (not likely, though), an attacker would be able to try out around 375 million passwords per second on iOS 10 backups.
Combining the attacks with dictionaries of commonly used passwords would speed up the brute-forcing operations even more by trying out the most common passwords first.
Gaining access to an iTunes backup allows an attacker to compromise the user’s entire data, including Keychain content, which includes passwords for online accounts, credit card information, Wi-Fi network information, and more.