Sergey Nivens - Fotolia

How did iOS 10 security checks open brute force risk on local backups?

A password-verification flaw in iOS 10 allowed attackers to decrypt local backups. Expert Michael Cobb explains how removing certain security checks led to this vulnerability.

Researchers at the cyber forensics firm ElcomSoft Ltd. found a password-verification flaw in Apple's iOS 10 that allows attackers to decrypt local backups and obtain passwords and authentication tokens. ElcomSoft's report said the password-verification flaw was made possible by the removal of certain security checks in iOS 10 from earlier versions of the mobile OS. How does this exploit work, and what security checks within iOS 10 would have prevented it?

Mobile device security is a key product differentiator at the enterprise level, and major vendors will trumpet the new or improved security measures incorporated into their products and software.

It seems odd, therefore, that the Russian computer forensics company ElcomSoft found the password-verification process protecting local backups in iOS 10 far less robust than that of earlier versions. While updating its iOS Forensic Toolkit, ElcomSoft researchers found that they could easily brute force the password protecting a local iTunes backup made by an iOS 10 device, something that was almost impossible to do on local backups made by earlier versions of iOS.

In iOS versions 4 through 9, the Password-Based Key Derivation Function (PBKDF2) was used to verify the password for a backup, with SHA-1 as the underlying hash function. Password hashing algorithms like PBKDF2, bcrypt and scrypt are purposely computationally intense to make dictionary and brute force attacks much harder.

In Apple's implementation, PBKDF2 hashed the password 10,000 times -- a process known as key stretching. This dramatically increased the time it took an attacker to test each password guess. According to ElcomSoft, the best rate achieved on iOS 9 local backups was slightly more than 150,000 passwords per second using a single PC equipped with an NVIDIA GTX 1080 accelerator.

For some reason, Apple moved from using this robust design to just using SHA-256, a regular cryptographic hash with a single iteration. This is not a good option security wise, as there is no key stretching algorithm to slow down a dictionary or brute-force attack. This is why ElcomSoft's Phone Breaker tool managed six million password guesses per second using just a standard desktop CPU, without the help of a graphics processing unit. At that rate, a single-case, six-character, alphanumerical password would only take a few minutes to break.

While a seven-character password would still take several hours to brute force, prior to iOS 10, it would have taken almost a week to break, a huge downgrade in password protection for iOS 10 local backups. Once an attacker breaks this password, they can then decrypt the entire contents of the backup, including the password for Keychain, a password management system that stores sensitive data, such as credit card and Wi-Fi network information.

To pull off this attack, a hacker needs to have local or remote access to the machine where the Apple backup is stored -- the issue doesn't affect iCloud backups. It may also be possible to force an iTunes backup by using a pairing record extracted from a trusted computer.

Apple has addressed the issue in iOS updates 10.1 and 10.2 -- the entire backup database is now encrypted, and possible password cracking has been made significantly slower than it was originally in earlier iOSes. Apple also recommends that users have strong passwords -- in this case, that means at least a combination of ten alphanumeric and special characters.

Next Steps

Find out the best practices for keeping Apple iOS devices and data secure

Learn about the challenges faced when attempting mobile device backups

Discover the differences between symmetric and asymmetric encryption algorithms

This was last published in February 2017

Dig Deeper on Network security