iOS 10 Allows for Brute Force Attacks of 6,000,000 Passwords Per Second to be Attempted on Local Backups

Apple admitted recently to an issue affecting the encryption strength for
backups of devices on iOS 10 when backing up to iTunes on the Mac or PC
and said a fix would be included in an upcoming update.

Released mid-September, iOS 10 addressed a total of seven vulnerabilities,
the most severe of which could be exploited by a man-in-the-middle
(MitM) attacker to prevent a device from receiving updates. Because iOS
10 rendered some devices useless, Apple was quick to release iOS 10.0.1,
which also included a new fix for one of the “Trident” security flaws patched last month.

The security weakness in iOS 10 local backups was discovered by
ElcomSoft, a company that specializes in password recovery tools.
According to them, the bug introduced by Apple in iOS 10 makes local
backups significantly more susceptible to brute-force attacks than those
for previous operating system versions.

According to ElcomSoft, they were able to recover passwords from iOS 10 backups
at speeds several thousand times faster when compared to recovering from
password-protected iOS 9 backups. The changes that Apple introduced in
iOS 10 for offline (iTunes) backups appear to be the root cause of the
problem.

ElcomSoft’s Oleg Afonin explains
in a blog post that an alternative password verification mechanism was
added to iOS 10 backups, but that it skips certain security checks, thus
allowing for a brute-force attacker to try passwords 2,500 times faster
than what the old mechanism would allow for. The attack, he says, was
executed against a local backup on a machine powered by an Intel i5
processor.

ElcomSoft hasn’t provided specific details on the security vulnerability, but
revealed that it has added an exploit for it to its Elcomsoft Phone
Breaker 6.10. On the same machine, the company reveals, the tool could
try only 2,400 passwords per second for iOS 9 backups, but iOS 10 allows
for a total of 6,000,000 passwords per second to be attempted.

Only the password-protected local backups produced by iOS 10 devices allow
an attacker to leverage this new vector. The old protection mechanism,
Afonin notes, continues to be available for iOS 10 backups and delivers
the same level of protection as it did for previous platform versions.

“All versions of iOS prior to iOS 10 used to use extremely robust
protection. Chances of recovering a long, complex password were slim,
and even then a high-end GPU would be needed to accelerate the recovery.
As a result of our discovery, we can now break iOS 10 backup passwords
much faster even without GPU acceleration,” Vladimir Katalov, ElcomSoft
CEO, says.

Apple has already confirmed that the issue exists, and even told Forbes
that it was considering a patch in an upcoming security update. The
company revealed that the issue indeed affects the encryption strength
for iOS 10 backups performed using iTunes on the Mac or PC, but
underlined that iCloud backups are not affected by it.

The good news, of course, is that the attack can be performed only if the
attacker can access or create a local iOS 10 backup to work with.
Because the backup contains all of the content on the iOS device,
including contacts, calls, messages, media files, and even passwords, a
successful attack would result in full device compromise and even the
compromise of other user accounts.

After security researchers discovered a series of zero-day iOS vulnerabilities
leveraged in targeted attacks against human rights activists,
journalists, and other persons of interest, Apple in early September
also released updates for Mac OS X and Safari to address the same issues.