Apple’s new iOS 10 has one tweak that isn’t in the press release: a “severe” security flaw.
Developers at Elcomsoft—a Russian company that builds tools to help police access people’s devices—uncovered changes to the way Apple protects backup data stored on your computer through iTunes.
The “alternative password verification mechanism” in iOS 10, as Elcomsoft’s Oleg Afonin describes it in a company blog post, lets someone trying to access a person’s iOS backup data test potential “passwords approximately 2,500 times faster compared to the old mechanism used in iOS 9 and older.”
This process of using a computer to try to “guess” the password of a device or account is known as a brute-force attack, or just brute-forcing. With the change in iOS 10, brute-forcing backups is far easier than it was with earlier versions of the mobile operating system.
In other words, Afonin explains, iOS 9 let hackers test anywhere from 2,400 passwords per second to upwards of 150,000 passwords per second, depending on the type of chip running the computer on which the backup was stored. That number jumps to 6,000,000 passwords for backups produced by iOS 10.
Elcomsoft CEO Vladimir Katalov tells Motherboard that Apple is aware of the issue and appears eager to fix it. However, it may require fixing both iOS 10 and iTunes, along with other potential conversations.
News of a weakness in iOS 10 comes amid an ongoing debate over encryption, which rocketed into the national consciousness last year after the FBI demanded Apple help it crack into the iPhone of one of the deceased San Bernardino shooters.
Contact the author: Andrew Couts, [email protected]