Recently Apple and the FBI battled over the iPhone's security, and after the incident Apple was inspired to work on making iPhones unhackable in the future.
To achieve the goal Apple managed to hire key developers of Signal – one of the world’s most secure, encrypted messaging apps.
But it doesn’t look like Apple moved forward.
Apple Weakens the Encryption of iOS 10
With the latest iPhone update, iOS 10, the company may have made a big mistake that directly affects its users' security and privacy.
“Apple has downgraded the hashing algorithm for iOS 10 from ‘PBKDF2 SHA-1 with 10,000 iterations’ to ‘plain SHA256 with a single iteration,’ potentially allowing attackers to brute-force the password via a standard desktop computer processor.
PBKDF2, which stands for Password-Based Key Derivation Function, is a key stretching algorithm which uses a SHA-1 hash with thousands of password iterations, which makes password cracking quite difficult,” reported The Hacker News.
In iOS 9 and prior versions back to iOS 4, the PBKDF2 function generates the final crypto key by applying a pseudorandom function (PRF) 10,000 times (password iterations), which dramatically increases the time each authentication attempt takes and makes dictionary or brute-force attacks less effective.
Brute Force Now 2,500 Times Faster than on Earlier iOS Versions
Moscow-based Russian firm ElcomSoft, which discovered this weakness in local password-protected iTunes backups, pointed out that Apple has betrayed its users by deliberately downgrading its effective, 6-year-old encryption to SHA256 with just one iteration.
Therefore, an attacker needs to hash each candidate password only once while brute-forcing to find a match and crack the password, making the entire process substantially less time-consuming.
“We discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older,” Oleg Afonin from Elcomsoft wrote in a blog post today.
Yes, that’s right. With iOS 10, it’s possible for an attacker to brute-force the password for a user’s local backup 2,500 times faster than was possible on iOS 9, using a computer with an Intel Core i5 CPU (at 6 million passwords per second).
However, an obvious limitation to this attack is that it can’t be performed remotely.
Since the weakness is specific to password-protected local backups made by iOS 10, an attacker needs access to the local backup of your iOS 10 device, where the iPhone files are stored.
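To show what the iteration count buys a defender, here is an added example (not from the original article or from Apple or ElcomSoft) that times a 10,000-iteration PBKDF2-HMAC-SHA1 verifier against a single SHA-256 pass, then uses the article's 6 million guesses per second and 2,500x figures to estimate how long different password policies hold up. The salt-then-password layout of the single-pass verifier and the sample policies are assumptions made for illustration.

```python
import hashlib
import os
import time

OLD_ITERATIONS = 10_000        # PBKDF2 iteration count the article gives for iOS 9 and earlier
ARTICLE_FAST_RATE = 6_000_000  # guesses/second the article quotes for an Intel Core i5
ARTICLE_SPEEDUP = 2_500        # speed-up factor the article quotes


def verifier_stretched(password: bytes, salt: bytes, iterations: int = OLD_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1: each guess costs `iterations` chained PRF calls."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)


def verifier_single(password: bytes, salt: bytes) -> bytes:
    """One SHA-256 pass; the salt-then-password layout is assumed for illustration."""
    return hashlib.sha256(salt + password).digest()


def guesses_per_second(verify, rounds: int) -> float:
    """Time `rounds` verifier computations on this machine (single core)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        verify(b"candidate-%d" % i, salt)
    return rounds / (time.perf_counter() - start)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters."""
    return alphabet_size ** length


def days_to_exhaust(space: int, rate: float) -> float:
    """Worst-case days to cover the whole keyspace at `rate` guesses/second."""
    return space / rate / 86_400


if __name__ == "__main__":
    slow = guesses_per_second(verifier_stretched, 50)
    fast = guesses_per_second(verifier_single, 200_000)
    print(f"measured here: stretched {slow:,.0f}/s, single pass {fast:,.0f}/s, "
          f"ratio {fast / slow:,.0f}x")
    # Constructed sample policies: (alphabet size, length)
    for alphabet, length in [(10, 6), (36, 8), (62, 10)]:
        space = keyspace(alphabet, length)
        print(f"{alphabet}^{length}: "
              f"{days_to_exhaust(space, ARTICLE_FAST_RATE):,.2f} days single pass vs "
              f"{days_to_exhaust(space, ARTICLE_FAST_RATE / ARTICLE_SPEEDUP):,.2f} days stretched")
```

The ratio measured locally depends on the machine and on interpreter overhead, so it will not match the article's 2,500 figure; the policy estimates use the article's numbers directly.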