Did Apple truly not know about the recently found flaws in iOS 10? It just seems too hard to comprehend.
Professional iPhone hackers are accusing Apple of dropping the ball on password security in its latest iPhone operating system. The change has made the task of cracking the passwords for backups saved on a Mac or PC considerably easier.
Elcomsoft, the renowned Russian forensics company, has raised these claims. One of the company's kits was apparently used by hackers to expose improper images of celebrities, which made a lot of noise back in 2014. Like market leader Cellebrite, the company earns its income by selling kits that are able to break into iPhones for the very purpose of bypassing the security of a target's device. With the release of iOS 10, Elcomsoft began probing its security characteristics, only to find that Apple was actually using a much weaker password protection mechanism than in the past for manual backups made through iTunes.
As a result of Apple's mistake, Elcomsoft announced it could most probably guess backup passwords 40 times faster, especially by using CPU acceleration in comparison to the speedier GPU-powered cracking method used against iOS 9. Using the same Intel i5 CPU for its cracking tasks, the result was a whopping 2,500 times faster rate, pumping out 6 million password guesses per second. This is a significant difference in comparison to a mere 2,400. Elcomsoft believes it will enjoy an 80 to 90 percent higher chance of obtaining the correct password using its tools. The irony is that these tools can be purchased by any individual and are not exclusive to the authorities.
A recent discovery by Elcomsoft shows that an alternative password verification mechanism was added to iOS 10 backups. The company looked into the issue, only to find that the newly added mechanism skips certain security checks, allowing hackers to check passwords at a much faster speed than with previous mechanisms.
And the weakness is…
The interesting part is that the more secure method of storing passwords actually goes all the way back to iOS 4, according to some experts.
So the question is, what exactly has Apple done? The company has employed a weaker hashing algorithm for local backups of iPhone files that are stored on PCs. These algorithms transform plaintext passwords into what is called a hash, a series of letters and numbers. Those involved in cracking passwords run plaintext guesses through the algorithm and compare the output with the stored hash. Therefore, the more complex the algorithm and the password, the more difficult it is to find a match.
Apple employed what is known as the PBKDF2 algorithm in iOS 9 and in versions going back to iOS 4, passing the password through it exactly 10,000 times. This forces a hacker to run each plaintext guess through the algorithm 10,000 times, and leaves no choice but to repeat the whole process for every guess until a match is found. In the alternative mechanism in iOS 10, a different algorithm by the name of SHA256 is used with only one repetition. Therefore, a hacker only needs to run each password guess through the algorithm once, and then repeat that to discover a match and crack the login. This makes the entire process significantly shorter.
Experts believe the algorithms chosen by Apple have not been good decisions. In fact, Apple's decisions seem quite strange, and even more mind-boggling considering that the stronger password protection system remains in place alongside the newer one. A hacker can attack the system through either of two password hashes, one of which is weaker than the other. This can even be described as a giant leap backwards for mankind in the struggle for more cyber-security. Even if the user sets up stronger logins, it nonetheless makes passwords longer than eight characters insecure.
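The cost difference described in the two paragraphs above can be measured directly. The following is an added example, not code from Apple or Elcomsoft and not the real backup format: the record layout, the salt handling and the use of HMAC-SHA1 inside PBKDF2 are assumptions made for the sketch. It stores both verifiers side by side, as the article says iOS 10 does, and times one check against each.

```python
import hashlib
import hmac
import time

ITERATIONS = 10_000  # iteration count the article gives for iOS 4 through iOS 9


def stretched_verifier(password: bytes, salt: bytes) -> bytes:
    # PBKDF2 repeats its inner hash ITERATIONS times for every password checked.
    # Assumption: HMAC-SHA1 as the inner hash; the article does not name it.
    return hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS)


def single_pass_verifier(password: bytes, salt: bytes) -> bytes:
    # One SHA-256 pass, as the article describes for the iOS 10 check.
    # Assumption: salt-then-password layout, chosen for this sketch only.
    return hashlib.sha256(salt + password).digest()


def make_record(password: bytes, salt: bytes) -> dict:
    # Constructed record that keeps both verifiers for the same password.
    return {"salt": salt,
            "stretched": stretched_verifier(password, salt),
            "single": single_pass_verifier(password, salt)}


def check(record: dict, password: bytes, field: str) -> bool:
    # Verify a password against one of the two stored verifiers.
    fn = stretched_verifier if field == "stretched" else single_pass_verifier
    return hmac.compare_digest(fn(password, record["salt"]), record[field])


def seconds_per_check(record: dict, field: str, rounds: int) -> float:
    start = time.perf_counter()
    for _ in range(rounds):
        check(record, b"candidate", field)
    return (time.perf_counter() - start) / rounds


def cost_ratio(record: dict) -> float:
    # How many times more expensive one stretched check is than one single-pass check.
    return seconds_per_check(record, "stretched", 20) / seconds_per_check(record, "single", 20_000)


if __name__ == "__main__":
    rec = make_record(b"correct horse", b"constructed-salt")  # constructed sample values
    print("both verifiers accept the password:",
          check(rec, b"correct horse", "stretched") and check(rec, b"correct horse", "single"))
    print(f"stretched check costs about {cost_ratio(rec):,.0f}x a single-pass check")
```

Because either verifier confirms the same password, the record is only as expensive to test as its cheapest field; keeping the stretched value next to the single-pass one adds no protection.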
Significant backup format changes will be needed if Apple seeks to update both iTunes and the newer version of iOS.
Apple has since acknowledged the issue and confirmed it is looking into it, reassuring its users that the problem doesn't affect iCloud backups. The company goes on to advise all users to make certain their computers are protected with strong passwords and that only authorized users are able to access the devices. Apple has also reminded users of the option of additional security through FileVault whole-disk encryption.
Real limitations in attacks
Like any cyberattack, this one has a very obvious limitation: the vulnerability lies specifically in password-protected local iOS 10 backups. This means a hacker would need access to the particular computer on which the iPhone files are actually stored, and would have to hope the user had activated the local backup option in the first place instead of simply using iCloud, as most users do by default. They can get access to the linked computer either through physical extraction of the data or by compromising the machine using other methods, including a remote hack.
However, there is still one trick up the hackers' sleeves which they can resort to if they have physical access to a laptop and a phone. It may even be possible to create a local backup despite the phone being locked. This is done by using a pairing record that is extracted from a trusted computer.
Anyone with that level of access may be able to extract and take with them anything they wish from a target's iPhone. Once the password is broken, all of the backup content, including the keychain, can be decrypted.
A backup is a nearly exact copy of the device, including the address book, call log, media files, messages and a whole range of other data. This includes saved passwords and authentication tokens, as well as mail and social network accounts.
Elcomsoft has joined the ranks of those who have so far found weaknesses in the latest iPhone version. Just recently a 19-year-old hacker by the name of Luca Todesco, known to his hacker colleagues under the pseudonym qwertyoruiop, became the first person to jailbreak the iPhone 7. Jailbreaks remove Apple's controls on what software can run on the iPhone, and require very low-level exploits of vulnerabilities in iOS. This young hacker has yet to reveal exactly how he carried out the iPhone jailbreak.
The question remains why Apple left such an obvious vulnerability intact, as if it was meant to be exploited in the first place. Of course, such a "mistake" would never be expected from the most powerful company on earth. This remains an unsolved mystery, and we can most definitely expect to hear more about this issue in the not so distant future.