iOS 10 password protection system can be hacked 40 times faster than iOS 9
Elcomsoft is a security software company that sells "Elcomsoft Phone Breaker", a tool that can recover various data from iPhones. Elcomsoft's investigation of iOS 10, which has just begun rolling out as an update, found that the password protection mechanism used for manual backups via iTunes has been changed in a way that makes it more vulnerable than before.
iOS 10: Security Weakness Discovered, Backup Passwords Much Easier to Break « Advanced Password Cracking - Insight
http://blog.elcomsoft.com/2016/09/ios-10-security-weakness-discovered-backup-passwords-much-easier-to-break/
iPhone Hackers Say Apple Weakened Backup Security With iOS 10
http://www.forbes.com/sites/thomasbrewster/2016/09/23/apple-iphone-7-ios-10-vulnerabilities-in-passwords-jailbreaks/
When passwords stored on the iPhone are backed up to a PC, Apple uses an algorithm that hashes the plaintext password and stores the result. From iOS 4 to iOS 9, a password protection algorithm called "PBKDF2" was used. Because PBKDF2 applies a hash function to the password thousands to ten thousand times, an attacker mounting a brute-force attack has to repeat the same number of hash operations for every guess until the correct answer is found, so it is considered relatively robust.
From iOS 10, an algorithm called "SHA-256" is used, and the password is hashed only once. An attacker therefore needs only a single hash operation per guess, and cracking is said to take very little time.
In response to this change, CPU acceleration is supported from "version 6.10" of Elcomsoft Phone Breaker, which can recover various data from iPhones. Although the faster GPU acceleration has not yet been implemented, breaking iOS 10 on the CPU is reportedly 40 times faster than breaking the previous version, iOS 9, with GPU acceleration. On the same CPU (Intel i5), 2,400 passwords per second can be tried against iOS 9, while 6 million passwords per second can be tried against iOS 10, which is 2,500 times faster.
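The cost difference described above can be measured directly. The following is an added example, not code from Elcomsoft or Apple: it times one iterated PBKDF2 check against one single-pass SHA-256 check, then converts the two rates quoted in the article into worst-case search times. The PBKDF2 hash function, round count, salt and the 36-symbol alphabet are assumptions chosen for illustration.

```python
import hashlib
import time

# Assumed parameters: the article only says PBKDF2 runs "thousands to ten
# thousand" rounds; HMAC-SHA1, 10,000 rounds and this salt are illustrative.
PBKDF2_ROUNDS = 10_000
SALT = bytes(range(16))  # constructed sample salt


def iterated_verifier(password: str, salt: bytes = SALT) -> bytes:
    """iOS 4-9 style: every check costs PBKDF2_ROUNDS HMAC computations."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, PBKDF2_ROUNDS)


def single_hash_verifier(password: str, salt: bytes = SALT) -> bytes:
    """iOS 10 style as described in the article: one SHA-256 pass per check."""
    return hashlib.sha256(salt + password.encode()).digest()


def seconds_per_check(verifier, samples: int) -> float:
    """Average wall-clock cost of one password check on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        verifier(f"candidate-{i}")
    return (time.perf_counter() - start) / samples


def measured_slowdown() -> float:
    """How many single-hash checks fit in the time of one iterated check."""
    slow = seconds_per_check(iterated_verifier, 20)
    fast = seconds_per_check(single_hash_verifier, 20_000)
    return slow / fast


def exhaust_days(alphabet: int, length: int, checks_per_second: float) -> float:
    """Worst-case days to cover every password of exactly `length` symbols."""
    return alphabet ** length / checks_per_second / 86_400


if __name__ == "__main__":
    print(f"one PBKDF2 check costs ~{measured_slowdown():,.0f} SHA-256 checks here")
    # Rates quoted in the article for the same Intel i5 CPU.
    for label, rate in (("iOS 9", 2_400), ("iOS 10", 6_000_000)):
        for length in (6, 8):  # lowercase letters + digits = 36 symbols
            days = exhaust_days(36, length, rate)
            print(f"{label}: {length} chars -> {days:,.2f} days worst case")
```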
Security expert Per Thorsheim told Forbes, "Apple's new algorithm is not a good choice." According to Mr. Thorsheim, the strange thing about this change is that the old algorithm is still left intact. When a password is hashed with two algorithms, it is obvious that hackers will choose the one that requires less effort, and he said, "Apple may be able to win the year's stupid prize."
An Apple spokesperson said, "It does not affect iCloud backups," and Apple is already investigating this issue and is planning to respond with security updates.