iOS 10 security flaw allows hackers to crack passwords 2,500 times faster, Russian firm Elcomsoft says

A "severe" security flaw has been uncovered in Apple's newly-released iOS 10, which according to security researchers, can allow hackers to crack the passwords for backups stored on a Mac or PC 2,500 faster than before.

A latest report says as compared to iOS 9 or previous iPhone OS (operating system) versions' protection technique the backup data mechanism in iOS 10 is vulnerable to password-cracking tools commonly used by hackers.

Russia-headquartered Elcomsoft researcher Oleg Afonin said in a company blog, "This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the 'new' password verification method exists in parallel with the 'old' method, which continues to work with the same slow speeds as before. The new security check is approximately 2,500 times weaker compared to the old one that was used in iOS 9 backups."

Elcomsoft researchers discovered that when iOS 10 backups that are saved to a PC or Mac via iTunes, password-cracking tools can be used to conduct brute-force attacks at the alarming rate of 6,000,000 per second. Additionally, the researchers said that if hackers are successful in cracking the password, they would then be able to "decrypt the entire content of the backup including the keychain".

Apple working on security update to fix the issue

"We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update," an Apple spokesperson said in a statement. "This does not affect iCloud backups. We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption."

Elcomsoft CEO Vladimir Katalov told Motherboard that they had not alerted Apple about the vulnerability prior to publishing it. However, he claimed that the firm has responded to a request from Apple's security team, which asked for further information about the vulnerability. "Apple is definitely aware they have implemented [the flaw] themselves :)," Katalov said.

Are there other vulnerabilities for iOS 10?

According to security experts, contrary to popular belief, iOS, like other mobile OS is not immune to threats from malware. Check Point mobile security researcher Daniel Padon told IB Times UK, "Unlike the common belief, iOS is far from being immune to malware, and they manage to find their way into iPhones worldwide. For example, in the first half of 2016, two iOS malware even made it to the top 10 most common mobile malware worldwide. The malware, XcodeGhost and AceDeceiver infected thousands of iOS devices."

Security researcher Will Strafach told IBTimes UK, that in the case of the above mentioned malware, "iOS10 cannot really prevent this type of malware. Both instances are related to apps being submitted to the App Store and approved by Apple. Because Apple has such a fast review period, they seem to often miss apps that use private APIs and accept them into the App Store."

He added that Apple has since modified its OS to restrict private APIs, which he said "is a pretty smart move as it allows for fast approvals and can kill the effectiveness of a certain type of private API abuse at a system level instead of trying to go app by app, but on the other hand, it means that you may need to wait some time for a fix to ship."

However, he added, that there are ways to circumvent Apple's restriction. Strafach said, "For example, Apple has tried to ensure that apps cannot check what other apps are installed on a device, but there is a private API called LSApplicationWorkspace which presently still works to allow access to this information even in iOS 10 (and gives a nice amount of information about each app as well). This is abused by some apps which are live in the store now, and it is very difficult to 'restrict' this API on Apple's side as it would actually cause unrelated issues related to legitimate use cases for the MCS framework that the private API is found within.

"Situations like this are difficult cases, and surely will give opportunists some time to abuse what they can while it is available, but Apple's long term strategy for handling this type of thing will eventually make it very difficult to do anything nefarious regardless of what you can sneak into the store."

iOS 10 security flaw may not be fixed with just a regular update

Although Apple may be eager to fix the vulnerability, given the complex and varied software systems involved, it may take more than just a regular security update to comprehensively address the issue. It is still unclear as to how long it may take the tech giant to come up with a patch which will fix the vulnerabilities.

"The fix itself is probably not so easy, because that hash might be used for some other purposes we are not aware of," Katalov added. "So I guess that not just iOS update is needed, but also iTunes update as well, and probably some changes to the backup format."