Apple Deliberately Weakens iOS 10 Password Encryption

The huge encryption battle between FBI and Apple gained momentum last year. Apple, suddenly had an inspiration to work harder toward their new unhackable future iPhones. This is allegedly done by implementing a much stronger security measure where the Apple company themselves, is unable to hack the technology – even if the company wanted or needed to.

The corporate giant even went to the extremes of hiring a key developer of Signal, one of the top 10 most secured current encrypted messaging applications. However, in recent months, Apple appears to have taken a step backwards instead of moving forward, deliberately weakening their own backup encryption in their iOS 10 release.

With their latest update for their mobile devices, the iPhone’s operating system is lacking in the respective user’s security, as well as privacy.

How is this possible? Simple. Apple has traded their hashing algorithm for the iOS 10 release from PBKDF2 SHA-1 with 10,000 iterations, and instead, is now utilizing the very plain, and extremely vulnerable, SHA256 with a single iteration, thus potentially allowing several hackers and attackers alike, to perform brute-force attacks to bypass the password(s), with nothing more than a simple standard desktop.

For those who are a little lost with security encryption, the PBKDF2 stands for Password-Based Key Derivation Function. This is a special key in which starches the algorithm by utilizing a SHA-1 – which consists of thousands of different password iterations – thus, making it just that much more difficult in cracking secured passwords.

The security encryptions bestowed in iOS 9, and previous builds dating back to the iOS 4, utilize the PBKDF2 function in order to securely generate the final crypto key using a type of PRF (Pseudorandom Function) of 10,000 times (the password iterations). This will dramatically increase the standard authentication process time, and ultimately makes the dictionary, or brute-force attacks a lot less effective.

However, with the increase of security measures, the brute-force attacks are also now 2,500 times much faster than our traditional values of the iOS previews.

In Moscow, Russia, lies a firm known as ElcomSoft. This company discovered the Apple weakness, which is centered around a local password-protected iTunes backup service that connects to iCloud. Apple was informed of this weakness, and how, in fact they are  betraying their customers by deliberately downgrading their 6 year old encryption to the SHA256, and only utilizing just 1 (one) iteration.

With that being said, a hacker will only be required to attempt a single password, in order to properly find a specific match to allow the hacker to log into their target’s account, taking this entire process substantially less time than what is needed.

Oleg Afonin, an ElcomSoft employee, wrote in an article that is hosted on the companies Blog, saying:

“We discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.”

Yes, your eyes read that correctly. With the new updated iOS 10, it appears possible to brute-force your way past the respective user’s password in order to gain access to that user’s local backup – 2,500 times faster than previously. This was tested out using an Intel Core i5 CPU, capable of handling 6 million passwords per second.

Saying all this, there is a major, yet obvious, limitation to this type of attack on the iOS 10 upgrade – the fact that the attacker must be local.

Since the exploit of Apple’s weakness to being more specific to password-protection of local backups, and only being on the upgraded iOS 10, our typical hacker would only require direct access to your device’s local backup. This is also the same spot in which your favorite iPhones files are stored, as well.

This firm, popularly known all over Russian territory, is much like the market leader Cellebrite. They make their finances by providing the public with kits that are able to hack into iPhone, only for the sole purpose of being able to root a targeted device.

The kit from Elcomsoft is reported to have been in direct use with the attack the Fappening, otherwise popularly known as “Celebgate” hack. This hack is where hacktivists would expose several nude pictures of famous celebrities back in 2014.  This was done by accessing the Apple iCloud, as well as Gmail accounts of more than 300 victims.

Sources: IBTimes, CNBC, The Intercept, Security Stack Exchange, ElcomSoft, iCloud, Blog.ElcomSoft, Cellebrite, MyFappening.Org, The Hacker News.

This article (Apple Deliberately Weakens iOS 10 Password Encryption) is a free and open source. You have permission to republish this article under a Creative Commons license with attribution to the author and AnonHQ.