Apple to crunch iOS 10 local backup password brute force hole

Apple is brewing a fix to patch an iOS password flaw that allows credentials to be stolen from backups. Elcomsoft researcher Oleg Afonin says the flaws mean cracking efforts against iOS 10 backups are 2500 times faster compared to similar efforts against iOS 9. If successful, the attack will grant access to device keychains. …

  1. Your alien overlord - fear me

    Who is this Afonin bloke? iOS 10 is secure even after he himself found that the backups were easier to break into for finding passwords than in previous iOS releases. To me, that makes it insecure.

    1. Dave 126 Silver badge

      >Who is this Afonin bloke? iOS 10 is secure even after he himself found that the backups were easier to break into for finding passwords than in previous iOS releases. To me, that makes it [iOS 10] insecure.

      The attack wasn't against iOS - it was against the user's local (iTunes) backup.

      Apple smartphones are secure. iOS is also secure, and gets tougher with each subsequent generation. ...

      This leaves us to logical acquisition. Forcing an iPhone or iPad to produce an offline backup and analyzing resulting data is one of the very few acquisition options available for devices running iOS 10. Local backups are easy to produce if the iPhone is unlocked. However, you may be able to produce a local backup even if the phone is locked by using a pairing record extracted from a trusted computer.

      - http://blog.elcomsoft.com/2016/09/ios-10-security-weakness-discovered-backup-passwords-much-easier-to-break/

  2. MacroRodent
    Black Helicopters

    Weakening

    "Apple have moved from pbkdf2 (sha1) with 10,000 iterations to a plain sha256 hash with a single iteration only,"

    I wonder why. A friendly suggestion from FBI?

    1. monty75

      Re: Weakening

      Hopefully it's a cock-up rather than a conspiracy.

      1. Anonymous Coward

        Re: Weakening

        Probably they had on their list of things to do "replace outdated SHA1 algorithm" for backups and it was poorly implemented. Hopefully a bug and not someone who didn't realize a single iteration is not nearly good enough.

        Moving to SHA256, if it was as overall complex as the old SHA1 implementation, it should be quite a bit slower to crack than the iOS 9 backups were....once they fix it!

    2. The Man Who Fell To Earth Silver badge
      WTF?

      Re: Weakening

      10,000 -> 1. Very odd indeed. Very odd.

    3. Crazy Operations Guy

      Re: Weakening

      Not weakening. SHA-256 is far more resistant to collisions than even thousands of rounds of SHA-1. Each round of SHA-1 after the first only adds the tiniest amount of additional security (Hence 10,000 iterations). SHA-256, on the other hand, performs 64 iterations by default and is 96-bits longer. No matter how many iterations you are doing of SHA-1, it'll still produce hash collisions at a significantly higher rate than a single round of SHA-256.

      SHA-1 has also been proven to be mathematically broken in that a collision can be generated in under 2^56 rounds. Pretty much every security organization has declared that SHA-1 is obsolete and should no longer be used. A lot of Certificate Authorities have dropped it as a valid signature algorithm since ~2011. (See https://www.schneier.com/blog/archives/2015/10/sha-1_freestart.html)

      By the way, the SHA series of algorithms were created and designed by the NSA, so I don't think They would mind either way.

      1. Adam 1

        Re: Weakening

        Collisions are only one part of the overall threat model. An important part, but in this case an irrelevant part because the attack described didn't rely on any collision.

        Password attacks (brute force and dictionary) defences rely on making it computationally infeasible to your adversary. That doesn't mean impossible, only that the compute resources required would be better employed (from the adversaries perspective) on other goals.

        The main goal of running so many iterations is simply to make each guess more costly whilst still leaving it practical for a modest machine to derive the encryption key from the correct password. The change made here means that each guess is a much lower investment in compute than before. Although sha256 is more expensive than sha1 for a single iteration, it isn't 4 orders of magnitude more expensive (which is what would be needed to maintain the same resilience to brute force or dictionary based attacks).

        My guess at what was wrong? The iterations argument/property value wasn't set so it picked the default value.
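The per-guess cost argument in the comment above, as an added Python example (not part of any comment in the thread and not Apple's code). The salt value, the salt-then-password ordering and the `derive_key` wrapper are assumptions made for illustration; only the algorithm names and the 10,000 figure come from the thread.

```python
import hashlib
import time

SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample salt
OLD_ITERATIONS = 10_000   # PBKDF2-SHA1 count quoted in the thread
MIN_ITERATIONS = 10_000   # assumed policy floor for this example

def old_scheme(password: bytes, salt: bytes = SALT) -> bytes:
    """PBKDF2-HMAC-SHA1 with 10,000 iterations, as quoted in the thread."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, OLD_ITERATIONS, dklen=32)

def new_scheme(password: bytes, salt: bytes = SALT) -> bytes:
    """One SHA-256 pass; salt-then-password ordering is an assumption."""
    return hashlib.sha256(salt + password).digest()

def seconds_per_guess(scheme, guesses: int) -> float:
    """Average wall-clock cost of checking one candidate password."""
    start = time.perf_counter()
    for i in range(guesses):
        scheme(b"candidate-%d" % i)
    return (time.perf_counter() - start) / guesses

def cost_ratio() -> float:
    """How many single-pass guesses fit in the time of one iterated guess."""
    return seconds_per_guess(old_scheme, 20) / seconds_per_guess(new_scheme, 20_000)

def calibrate_iterations(budget_s: float, probe: int = 20_000) -> int:
    """Iteration count for PBKDF2-HMAC-SHA256 costing about budget_s on this machine."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", SALT, probe)
    elapsed = time.perf_counter() - start
    return max(MIN_ITERATIONS, int(probe * budget_s / elapsed))

def derive_key(password: bytes, salt: bytes, iterations=None) -> bytes:
    """Hypothetical wrapper: no silent default, and a floor on the work factor."""
    if iterations is None or iterations < MIN_ITERATIONS:
        raise ValueError("iterations must be set explicitly and >= %d" % MIN_ITERATIONS)
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)

if __name__ == "__main__":
    print("one PBKDF2 guess costs about %.0f single-hash guesses" % cost_ratio())
    print("iterations for a 100 ms unlock:", calibrate_iterations(0.1))
```

The measured ratio depends on the machine and on Python call overhead, so it will not match the 2500 times figure quoted in the article, which refers to dedicated cracking tools.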

  3. JeffyPoooh
    Pint

    Apple hubris "...one of the last avenues available to attackers..."

    Apple "...one of the last avenues available to attackers..."

    LOL.

    This conclusion can only ever be inferred, and doing so requires about a decade of no further reports combined with a great deal of faith.

  4. Adam 1

    > "Apple have moved from pbkdf2 (sha1) with 10,000 iterations to a plain sha256 hash with a single iteration only," Thorsheim says.

    They're hashing it wrong!

  5. Anonymous Coward

    Afonin says Apple devices are highly secure

    Really? I think the BBC report today suggests otherwise. "Meeting Israel's master phone crackers"

    They can crack iPhone7, and REALLY old Android phones basically. Interesting the phone they used for their demo suggests Google have made massive advances in the last couple of years, and Apple have been plastering over the cracks.

    1. The Man Who Fell To Earth Silver badge
      Go

      Re: Afonin says Apple devices are highly secure

      Here's the link: http://www.bbc.com/news/technology-37441109

      FTFY

    2. cambsukguy

      Re: Afonin says Apple devices are highly secure

      I too noted the ancient phone used and then the words used, we can crack iPhone 7 and Android Nougat.

      Hmm, perhaps it takes longer and is harder because obviously they would have used an S7 or i7 to demonstrate, it would have looked much cooler and garnered them far more attention.

      I would still like it if they tried Win10 and/or WP10, not least because showing that they too can be cracked would either cause MS to try to fix it or at least find another way to help out Law enforcement.

      1. Anonymous Coward

        Re: Afonin says Apple devices are highly secure

        It didn't mention Android N (Nougat) at all, just Ancient Android 4.2 and iphone7.... Go figure...

        1. Anonymous Coward

          They didn't say they could get everything from an iPhone 7

          They said "We can definitely extract data from an iPhone 7 as well - the question is what data." If they could get everything off it, they'd have said that.

          Or are the Apple haters here going to assume that because they didn't use a newer Android for their demonstration that means they couldn't crack it, but because they mentioned they could get "data" off an iPhone 7, that they can get everything?

          Obviously these guys are going to try to present themselves in the best light possible - the article provided free advertising for their services for all the police forces in the UK. So use an old phone that can be cracked instantly for a demonstration, and let people make their own assumptions about how much they can actually get off an iPhone 7 or latest Android.

  6. Crazy Operations Guy
    Boffin

    Using old phones

    I'm assuming the phones they used were new when they started their research. Research like this can take a substantial amount of time to perform and you aren't going to want to change variables right in the middle and invalidate any previous data.

    1. Planty Bronze badge

      Re: Using old phones

      Changing variables like OS updates you mean? The Samsung Galaxy S5 (used in the demo) was cracked using Android 4.2, the latest version of Android for the S5 is Android 6.01 with March 2016 security update.

      This whole story is bogus, much like most security researchers' "research", they intentionally mislead with select devices and select (and pretty much universally out of date) software versions.

      Why is nobody calling these "experts" out on this? If I were to do a security article on Windows ME edition, it would be laughed off, how is this any more credible?
