iOS 10 now uses a new verification method for its iTunes backup passwords which, according to Elcomsoft, allows someone to develop an attack that bypasses certain security checks for local iTunes backups created from iOS 10 devices.
Elcomsoft claim that this weakness is so dangerous that “early CPU-only implementation of this attack gives a 40-times performance boost compared to a fully optimized GPU-assisted attack on iOS 9 backups.” This essentially means that the attack needs far fewer resources and runs on the CPU alone, instead of also drawing on the processing power of the GPU, which is known as GPU acceleration.
This new verification mechanism allows the right piece of software to try passwords 2500x faster than was possible with iOS 9. This would greatly reduce the amount of time a person needs to gain unwanted access to all your personal data.
So what’s the danger of this?
It’s more severe than you might think. Apple love to brag about their iCloud keychain being secure, saying even they can’t access it, which is true. Within iCloud, your data is as safe as can be. However, when you create an offline backup and store it on your PC, the keychain holding all your website passwords, credit cards and anything else is stored there as well.
All that is needed to gain access to all this important data is the one password for the iTunes backup. The figures below show that your data really wouldn’t be very safe at all!
- iOS 9 (CPU): 2,400 passwords per second (Intel i5)
- iOS 9 (GPU): 150,000 passwords per second (NVIDIA GTX 1080)
- iOS 10 (CPU): 6,000,000 passwords per second (Intel i5)
This tool is available right now to anyone, so my advice is to keep all your data in iCloud! Despite what the news may say, at the moment it’s probably the safest place for it.
If it’s any reassurance, Apple are aware of this and are currently working on a patch, with their main advice being to make sure that your computer itself, whether it be Windows or Mac, has a strong password.