iOS 10 security glitch makes it easier for hackers to steal your data

An algorithm in the software makes it 2,500 times easier for hackers to access passwords and sensitive information compared to iOS 9
Apple's iPhone 7 and 7 Plus smartphones were made available to customers with iOS 10 pre-installed. Photo: Leszek Kobusinski/iStock

A significant security glitch in Apple’s latest operating system, iOS 10, makes it 2,500 times easier for hackers to access sensitive data, according to a Russian digital security company.

iOS 10 was released on September 13, but has already been hit with security issues. The software includes a new way to encrypt iPhone backups through iTunes, which gives hackers a greater chance of obtaining a user’s passwords than previous versions of iOS, according to Elcomsoft.

Elcomsoft, based in Moscow, has said that the issue is caused by Apple’s decision to change the way it encrypts backups. The flaw relates only to manual iPhone and iPad backups that take place through iTunes, and not to Apple’s iCloud.

Hackers can use a brute force attack, automatically trying different password combinations, to crack the passwords iPhone users have in place for their iOS 10 backups. Through this, the criminals can infiltrate credit card data and Apple’s Keychain password manager, a digital vault that stores user passwords and other authentication data.

If a hacker used password-cracking software such as Elcomsoft’s Phone Breaker, they could try six million passwords per second against an iOS 10 backup in order to access the data. By comparison, in iOS 9 the rate was capped at 150,000 passwords a second, meaning iOS 10 makes it 2,500 times easier for hackers to successfully recover a password.

This is the result of a new algorithm called PBKDF2sha256 in iOS 10. The new algorithm skips certain security checks, allowing hackers to try passwords faster than against iOS 9, which used an updated algorithm called sha1, according to Per Thorsheim, a security adviser at the firm God Praksis.

As the PBKDF2sha256 algorithm is older, it allows password-cracking software to attack it faster.
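The practical point behind the numbers above is that a backup password is only as strong as the cost of checking one guess with the key-derivation function, multiplied by the size of the password space. The following script is an added example, not code from the article or from Elcomsoft or Apple. It assumes (the article does not state this) that iOS 9 backups derived their keys with PBKDF2-HMAC-SHA1 at 10,000 iterations and that iOS 10.0 used PBKDF2-HMAC-SHA256 at a single iteration; it measures the per-guess cost of each setting on the local machine with Python's standard `hashlib.pbkdf2_hmac`, then uses the guess rates quoted in the article to estimate how long a given password space lasts and how long a backup password needs to be to hold up at the faster rate. All inputs are constructed; no backup file is read.

```python
"""Added example: the KDF's per-guess cost, not the hash name, sets the guess rate.

Assumed parameters (not stated in the article): iOS 9 iTunes backups used
PBKDF2-HMAC-SHA1 with 10,000 iterations; the iOS 10.0 format used
PBKDF2-HMAC-SHA256 with a single iteration. Runs offline on constructed inputs.
"""
import hashlib
import math
import time

# Constructed sample inputs (not taken from any real backup).
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
KEY_LEN = 32

# Assumed key-derivation settings per iOS version (see module docstring).
ASSUMED_KDF_SETTINGS = {
    "iOS 9 (assumed)": ("sha1", 10_000),
    "iOS 10.0 (assumed)": ("sha256", 1),
}

# Guess rates quoted in the article (Elcomsoft's figures), in passwords per second.
ARTICLE_RATES = {"iOS 9": 150_000, "iOS 10": 6_000_000}

SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(password: bytes, salt: bytes, hash_name: str, iterations: int,
               key_len: int = KEY_LEN) -> bytes:
    """Standard PBKDF2-HMAC derivation of a key from a password and salt."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, key_len)


def seconds_per_guess(hash_name: str, iterations: int, samples: int = 20) -> float:
    """Measure the cost of one password guess with the given KDF settings on this machine.

    This is the defender's check: the cost of a single derivation bounds how many
    guesses per second an attacker can make on comparable hardware.
    """
    start = time.perf_counter()
    for _ in range(samples):
        derive_key(SAMPLE_PASSWORD, SAMPLE_SALT, hash_name, iterations)
    return (time.perf_counter() - start) / samples


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the given alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in the space at the given guess rate."""
    return space / guesses_per_second


def password_length_for_budget(alphabet_size: int, guesses_per_second: float,
                               years: float) -> int:
    """Smallest password length whose full keyspace takes at least `years` to exhaust.

    Useful for setting a backup-password policy that still holds at the faster rate.
    """
    budget = guesses_per_second * years * SECONDS_PER_YEAR
    return math.ceil(math.log(budget, alphabet_size))


if __name__ == "__main__":
    for label, (hash_name, iterations) in ASSUMED_KDF_SETTINGS.items():
        cost = seconds_per_guess(hash_name, iterations)
        print(f"{label}: {hash_name} x{iterations}: {cost * 1e6:.1f} us/guess, "
              f"~{1 / cost:,.0f} guesses/s on one core")
    for label, rate in ARTICLE_RATES.items():
        days = seconds_to_exhaust(keyspace(36, 8), rate) / 86400
        print(f"{label} at {rate:,} guesses/s: 8-char [a-z0-9] space exhausted in {days:.1f} days")
        print(f"  length needed for a 100-year budget: "
              f"{password_length_for_budget(36, rate, 100)} chars")
```

Running the script on any machine shows the single-iteration SHA-256 derivation costing orders of magnitude less per guess than 10,000 iterations of SHA-1, which is the whole reason a faster guess rate is possible; SHA-256 itself is not weaker than SHA-1. The `password_length_for_budget` figure is the defender's takeaway: pick a backup password long enough that the space cannot be exhausted at the faster rate, rather than relying on the KDF's cost.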

According to Elcomsoft: “If you are able to break the password, you’ll be able to decrypt the entire content[s] of the backup including the keychain.”

Apple told Fortune magazine that it is aware of the problem and is planning to fix it.

“We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups,” said the spokesperson.

“We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorised users. Additional security is also available with FileVault whole disk encryption.”

This article has been updated to reflect that it is the PBKDF2sha256 algorithm that is used in iOS 10, whereas the sha1 algorithm was used in iOS 9.

This article was originally published by WIRED UK