Obviously no true Apple fanboy would rely on their password now that the fruity tax dodger has given them fingerprint identification, but the feature allows brute-force attacks on data backed up to iTunes, including credentials stored in Keychain.
Apple claims that its iOS 10 is the “secure version of Apple's mobile OS”, which is not a particularly high bar, but this password blunder is a little serious.
Russian forensics outfit Elcomsoft said that iOS 10's password security checks for backups are now 2,500 times weaker against password crackers than those in previous versions of iOS.
A cracker who gets into the backup can recover credentials from Apple's Keychain password manager, where passwords and authentication tokens are stored for Safari, credit-card data, and third-party apps.
Elcomsoft's Oleg Afonin said that if the coppers wanted to gain access to data on one of these models where a passcode is not known, the best option available is to force a backup to a trusted instance of iTunes on the desktop.
"Forcing an iPhone or iPad to produce an offline backup and analyzing resulting data is one of the very few acquisition options available for devices running iOS 10. Local backups are easy to produce if the iPhone is unlocked. However, you may be able to produce a local backup even if the phone is locked by using a pairing record extracted from a trusted computer," Afonin wrote.
"If you are able to break the password, you'll be able to decrypt the entire content of the backup including the Keychain. At this time, logical acquisition remains the only acquisition option available for iPhone 5s, 6/6 Plus, 6s/6s Plus and 7/7 Plus running iOS 10 that offers access to device Keychain."
Another password expert, Per Thorsheim, wrote in his blog that the weakness was caused by Apple changing password-hashing algorithms from PBKDF2 with 10,000 iterations in iOS 9 to SHA256 with a single iteration in iOS 10. This change permits many more guesses at a password to be made per second than before.
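The work-factor gap Thorsheim describes can be measured directly. The following is an added example, not code from Apple, Elcomsoft or the article: it compares the cost of one password check under PBKDF2 with 10,000 iterations against a single SHA-256 pass, and writes PBKDF2 out by hand to show where the cost comes from. HMAC-SHA256 as the PRF, the salt-then-password layout and all function names are assumptions; the article does not describe the backup format, and the ratio printed depends on the machine and is not Elcomsoft's figure.

```python
import hashlib
import hmac
import os
import time

ITERATIONS_OLD = 10_000  # iteration count the article gives for iOS 9


def stretched(password: bytes, salt: bytes, iterations: int = ITERATIONS_OLD) -> bytes:
    """Password check value from PBKDF2 (PRF choice is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def unstretched(password: bytes, salt: bytes) -> bytes:
    """Single hash pass (salt||password layout is an assumption)."""
    return hashlib.sha256(salt + password).digest()


def pbkdf2_block_counted(password: bytes, salt: bytes, iterations: int):
    """First PBKDF2 output block computed by hand, counting PRF calls."""
    calls = 1
    u = hmac.new(password, salt + b"\x00\x00\x00\x01", hashlib.sha256).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        # Each round feeds the previous PRF output back in and XORs it
        # into the accumulator, so the rounds cannot be skipped.
        u = hmac.new(password, u, hashlib.sha256).digest()
        acc ^= int.from_bytes(u, "big")
        calls += 1
    return acc.to_bytes(32, "big"), calls


def seconds_per_call(fn, *args, repeat: int) -> float:
    start = time.perf_counter()
    for _ in range(repeat):
        fn(*args)
    return (time.perf_counter() - start) / repeat


def cost_ratio(password: bytes = b"constructed-sample-password") -> float:
    """How many unstretched checks fit in the time of one stretched check."""
    salt = os.urandom(16)  # constructed random salt
    slow = seconds_per_call(stretched, password, salt, repeat=20)
    fast = seconds_per_call(unstretched, password, salt, repeat=20_000)
    return slow / fast


if __name__ == "__main__":
    print(f"one stretched check costs ~{cost_ratio():,.0f}x one unstretched check")
```

Running the same measurement against your own KDF parameters shows how much per-guess cost the iteration count is actually buying.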
According to Afonin, the weaker algorithm has handed Elcomsoft's password-recovery product, Phone Breaker, a 40-times performance boost in its CPU-only implementation over a faster GPU cracker.
Afonin said the tool, combined with dictionary-based password guesses, would give about an 80 to 90 percent chance of successful recovery within two days.