We discovered a major security flaw in the iOS 10 backup protection mechanism. This security flaw allowed us developing a new attack that is able to bypass certain security checks when enumerating passwords protecting local (iTunes) backups made by iOS 10 devices.
The impact of this security weakness is severe. An early CPU-only implementation of this attack (available in Elcomsoft Phone Breaker 6.10) gives a 40-times performance boost compared to a fully optimized GPU-assisted attack on iOS 9 backups.
What’s It All About?
When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it, and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.
This new vector of attack is specific to password-protected local backups produced by iOS 10 devices. The attack itself is only available for iOS 10 backups. Interestingly, the ‘new’ password verification method exists in parallel with the ‘old’ method, which continues to work with the same slow speeds as before.
By exploiting the new password verification mechanism, we were able to support it in our latest update, Elcomsoft Phone Breaker 6.10. Since this is all too new, there is no GPU acceleration support for the new attack. However, even without GPU acceleration the new method works 40 times faster compared to the old method *with* GPU acceleration. (more…)