Traditionally, every new version of Apple’s iOS has been more secure than the last, with the company’s focus on privacy and security having become a matter of public relations after its recent spat with the FBI. With iOS 10, however, security researchers and professional iPhone hackers are claiming the company actually took a big step backwards.
The issue, which Apple has now acknowledged, relates to the way the company’s software hashes your phone’s backup password. Security researchers have explained that the company appears to have added an extra password hashing mechanism to iOS, one which uses a much weaker standard than the previous system. What is peculiar is that the previous system is still in place as well, so an attacker effectively has a choice between trying to crack a strongly hashed password or a barely hashed one.
To be a bit more specific about the technicalities, the issue stems from Apple implementing a secondary hashing mechanism that relies on the SHA-256 algorithm and goes through only one iteration. The original implementation, in place since iOS 4, used PBKDF2 with 10,000 iterations. Researchers claim the new hashing method is so weak that even a regular desktop computer can break the hash in a matter of hours.
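The difference between the two schemes is purely a matter of work factor: every candidate password costs the verifier (and therefore anyone guessing) 10,000 PRF invocations under PBKDF2, but a single hash under the added scheme. The following Python, an added example rather than Apple’s code or anything recovered from iOS, shows both derivations side by side and measures the per-guess cost of each. The use of HMAC-SHA256 as the PBKDF2 PRF, the 32-byte output length, the salt layout, and the sample password and salt are all assumptions constructed for the demonstration; the article only names the algorithms and the iteration counts.

```python
import hashlib
import hmac
import os
import time

# Work factors as the article describes them: PBKDF2 at 10,000 iterations for the
# original iOS 4+ scheme, a single SHA-256 pass for the scheme added in iOS 10.
PBKDF2_ITERATIONS = 10_000
SHA256_ITERATIONS = 1


def derive_pbkdf2(password: str, salt: bytes) -> bytes:
    """Key derivation with PBKDF2 (the original scheme).

    HMAC-SHA256 as the PRF and a 32-byte output are assumptions for this demo;
    the article names only PBKDF2 and the iteration count.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def derive_single_sha256(password: str, salt: bytes) -> bytes:
    """One SHA-256 pass over salt || password (the weak added scheme).

    Prepending a salt is an assumption; the article does not describe the input.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def verify(stored: bytes, candidate: str, salt: bytes, derive) -> bool:
    """Constant-time comparison of a candidate password against a stored verifier."""
    return hmac.compare_digest(stored, derive(candidate, salt))


def work_factor_ratio() -> int:
    """How many more PRF calls one guess costs under PBKDF2 than under single SHA-256."""
    return PBKDF2_ITERATIONS // SHA256_ITERATIONS


def time_guesses(derive, salt: bytes, n: int = 200) -> float:
    """Seconds needed to evaluate n constructed candidate passwords with a scheme.

    This is the defender's cost model: the slower a single evaluation is, the more
    a stolen verifier resists offline guessing.
    """
    start = time.perf_counter()
    for i in range(n):
        derive(f"candidate-{i}", salt)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = os.urandom(16)                      # constructed salt for the demonstration
    password = "correct horse battery staple"  # constructed sample password
    strong = derive_pbkdf2(password, salt)
    weak = derive_single_sha256(password, salt)
    assert verify(strong, password, salt, derive_pbkdf2)
    assert verify(weak, password, salt, derive_single_sha256)
    print(f"PBKDF2 work factor relative to single SHA-256: {work_factor_ratio()}x")
    print(f"200 guesses, PBKDF2 (10,000 iterations): {time_guesses(derive_pbkdf2, salt):.4f}s")
    print(f"200 guesses, single SHA-256:             {time_guesses(derive_single_sha256, salt):.6f}s")
```

Running it shows the PBKDF2 loop taking roughly four orders of magnitude longer than the single-hash loop for the same number of candidates, which is exactly the margin the added scheme gives away: a stored verifier that is 10,000 times cheaper to test means the same hardware covers 10,000 times as many guesses in the same time.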
The good news is that this vulnerability does not apply to iCloud and only affects locally stored backups. As such, an attacker would need access to the PC or Mac on which the user backed up the iPhone.
For its part, Apple has acknowledged the issue and has announced it will issue a fix in an upcoming patch. The company said:
We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups. We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.
As usual, we recommend following safe practices: rely on strong passwords and do not give anyone access to your devices unless you trust them. Updating to the latest version of iOS is also recommended, though you may want to wait until after Apple releases the security patch.