In late September, when Apple released iOS 10, it also took a dramatic step back in at least one aspect of iPhone and iPad security. Russian firm Elcomsoft discovered that local password-protected iTunes backups made of iPhones and iPads running iOS 10 were an astonishing 2500 times faster to crack than iOS 9.
What does 2500 times faster mean? It means the difference between taking a year to brute-force your backup's password... and taking three hours. Of course it's important to stress that these were local backups of your iOS device, which meant that any malicious attacker wanting to exploit the weaker security would be forced to target your computer storing the backup, rather than attempting to remotely access your smartphone. Nonetheless, the rise of sophisticated attacks and state-sponsored digital espionage means that any step backwards by Apple in terms of security was likely to be viewed negatively. So it was comforting to see Apple address the issue in iOS 10.1, and even better to hear from DigiDNA, the team behind the iMazing iOS backup tool, that iOS 10.2 (which is currently in beta) will make password cracking of iTunes backups 1000 times slower still:
Now in the first iOS 10.2 beta, things changed yet again, and Apple packed a little surprise for would-be attackers: not only is the entire backup database now encrypted, but validating a user password is now much more demanding in terms of processing power, requiring many more iterations to generate the derived key. Our user's password is safer than ever, taking the better part of a 1,000 years for our hypothetical hacker to crack.
We shouldn't be in any doubt - this is an arm's race. Apple is constantly looking to harden their technology's security and privacy, and fraudsters and data thieves are continually hunting for new methods to steal information. With the upcoming iOS 10.2 it sounds as if Apple has upped the ante again, at least in terms of local iTunes backups. We should all be grateful that the slip it made when upgrading users to iOS 10 was a temporary one, and that privacy is continuing to be treated as a priority for the firm. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc