Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Status
Not open for further replies.

X--X

Suspended
Original poster
Jun 11, 2015
367
1,213
Thank you Apple for deliberately making users vulnerable.

Developers at Elcomsoft—a Russian company that builds tools to help police access people's devices—uncovered changes to the way Apple protects backup data stored on your computer through iTunes.

iOS 9 let hackers test as few as 2,400 passwords per second and upwards of 150,000 passwords per second, depending on the type of chip running the computer on which the backup was stored. That number jumps to 6,000,000 passwords for backups produced by iOS 10.

[...] approximately 2,500 times faster compared to the old mechanism used in iOS 9 and older.”

Source: http://www.dailydot.com/layer8/ios-10-backup-security-encryption/


Obviously NSA and FBI pressure, getting access to backups is exactly what they complained about.

.
 
Last edited:

Tubamajuba

macrumors 68020
Jun 8, 2011
2,186
2,444
here
This is certainly a newsworthy story, but there is absolutely zero evidence that this is "deliberate", especially if Apple "appears eager to fix it", as your source states.
 

X--X

Suspended
Original poster
Jun 11, 2015
367
1,213
This is certainly a newsworthy story, but there is absolutely zero evidence that this is "deliberate"

They change the whole mechanism for NO REASON at all, put in all that work, for NO REASON at all AND just by coincidence it turns out to be 2500 times easer to access.

Yeah right.
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,392
19,459
They change the whole mechanism for NO REASON at all, put in all that work, for NO REASON at all AND just by coincidence it turns out to be 2500 times easer to access.

Yeah right.
How do we know the "NO REASON at all" part?
 
  • Like
Reactions: chrfr

C5.4

macrumors member
Sep 22, 2016
41
27
You are jumping ahead here. It clearly says Apple is eager to fix the issue. Can't say it's deliberate if there is zero evidence to support. It would be one thing if this was a 9.x.x update but Apple completely rebuilt iOS 10 from the ground up. Security wise, many parts of the system have been left unencrypted for the first time ever. It is completely possible that Apple screwed up somewhere. And I do not disagree with the fact it is a security flaw that should be fixed asap.

And I am not trying to stick up for apple. I am just trying to think logically
 
  • Like
Reactions: simonsi

X--X

Suspended
Original poster
Jun 11, 2015
367
1,213
How do we know the "NO REASON at all" part?

Well "the reason" is clear. What I meant is there is no legitimate reason to all of a sudden change the backup mechanism after their FBI ordeal.

Apple is eager to fix the issue

What else are they gonna say in public?

"Oh that thing, yeah we did that on purpose...oh well you got us...darn it"
 

Tubamajuba

macrumors 68020
Jun 8, 2011
2,186
2,444
here
They change the whole mechanism for NO REASON at all, put in all that work, for NO REASON at all AND just by coincidence it turns out to be 2500 times easer to access.

Yeah right.
Are you well versed in programming? If so, can you explain to me how they changed this mechanism?
 

X--X

Suspended
Original poster
Jun 11, 2015
367
1,213
can you explain to me how they changed this mechanism?


That's what the researches say...
Forbes.com said:
As soon as iOS 10 was out, [Elcomsoft] started probing [iOS 10] security, and found Apple was using a weaker password protection mechanism for manual backups via iTunes than it had done previously.

[Elcomsoft] discovered an alternative password verification mechanism added to iOS 10 backups [which allows] to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older

[...] the more secure version [...] goes back to iOS 4.


And here is the exact technical explanation
Forbes.com said:
In iOS 9 and prior versions back to iOS 4, Apple used what’s known as a PBKDF2 algorithm and had the password run through it 10,000 times , so a hacker would have to run their plaintext guess through the algorithm 10,000 times too and repeat the process until a match was found. In the iOS 10 alternative version, a different algorithm known as SHA256 was used but with just one iteration. A hacker therefore only need try a single password once and repeat to find a match and crack the login, making the whole process considerably less time consuming.


The password encryption algorithm is THE ONLY THING Apple changed in iOS 10.
So the one thing they did is to make it weaker, nothing else was done.
 
Last edited:

Gathomblipoob

macrumors 603
Mar 18, 2009
5,859
6,211
You are jumping ahead here. It clearly says Apple is eager to fix the issue. Can't say it's deliberate if there is zero evidence to support. It would be one thing if this was a 9.x.x update but Apple completely rebuilt iOS 10 from the ground up. Security wise, many parts of the system have been left unencrypted for the first time ever. It is completely possible that Apple screwed up somewhere. And I do not disagree with the fact it is a security flaw that should be fixed asap.

And I am not trying to stick up for apple. I am just trying to think logically

Conspiracy theories are much more fun, though.
 

X--X

Suspended
Original poster
Jun 11, 2015
367
1,213
Interesting software that ElcomSoft has on their website

ElcomSoft.com said:
Elcomsoft Phone Breaker can extract FileVault 2 recovery keys from the user’s iCloud account, and use these keys to decrypt encrypted disk images. Valid authentication credentials (Apple ID/password or iCloud authentication token) as well as volume identification information extracted from the FileVault-encrypted disk image are required.

https://www.elcomsoft.com/eppb.html


Apple also removed Kernel encryption in iOS 10

https://www.macrumors.com/2016/06/22/apple-unencrypted-kernel-ios-10-intentional/
 
Last edited:

CTHarrryH

macrumors 68030
Jul 4, 2012
2,938
1,432
you do realize that someone has to steal your mac or windows machine also to implement this and it doesn't effect iCloud security.
 
  • Like
Reactions: stulaw11

simonsi

Contributor
Jan 3, 2014
4,851
735
Auckland
This barely qualifies as a security flaw as the device isnt being attacked (and this forum is testament to the huge numbers of users that dont take backups of any kind).

Security is an arms race so probably good reason to change the algorithm, the real test is whether, once the iterations is fixed, the new mechanism is stronger than the old.
 

X--X

Suspended
Original poster
Jun 11, 2015
367
1,213
the real test is whether [...] the new mechanism is stronger than the old.

It's not, that's the whole point.

PBKDF2 is an intentionally slow algorithm, meant to make brute force guessing of passwords difficult.

SHA256
is a very fast algorithm, meant to produce hashes for dictionaries and sets and whatnot - basically, it helps make all your programs run quickly.
 
Last edited:
Status
Not open for further replies.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.