
Apple iOS 10 Update Exposes Encryption Weakness

It seems as though Apple, in its attempt to create devices immune to security breaches, has done just the opposite with its latest operating system.  Hackers claim that iOS 10 has made users more vulnerable to attacks due to the implementation of a new hashing algorithm.  Read on to find out how this could affect iPhone users.

The problem: According to the Russian firm ElcomSoft, Apple has intentionally downgraded its password-hashing algorithm from PBKDF2 with SHA-1 to the six-year-old SHA256.  The former is an algorithm Apple has used since iOS 4; it runs every password guess through 10,000 iterations of hashing, and an attacker has to repeat that whole process for each guess until a match is identified.  The latter uses just one iteration, so an attacker hashes a candidate password once and moves on to the next until they find a match.  The huge difference in time per guess makes it significantly easier for hackers to crack passwords.  In fact, the new algorithm allows hackers to try passwords a staggering 2500 times faster than the system used in previous operating systems.
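To make the cost of iterations concrete, the following added example (not ElcomSoft's or Apple's code) writes out the PBKDF2 loop and measures how many password checks per second your own machine manages under each scheme, then converts that rate into worst-case search time for a few password sizes. The single salted SHA-256 pass, the sample salt and all function names are assumptions made for illustration; the article does not describe the exact iOS 10 construction.

```python
import hashlib
import hmac
import time

ITERATIONS = 10_000          # iteration count the article gives for the older scheme
SALT = bytes(range(16))      # constructed sample salt, not taken from any real backup

def pbkdf2_sha1_block(password: bytes, salt: bytes, iterations: int) -> bytes:
    """First 20-byte block of PBKDF2-HMAC-SHA1, written out to show the loop."""
    u = hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha1).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(iterations - 1):   # every extra round is extra work per guess
        u = hmac.new(password, u, hashlib.sha1).digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(20, "big")

def stretched(password: bytes, salt: bytes) -> bytes:
    """Same derivation via the standard library's optimized implementation."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS, 20)

def single_pass(password: bytes, salt: bytes) -> bytes:
    """ASSUMPTION: one salted SHA-256 pass stands in for the one-iteration check."""
    return hashlib.sha256(salt + password).digest()

def checks_per_second(check, budget: float = 0.2) -> float:
    """Measure how many password checks this machine completes per second."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget:
        check(b"candidate-%d" % n, SALT)
        n += 1
    return n / (time.perf_counter() - start)

def seconds_to_exhaust(alphabet: int, length: int, rate: float) -> float:
    """Worst-case time to cover every password of one length at a given rate."""
    return alphabet ** length / rate

if __name__ == "__main__":
    slow, fast = checks_per_second(stretched), checks_per_second(single_pass)
    print(f"stretched: {slow:,.0f}/s  single pass: {fast:,.0f}/s  ratio: {fast / slow:,.0f}x")
    for alphabet, length in ((26, 6), (62, 8), (94, 12)):
        print(f"{alphabet}^{length}: "
              f"{seconds_to_exhaust(alphabet, length, slow) / 86400:.3g} days stretched, "
              f"{seconds_to_exhaust(alphabet, length, fast) / 86400:.3g} days single pass")
```

The ratio printed on a CPU will not match ElcomSoft's figure, which comes from their own tooling, but the table shows why a long, mixed-character backup password is the only thing that compensates for a single-pass hash.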

What's even more perplexing is that the stronger scheme is still being used in tandem with the new one, so attackers can simply go after the weaker password hash.  Vladimir Katalov, CEO of ElcomSoft, claims that in order to resolve the issue, Apple has to release a very extensive update altering both iOS 10 and iTunes.


There is good news, however.  An Apple spokesperson stated that “we're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC.  We are addressing this issue in an upcoming security update. This does not affect iCloud backups.”  In the meantime, Apple recommends that users protect their computers and other devices with strong passwords and ensure that they can only be accessed by authorized personnel.  The company has not yet provided an arrival time for the update, so keep your ears to the ground!  Or the Internet... whichever you prefer.