Apple working to improve the security of the iTunes backups in iOS 10
The security weakness discovered in iOS 10 by Elcomsoft is connected with the new password verification method Apple has included in the new version of its operating system. It seems that the system skips some security checks and the result is that the iTunes backup is 2500 times more at risk of brute force attacks compared with iOS 9.
Elcomsoft has explored iOS 10’s new security check and the conclusion is that even without GPU acceleration the new mechanism for verification is amazingly fast because of these skipped steps. A test of GPU-only recovery in iOS 10 allows 6,000,000 passwords per second, compared with just 2,400 entries in iOS 10 using the same Intel i5 processor.
Apple is aware of this security issue and a fix will be coming soon. Fortunately, a low number of backups are prone to high risk. At this time only backups created using iTunes on PC and Mac are affected.
While the fix is coming soon via an update, you may protect the iTunes backups with stronger passwords.
You can read more about this issue in the Elcomsoft’s blog.