It turns out that the local encrypted backups on iOS 10, the ones created in iTunes, are not as secure as they should be. According to researchers at the Moscow-based software developer Elcomsoft, iOS 10 introduced a weaker password verification mechanism for these backups. The Russian firm was working on an iOS 10 update to its password-cracking PhoneBreaker software when it discovered that Apple added a new password check in iOS 10 that skips the deliberately slow key-derivation step used on iOS 9. That lets an attacker try passwords roughly 2,500 times faster than against an iOS 9 backup, which makes a dictionary or brute-force attack far more likely to succeed on iOS 10.
At risk is whatever the local backup holds: stored account passwords and data such as Health app records. Apple is aware of the situation and plans to ship a software update that strengthens the protection of iOS 10 backups.
Elcomsoft's PhoneBreaker can attempt 6 million passwords per second against an iOS 10 backup (CPU only), compared with the 2,400 passwords per second that the iOS 9 scheme limited it to. Keep in mind that none of this affects backups stored in iCloud.
As noted above, the weakness lies in how iOS 10 verifies the backup password, not in the encryption of the data itself. iOS 9 backups verified the password with PBKDF2, a key-derivation function that deliberately runs thousands of hash iterations per guess so that each attempt is expensive. iOS 10 added a second verification path that skips PBKDF2 and uses a single SHA-256 hash, so each guess costs one hash computation instead of thousands; that is where the 2,500x speedup comes from. According to Elcomsoft, the 10,000 most common passwords cover about 30% of accounts, which is why a dictionary attack with PhoneBreaker recovers a backup password in 80% to 90% of attempts when run for two days against the iOS 10 check. The only real defence on the user's side is a long, random backup password that no dictionary will contain.
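As an added illustration (not code from Elcomsoft or Apple), the following Python models the two verification styles the article contrasts: a PBKDF2 check standing in for iOS 9 and a single SHA-256 pass standing in for the iOS 10 shortcut. The salt, the exact derivation details (PBKDF2-HMAC-SHA1 with 10,000 iterations is an assumption about the iOS 9 format, not taken from this page), and the "top passwords" wordlist are all constructed for the demo, not the real backup format. The point is that the same dictionary finds the password at the same position in both cases; only the per-guess cost differs, and that cost is the entire difference in attack feasibility.

```python
import hashlib
import hmac
import time

# Constructed sample salt. In a real backup the salt would be read from the
# backup's metadata; this value is an assumption for the demo.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PBKDF2_ITERATIONS = 10_000  # assumed per-guess cost of the iOS 9-style check


def stretched_verifier(password: str, salt: bytes = SALT) -> bytes:
    """iOS 9-style check, modelled as PBKDF2-HMAC-SHA1 with 10,000 rounds (assumption)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def unstretched_verifier(password: str, salt: bytes = SALT) -> bytes:
    """iOS 10-style shortcut, modelled as one SHA-256 pass over salt || password."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def build_wordlist(target: str) -> list:
    """Constructed stand-in for a 'most common passwords' list: base words x suffixes.
    The target is placed last so the attack has to walk the whole list."""
    bases = ["password", "qwerty", "iloveyou", "monkey", "dragon", "football",
             "letmein", "welcome", "sunshine", "princess"]
    suffixes = ["", "1", "12", "123", "2016", "!", "01", "7", "99", "1234",
                "00", "11", "22", "69", "88", "2015", "2014", "0", "9", "8",
                "5", "4", "3", "2", "6", "10", "13", "21", "77", "66"]
    words = [b + s for b in bases for s in suffixes if b + s != target]
    return words + [target]


def brute_force(stored: bytes, verify, wordlist):
    """Offline dictionary attack: derive each candidate and compare it to the stored
    verifier. Returns (password_or_None, guesses_tried, seconds_elapsed)."""
    start = time.perf_counter()
    for tried, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(verify(candidate), stored):
            return candidate, tried, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def compare_attacks(target: str = "sunshine1") -> dict:
    """Run the same wordlist against both verifiers and report guesses per second."""
    wordlist = build_wordlist(target)
    results = {}
    for name, verify in (("ios9_pbkdf2", stretched_verifier),
                         ("ios10_sha256", unstretched_verifier)):
        stored = verify(target)  # what an attacker would lift from the backup
        found, tried, secs = brute_force(stored, verify, wordlist)
        results[name] = {"found": found, "tried": tried,
                         "rate": tried / max(secs, 1e-9)}
    results["speedup"] = (results["ios10_sha256"]["rate"]
                          / results["ios9_pbkdf2"]["rate"])
    return results


if __name__ == "__main__":
    r = compare_attacks()
    for name in ("ios9_pbkdf2", "ios10_sha256"):
        print(f"{name:13s} found={r[name]['found']!r} after {r[name]['tried']} "
              f"guesses at ~{r[name]['rate']:,.0f} guesses/s")
    print(f"unstretched check is ~{r['speedup']:,.0f}x cheaper to attack")
```

Both runs find the password after exactly the same number of guesses; the unstretched check is simply orders of magnitude faster per guess, which is the whole story behind the 2,400 versus 6,000,000 figures. The absolute numbers depend on the machine, but the ratio is what matters. This is also why the fix is an iteration count or a slow KDF on the verifier, not a change to the data encryption.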
Apple suggests that those who keep iOS backup data on a Mac use Apple's FileVault disk encryption to add another layer of protection. Note the limits of that advice: FileVault protects the backup files at rest on a powered-off or locked machine, but it does nothing for a copy of the backup that an attacker has already obtained. Against the weakness described here, the effective mitigation until the fix ships is a long, random backup password.
"We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC. We are addressing this issue in an upcoming security update. This does not affect iCloud backups. We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption."-Apple spokesman
source: Elcomsoft via Fortune