Beware: Hackers Can More Easily Steal Your Passwords With Apple’s iOS 10

Apple's new iOS 10 operating system comes with a potential security hole that could help hackers get access to passwords and other sensitive information, a security company said on Friday.

The software includes a new way to encrypt iPhone backups created through iTunes that gives hackers a far greater chance of obtaining a target's passwords than the previous version of iOS, Russian password-retrieval company Elcomsoft said on Friday. Hackers could use a brute force attack—a technique that involves automatically trying different password combinations—to crack the passwords users choose for their iOS 10 backups, steal credit card data, and infiltrate Apple's Keychain password manager, a digital vault where user store passwords and other authentication data.

According to Elcomsoft, hackers who use its password-cracking software, Phone Breaker, can send six million passwords per second at the iOS 10 backup to try to unlock the data. In Apple's iOS 9, which launched last year, encryption capped those attempts at 150,000 passwords a second.

The difference makes it 2,500 times easier for hackers to obtain a password with iOS 10, according to Elcomsoft.

The flaw relates only to manual iPhone and iPad backups that users start via iTunes and not through Apple's cloud-based repository iCloud.

Finding ways to access an iPhone and steal user data can be nearly impossible without knowing a user's password, as shown by the FBI effort to enlist Apple's help in opening San Bernardino shooter Syed Farook's iPhone earlier this year. Until iOS 10, Apple had made iOS tougher for hackers to break into devices in each successive version.

In its statement about the security flaw, Elcomsoft said that the best way for hackers to get into an iOS device is by accessing the computer on which the iPhone or iPad backup is stored, a method it calls "logical acquisition." Then, users can employ brute-force attack software that tries millions of password combinations each second.

"If you are able to break the password, you’ll be able to decrypt the entire content[s] of the backup including the keychain," Elcomsoft said of the hack

At the root of the problem—and arguably the biggest question mark in this scenario—is Apple's decision to change how it encrypts backups made through iTunes. Apple used a password-protection algorithm in iOS 10 known as PBKDF2 instead of the alternative known as SHA256 that it employed in iOS 9. According to Per Thorsheim, a security adviser at security firm God Praksis, PBKDF2 is older and allows for password-cracking software to attack it more rapidly. And since the same 10,000 passwords are used for about 30% of accounts, brute-force password-crackers like Elcomsoft Phone Breaker can obtain a user's backup password and get access to data in 80% to 90% of cases if the software runs for just two days and is up against the PBKDF2 encryption algorithm.

Now, security experts and those worried about privacy are wondering why Apple made the change. Thorsheim, for instance, wondered whether "this massive weakening of your security and privacy is intentional, if it is a stupid glitch," or if Apple's developers made a mistake.

For its part, Apple told Fortune in a statement that it planned to fix the problem. The company added that Mac users who have iTunes backups stored on their devices can use Apple's FileVault disk-encryption software to add another layer of protection to their iPhone and iPad backups.

"We're aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC," the spokesman said. "We are addressing this issue in an upcoming security update. This does not affect iCloud backups. We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.”