Apple’s new iOS 10 operating system makes it easier for hackers to steal users’ passwords, according to a report from Fortune.
In fact, it makes it about 2,500 times easier due to a security hole, according to Elcomsoft, a Moscow-based security company.
According to Elcomsoft, iOS 10’s backups are very susceptible to a “brute force attack,” in which hackers automatically try one password after another until they find the right one. This security hole could allow hackers to steal credit card data, infiltrate backups and access Apple’s Keychain password manager, where passwords and other authentication data are stored.
“When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2,500 times faster compared to the old mechanism used in iOS 9 and older,” according to an Elcomsoft blog post on the subject.
Elcomsoft said that its password-cracking software program, Phone Breaker, was able to try 6 million passwords per second against an iOS 10 backup in an effort to unlock it, compared to 150,000 passwords per second against iOS 9.
“If you are able to break the password, you’ll be able to decrypt the entire content[s] of the backup, including the Keychain,” according to Elcomsoft.
Apple told Fortune in a statement that it was aware of the security hole and actively working to fix it.
“We’re aware of an issue that affects the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC,” according to Apple. “We are addressing this issue in an upcoming security update. This does not affect iCloud backups. We recommend users ensure their Mac or PC are protected with strong passwords and can only be accessed by authorized users. Additional security is also available with FileVault whole disk encryption.”