If you’re using the backup encryption method introduced in iPhone OS 3.0 and your password is something like “cat”, “sex”, or “tetherball”, you should probably change it to something a bit more complicated. There be hackers wantin’ your goods!
Password recovery software company ElcomSoft has just released an iPhone backup cracking tool called iPhone Password Breaker.
Now, now – don’t panic. Unlike yesterday’s exploit, this isn’t some new security hole to worry about. In fact, it’s a tale as old as hacking itself: good ol’ fashion bruteforce.
The iPhone Password Breaker application is dictionary-based, meaning it gains access by cycling through a massive dictionary of words and common passwords (like the aforementioned “cat”, “sex”, and “tetherball”) and their variations (such as “c4t”, “s3x”, and “t3th3rb4ll”) until it finds the right one.
As I mentioned, this method is by no means anything new – dictionary attacks are the oldest and most rudimentary form of hacking. Ever try to guess your friends password by typing in random things you’d associate with them? That’s a dictionary attack – just with a much smaller dictionary.
However, this is the first time to our knowledge that someone has built a dictionary application specifically targeting the iPhone’s backup manifest file. As long as you play it safe (use good passwords, keep your backups secure), you should be fine – just know that such tools exist now.