A weakness in how Apple's new iOS 10 mobile operating system protects backups leaves them vulnerable to brute-force password guessing, according to a Russian computer forensics firm.
Elcomsoft developer Oleg Afonin said his company had discovered an alternative password verification mechanism added to backups that skips certain security checks in Apple's new mobile operating system.
Security researcher Per Thorsheim suggested Apple had swapped out the prior password-based key derivation function 2 (PBKDF2) with SHA1 - which uses 10,000 iterations to obfuscate credentials - for a simpler algorithm.
iOS 10 now uses a single-iteration password protection function with 256-bit SHA256. This has made brute-force credentials cracking significantly easier, the researcher said.
Afonin said Elcomsoft exploited the weakeness to test passwords much faster than it could with iOS 9.
"The impact of this security weakness is severe. An early CPU-only implementation of this attack gives a 40-times performance boost compared to a fully optimised graphics processing unit-assisted attack on iOS 9 backups," Afonin wrote.
By acquiring backups stored on target computers in iTunes, it is possible to crack the password and extract and decrypt Apple's Keychain credentials storage data for access to authentication details kept in the system.
Apple said it was aware of the issue and would release an update for the problem.
The company pointed out that the flaw does not affect iOS backups stored in the iCloud storage service, and recommended users apply additional security with the FileVault whole-disk encryption feature.