Apple is to issue an update for a security vulnerability in iOS 10 that could give hackers access to passwords and other security data.
The company said it added an alternative password verification mechanism to iOS 10, inadvertently weakening the security of local backups.
Elcomsoft, a company which produces iPhone probing tools, claims to have discovered a “major security flaw” in the iOS 10 backup protection mechanism.
Security researcher Per Thorsheim said the new mechanism uses a simpler algorithm than the previous one, Password-Based Key Derivation Function 2 (PBKDF2) with SHA-1 (Secure Hash Algorithm 1), which uses 10,000 iterations to obscure credentials.
Elcomsoft claims to have exploited the weakness to develop an attack that is able to bypass certain security checks when enumerating passwords protecting local iTunes backups made by iOS 10 devices.
Elcomsoft’s Oleg Afonin wrote in a blog post: “The impact of this security weakness is severe. An early CPU-only implementation of this attack gives a 40-times performance boost compared with a fully optimised GPU-assisted attack on iOS 9 backups.”