Researchers hack iOS passwords in under six minutes

February 10, 2011, 3:51 PM
German researchers at Fraunhofer SIT have managed to reveal passwords stored in a locked iPhone in under six minutes, without having to crack the phone's passcode. The 256-bit encryption protecting the passwords stored in the device's keychain was not broken; rather, that encryption is independent of the personal password, which is actually supposed to protect access to the device. The attack, which also works on iPads, is worrying for those who rely on a passcode to lock their iPhones.

While the attack requires possession of the device since it targets the individual keychain, it could still be particularly problematic if an attacker stole an iPhone or iPad that was tied to a corporate network. Companies should educate their staff accordingly and introduce appropriate emergency procedures: not only should employees who have lost their iPhone change all their passwords, but the company should change the respective network identifications as quickly as possible as well. Fraunhofer SIT summarized their researchers' work in a video:

The researchers removed the device's SIM card, used existing exploits to jailbreak the device, installed an SSH server on it that allowed them to run queries, and then executed third-party software on the phone to copy over a script that would access the keychain. The method can reveal passwords for Exchange, Gmail, LDAP accounts, voicemail, VPN, Wi-Fi, and even some third-party apps. Once control of an e-mail account has been gained, the attacker can acquire additional passwords because many web services simply require a password reset request. Any device using the iOS operating system can be attacked in this way, regardless of what password the user chooses.

Many believe that smartphone device encryption provides sufficient security. "This opinion we encountered even in companies' security departments," Jens Heider, technical manager of the Fraunhofer SIT security test lab, said in a statement. "Our demonstration proves that this is a false assumption. We were able to crack devices with high security settings within a very short time. This reveals how well the security concept has been adapted to the mobile challenge."





User Comments: 20

TorturedChaos, TechSpot Chancellor, said:

Wow that's kinda sad.

Ahmed90 said:

there are bugs, flaws and weaknesses in everything especially technology

Guest said:

I'm an apple fanboy.

iOS is truly popular. Popular than global warming. Thanks for these researchers now apple can close the holes and claim iOS is more secured. Just read toms, iOS is more secured than Android.

I'm an apple fanboy.

aj_the_kidd said:

Guest said:

iOS is truly popular. Popular than global warming.

Truly words of wisdom

I do agree iOS is more secure though

emzdhr said:

Guest said:

I'm an apple fanboy.

iOS is truly popular. Popular than global warming. Thanks for these researchers now apple can close the holes and claim iOS is more secured. Just read toms, iOS is more secured than Android.

I'm an apple fanboy.

that is sad.. that you think iOS is more secured than Android..!!

Apple sucks, and they drain your money.. try other products.. and you'll know what a dark world you were living in..!!

princeton said:

You guys are aware that the comment he made was obviously sarcastic and satire of apple fanboys.

aj_the_kidd said:

Ignoring the comments about popularity, Guest's comments are true, aren't they? When Apple fixes these security flaws Apple will be more secure and also more importantly isn't iOS more secure than Android ATM?

princeton said:

Ignoring the comments about popularity, Guest's comments are true, aren't they? When Apple fixes these security flaws Apple will be more secure and also more importantly isn't iOS more secure than Android ATM?

iOS itself isn't more secure. Everything in android runs sandboxed so you can't really deem it as insecure. Also the sheer amount of exploits used to jailbreak should show how poor the iOS security really is. It's the app approval process that keeps away malicious software.

aj_the_kidd said:

Good to know. Not that I am arguing but considering the large number of iPhone users most developers/hackers would concentrate their attentions on iOS rather than Android, thus be able to find flaws more easily through sheer numbers.

Guest said:

Whether it be IOS, Android, Windows, OSX, Linux, etc., there are vulnerabilities in all.

The only secure OS is the one that isn't booted.

The more we rely on mobile devices the more we have to assume that someone will be able to get info from our devices and act accordingly when it comes to the kind of data we have on our devices.

-****

Guest said:

....but its an iphone......

matrix86 said:

aj_the_kidd said:

Good to know. Not that I am arguing but considering the large number of iPhone users most developers/hackers would concentrate their attentions on iOS rather than Android, thus be able to find flaws more easily through sheer numbers.

Hackers do actually think about what they are doing. iOS may have more users, but the app market is VERY strict. Hackers would rather go for a mobile OS that has a loose app store because it makes their job that much easier. That's part of the reason you see more hackers for Windows OS. It has a bigger user base, but it's also more loose than the Mac OS. The good thing about Windows is how customizable it is, but that's also its downfall. People download themes and apps that aren't strictly monitored. And yes, this is coming from a Windows guy.

So what I'm really getting at here (before we start a Windows vs Mac war, lol) is that Apple doesn't get hacked as often because of how strict they are. People hate it, but it's really a good thing. So it has its ups and downs. Although, if you use your device like someone who has even half a brain, you'd never get infected because you wouldn't be putting random crap on from random websites anyway.

Archean, TechSpot Paladin, said:

aj_the_kidd said:

I do agree iOS is more secure though

I can't call these 'words of wisdom' because I don't think it is any better secured than others, however, I will give you one thing, it is a much more 'polished' solution when compared to all the competition around.

aj_the_kidd said:

Archean said:

aj_the_kidd said:

I do agree iOS is more secure though

I can't call these 'words of wisdom' because I don't think it is any better secured than others, however, I will give you one thing, it is a much more 'polished' solution when compared to all the competition around.

We will have to agree to disagree

Guest said:

Ha! I did it in 35 seconds without jailbreaking it. I had to threaten the owner with imminent demise though.

Same technique took only 28 seconds with an android phone.

Guest said:

Whatever happened to Apple devices don't get viruses? Before all the mac fanboys would say it was immune to viruses and unhackable, now that apple has sold a lot more products, exploits, hacks, viruses have become a lot more common.

Guest said:

I'm an Apple Fanboy.

Just read this to those who think Android is more secure than iOS.

http://www.tomsguide.com/us/ios-android-security,review-1623.html

iOS pawned Android! But I think it's just user's preference. If you like iOS then hate Android. If you own an Android phone, you'll hate iOS.

I'm an Apple Fanboy.

Archean, TechSpot Paladin, said:

Interesting read, though it only reinforced my earlier assertion that iOS is a more polished solution. But if someone is not careful well, security is just a pipe dream.

Guest said:

Hence RIM will win for people who [know] ... Muahahahahaha.

*all these [fanbois]*

olibenu said:

Guest said:

Whether it be IOS, Android, Windows, OSX, Linux, etc., there are vulnerabilities in all.

The only secure OS is the one that isn't booted.

even that might soon change!
