Simple Hack Makes iPhone Passwords Useless
Even with an encrypted password that only you know, a hacker could access your iPhone password. In six minutes.
Security researchers at the Fraunhofer Institute for Secure Information Technology (SIT) have developed a technique to access passwords on any device running Apple's iOS software, including iPhones and iPads.
Only people who lose or misplace their iPhone or iPad are vulnerable, as the hack can be carried out only with the device in hand, and not remotely over a Wi-Fi network.
The hack involves jailbreaking the device using existing software tools and then copying a specially crafted script to the phone that exploits Apple's keychain password management system to reveal user passwords. The technique circumvents the need to enter the phone's protected passcode.
Researchers Jens Heider and Matthias Boll outlined their attack method in a paper yesterday (Feb. 9) titled Lost iPhone? Lost Passwords! Practical Consideration of iOS Device Encryption Security. They also staged a YouTube video demonstration of how it's done.
Next time you think about leaving your phone in a public place for a few minutes, consider what could happen if it fell into the wrong hands.
An attacker would not need to know the user's passcode, nor would he need to exploit new vulnerabilities to reveal these secrets, Heider and Boll wrote. The results were taken from a passcode- protected and locked iPhone 4 with current firmware 4.2.1. The overall approach takes six minutes, which might provide an additional opportunity for an attacker to return the device to the owner to cover the revealing of passwords.
Although the researchers were able to easily obtain the iPhone's password, certain passwords stored in the phone remained protected, including ones for Google Mail, Safari, Yahoo and AOL Email.