Lost your iPhone but think you are safe, and pretty smart, because you safeguarded it with password protection? Think again. Researchers in Germany report they’ve been able to reveal passwords stored in a locked iPhone in just six minutes, and without cracking the phone’s passcode.
In a new report and video, Jens Heider and Matthias Boll of the Fraunhofer Institute for Secure Information Technology show how a stolen iPhone can be quickly hacked, and the attacker given access to keychain, Apple’s password management system, and a huge cache of sensitive information.
The good news is this is not a remote maneuver, so the attacker must have the actual iPhone in hand. The bad news? It can all happen so fast.
First, the attacker has to jailbreak the iPhone and, from there, install an SSH server to be able to run unrestricted programs. The researchers then created a “keychain access script” that they copied to the iPhone to decrypt and see the passwords saved in the keychain.
“As soon as attackers are in the possession of an iPhone or iPad and have removed the device’s SIM card, they can get a hold of e-mail passwords and access codes to corporate VPNs and WLANs as well,” the researchers said in a statement. “Control of an e-mail account allows the attacker to acquire even more additional passwords: For many web services such as social networks the attacker only has to request a password reset. Once the respective service returns the new password to the user’s e-mail account, the attacker has it as well.”
The attack works, the researchers found, because the cryptographic key on current iOS devices is independent of the passcode, giving attackers the ability to create the key without having to hack the phone’s encrypted and secret passcode.
Among passwords that could be revealed were those for Google Mail, MS Exchange accounts, LDAP accounts, voicemail, VPN passwords, WiFi passwords and some App passwords. The researchers also published a paper with full details of the attack’s results.
News of the privacy breach comes on the heels of a report from security firm McAfee that mobile malware threats were up 46 percent in 2010. The company said that it expects “cybercriminal activity” in the mobile market to surge this year.
And, as PC World reports, “The attack has particular significance for companies that allow employees to use iPhones on corporate networks, because it can reveal network access passwords.”
So what can you do to protect yourself, or your job, if your iPhone is lost or stolen?
Unfortunately, not much, except for one, simple step, straight from the researchers: change all of your stored passwords immediately. And, make sure to change your passwords for even those accounts not stored on your phone, but that may include similar, or the same, passcodes.