Security Flaw Reveals Passwords on Locked iPhones


Security researchers in Germany have discovered a security flaw that could potentially give hackers access to passwords stored on iPhones even if the devices are protected with a password lock. The exploit requires physical access to the iPhone, and took the researchers only six minutes to execute, according to PCWorld.

The security flaw was discovered by the Fraunhofer Institute for Secure Information Technology.

Exploit exposes passwords on locked iPhones

“As soon as attackers are in the possession of an iPhone or iPad and have removed the device’s SIM card, they can get a hold of e-mail passwords and access codes to corporate VPNs and WLANs as well,” the research team said.

According to the research team, they were able to access passwords for Gmail accounts, Microsoft Exchange accounts, LDAP, VPN logins, voicemail, applications and Wi-Fi networks.

The hack involves jailbreaking the iPhone, then installing an SSH server. These tasks aren’t beyond an experienced user’s skill set, but average users may not be interested in undertaking them.

Since the attack works on iPhones that are protected with passcodes, this isn’t something that a hacker is likely to try with the victim around. Instead, this is an attack that will more likely happen after an iPhone has been lost or stolen.

The security team advises that “Owners of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords” to protect against this potential attack.

Apple hasn’t commented on the exploit or said if a patch is in the works.

Comments

Joshua

Let’s see if I understood. One steals an iPhone from someone. This iPhone is full of data the person wants to steal. The iPhone is not jailbroken. Then the thief jailbreaks the iPhone and installs SSH. But wait, if I am not wrong, jailbreaking the iPhone will erase the data the thief wants to crack. So, unless the phone is already jailbroken, this security hack is bull. One more reason to keep the device as shipped by Apple.

iVoid

I believe some of the jailbreaks today can jailbreak without erasing the phone.

daemon

Jailbreaking doesn’t erase data.

paikinho

Whoops, Apple has more work to do.

Lee Dronick

Soon you will need a pentalobe driver to remove the SIM card.

The Skeptic

Interesting stuff. Good work from the researchers.  Work like this is a great benefit to all iPhone users.

It should be noted that this does not affect all passwords - only those that are stored in the keychain class.

Actions for Apple:

1) (Temporary) Correct the security hole that allows the jailbreak
2) (Permanent) Correct the encryption for the keychain class to be keyed from the password in addition to the stored key on the device.
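
A simplified model of the distinction drawn in the comment above, added here as an illustration; it is not part of the original thread and is not Apple's actual key hierarchy. The function names, the two sample items and the passcode `4921` are constructed. It shows why an item sealed under a key derived from the device key alone can be opened by any code running on the device, while an item whose key also mixes in the stretched passcode stays sealed:

```python
import hashlib
import hmac
import os

def class_key(device_key, passcode, salt):
    """Derive a protection-class key (simplified model, not Apple's scheme).

    passcode=None: keyed from the device key alone.
    passcode set:  the stretched passcode is mixed in with the device key.
    """
    if passcode is None:
        material = b"device-only"
    else:
        material = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 50_000)
    return hmac.new(device_key, material, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a stand-in cipher for the demo.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, secret):
    enc, mac = (hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(enc, nonce, len(secret))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = (hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key: the item stays sealed
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

def demo():
    device_key, salt = os.urandom(32), os.urandom(16)  # constructed values
    store = {
        "wifi (device key only)": seal(class_key(device_key, None, salt), b"constructed-wifi-psk"),
        "mail (device key + passcode)": seal(class_key(device_key, "4921", salt), b"constructed-mail-pw"),
    }
    # Code running on the device holds device_key but was never given the passcode.
    no_passcode = class_key(device_key, None, salt)
    return {name: unseal(no_passcode, blob) for name, blob in store.items()}

if __name__ == "__main__":
    print(demo())
```
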

RonMacGuy

Sir Harry, you are truly a Smart a$$!!  LMAO.

hughster

Whoops, Apple has more work to do.

There is no such thing as perfect security. What work do you think Apple should do? Increase protection against jailbreaking (because that’s the weak link in this particular chain)?

2) (Permanent) Correct the encryption for the keychain class to be keyed from the password in addition to the stored key on the device.

Sounds sensible, but I doubt if the encryption is that strong to start with.

Lee Dronick

Sir Harry, you are truly a Smart a$$!! LMAO.

“And thus I clothe my naked villainy
With old odd ends, stol’n forth of holy writ;
And seem a saint, when most I play the devil.”

RonMacGuy

Sir Harry,

“This above all: to thine own self be true”

Me thinks you are true to thine own self!!

Lee Dronick

Me thinks you are true to thine own self!!

“Well said, that was laid on with a trowel”

Getting late and need to be abed “our little life
Is rounded with a sleep.”

RonMacGuy

“To sleep, perchance to dream.”

Goodnight, Sir Harry.  Sweet dreams.  Cuddle up with your pentalobe driver…

paikinho

There is no such thing as perfect security. What work do you think Apple should do? Increase protection against jailbreaking (because that’s the weak link in this particular chain)?
————
You are correct, there is no perfect security. Not sure what Apple should do about it. But it is bad PR when an article comes out about your device titled “Security Flaw Reveals Passwords on Locked iPhones”

Bad for business, they are going to have to do something or perpetually be known as the company which produces devices with a security flaw that reveals passwords. They will have to put in place some other sort of barrier to rooting their phones.
I am not a security expert, but I do understand that people will want to stay away from a device that has a security flaw that can lead to mining their personal info and passwords. People are funny that way.

RonMacGuy

I am not a security expert, but I do understand that people will want to stay away from a device that has a security flaw that can lead to mining their personal info and passwords.

Funny paikinho, that hasn’t stopped people from using Microsoft Windows, Microsoft Office, Internet Explorer, android phones, or Adobe Flash…

Slam!!

hughster

It’s perception rather than reality. In the case of Windows, I think that the low standards displayed by Microsoft over the years have resigned users to the belief that “it’s a computer, therefore it can be infected by viruses”. If security had been a prime design concern from the start, things might have been otherwise. Smartphones are a relatively new concept, and the idea of hacking phones is a strange one to many people. Apple is probably the most visible single brand out there in the smartphone market and therefore attracts the most attention.

As a PS, remember that it’s possible to wipe your phone remotely with the Find my iPhone service. If you can wipe it before the bad guys get to it,  then your data’s safe.

paikinho

Funny paikinho, that hasn’t stopped people from using Microsoft Windows, Microsoft Office, Internet Explorer, android phones, or Adobe Flash…
————
But Apple doesn’t want to be like any of those items you mention. Nor do they have to be. They can provide better security for people. That’s why I was saying above that they need to do some more work. I think they haven’t made a serious effort to quash all jailbreaking. It hasn’t been a priority.

Their closed system helps them immensely with security efforts. They have more control over both their hardware and software than most of the free range cows out there.

rwahrens

Interesting.

However, the story fails to explain how they get access to the phone to be able to jailbreak it in the first place if it is password protected.

IF that means that the password protection on the phone is compromised, that is a bigger story than the one they are breaking.

After all, if they can access it to jailbreak it, then they’ve got access to whatever info on the phone they wish anyway, right?  And of course, if it ISN’T password protected, then they’ve got full access in the first place.

Not enough information to know what is really taking place here.

Lee Dronick

Cuddle up with your pentalobe driver

I would rather cuddle with Minnie Driver, but alas no such luck. :)

And of course, if it ISN’T password protected, then they’ve got full access in the first place.

How many of us iPhone users password protect? I don’t, my wife doesn’t, but we are not using them in the “enterprise.” I occasionally use my bank’s app to check the account, but I don’t store the password, same with the AT&T app. Pretty much the thieves would just be getting email passwords.

RonMacGuy

Since I now have my Verizon iPhone, it is pretty much in my hand or in my pocket during waking hours. If it is ever stolen, I will immediately log into MobileMe and wipe the iPhone clean remotely. May not be in time, of course, or they may power it down, but I think MobileMe would wipe it clean once they turn it back on.  In any event, I would do my best to clear the data off, and also to start changing passwords in systems that they may steal.  I don’t think it would be a huge deal.

RonMacGuy

But Apple doesn’t want to be like any of those items you mention. Nor do they have to be. They can provide better security for people.

“Nor do they have to be?”  Actually, they kind of have to be.  Nature of the beast.  Does their closed system help?  Maybe.  Can they do more to provide better security?  Maybe.  But like it or not, it’s all microprocessors and memory and data.  Like it or not, someone out there is smart enough to break into anything.  No prison is inescapable.  No bank is unrobbable.  No security system is infallible.  No computer is unhackable.  Question is, how smart is the guy who steals your iPhone?

paikinho

True.

But by controlling more of their system they can make it harder. People tend to pick the low hanging fruit first.

I am aware that total security is impossible because people are creative.

My original point is simply that if there is some sort of gaping security hole and with it being broadly announced to the world, they need to do something to remediate the problem as stated in the article.

Nothing is perpetual or permanent. But part of the aura of Apple for good or bad is that it has an edge in security. To maintain such a thing they have to address issues that become widely advertised.

As to how smart is the guy who steals your iPhone, I don’t think the average person would be very smart in hacking a phone which is password protected, but by jailbreaking it, what can a thief get at?

Another question would be will there be groups of people who would target the devices to get at user data? Seems unlikely, but people are creative and who knows why people will or won’t do something.

Anyhow I think password protecting one’s devices is about all one can do at this point. Trying to remote kill your data would be another thing. Or maybe not keeping really sensitive data on a phone would be best.

Lee Dronick

Anyhow I think password protecting one’s devices is about all one can do at this point. Trying to remote kill your data would be another thing. Or maybe not keeping really sensitive data on a phone would be best.

I suppose that it is possible to use the email account on a jailbroken iPhone to request a new password for say a bank or credit account. Then they could transfer funds or make credit card purchases.

I have to make a judgmental statement. A responsible security researcher, one who acts like an adult, would not go public with this info. You notify Apple, or whomever, and let them take care of it. I have seen in the release notes where Apple thanks someone for discovering and reporting a flaw that was fixed, that is your reward. That is my opinion, yours may vary.
