iPhone theft is a subject that concerns all of us, and now a group of German researchers have managed to increase our concerns. Researchers at the he Fraunhofer Institute Secure Information Technology (Fraunhofer SIT) recently published a YouTube video showing that they can reveal passwords stored in a locked iPhone in just six minutes – without cracking the phone’s pass-code.
According to the video all you need to do this, once you have the iPhone, is to start attacking the key-chain – the password-management system.
So how do they do it?
Using already available tools, they first start with a jailbreak – so you just need to download the ‘proper’ tools and you are ready – then install an SSH server on the iPhone that allows software to be run on the phone.
‘PC World’ reports that then it is possible to write a script that uses the system functions already in the phone to access the key-chain entries and then finally output all the discovered account details to the attacker.
The hacker can access all this information because the cryptographic key on iOS devices is based on material available within the device, and has nothing to do with the pass-code. The German researchers were able to reveal passwords for Google Mail, MS Exchange account, LDAP accounts, voice-mail, VPN passwords and some App passwords.
The researchers stated:
As soon as attackers are in the possession of an iPhone or iPad and have removed the device’s SIM card, they can get a hold of e-mail passwords and access codes to corporate VPNs and WLANs as well. Control of an e-mail account allows the attacker to get even more additional passwords. For many web services such as social networks the attacker only has to request a password reset.
To say that this information is frightening is an understatement. The information they have published and revealed in their video is credible – but we must not forget that Fraunhofer SIT have a Java phone application on sale – and guess what – the application just happens to store passwords securely. Whatever their motives, the best advice is to make sure your iDevice does not go out of your sight for a single second – and definitely not six minutes!