Daily cyber threats and internet security news: network security, online safety and latest security alerts
February 11th, 2011

Locked iPhone Allows Passwords Theft And Decryption

German security researchers have demonstrated that passwords stored on a stolen or lost iPhone can be retrieved in around six minutes even if the device is locked.

Researchers Jens Heider and Matthias Boll from the Fraunhofer Institute for Secure Information Technology (SIT) have published a paper and a video demonstration of their findings.

To get access to the phone and unlock access to the file system, the hackers used publicly available jailbreaking tools. They then uploaded a specially designed script able to scrape passwords stored in the device’s keychain. The passwords were decrypted using OS functions.

The extracted passwords corresponded to website accounts from Safari, Yahoo! Mail, Google Mail, WiFi, voicemail, MS Exchange, IMAP, LDAP, VPN and other services.

The purpose of the research was to demonstrate that stolen or lost iPhones can pose security risks not only to data stored on the device itself, but also to external services. Furthermore, the iOS device encryption feature gives users a false sense of security, because in reality this protection mechanism can be easily bypassed.

“Owners of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords,” the researchers advise. “Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts,” they add.

As far as companies are concerned, when losing an iOS device they should consider immediately revoking VPN and wireless passwords. The remote wipe functionality might also be used.

The two researchers judge their attack’s complexity as low, because they used tools freely available on the Internet and creating the script only required moderate programming skills.

Credit: News
