The German Fraunhofer Institute has made the demonstration of the (relative) simplicity with which it is possible to retrieve passwords stored on an iPhone that has been lost or stolen. Data, figures, supposedly inaccessible to anyone other than the owner of the unit. Alone with the password unlocking the device.
The manipulation was done in less than ten minutes on an iPhone, initially non-jailbroken, protected by a password and user features iOS 4.2.1. Blocked before the application password, the thief will start by jailbreak the device. Then access the file system and drop off a script can open access to the keychain containing the password. These can then be displayed in clear: those of mail accounts, access Wi-Fi, VPN, Exchange accounts, etc..
The researchers arrived at their ends when they realized that the encryption key keychain containing the password was not connected to the secret code to unlock the iPhone.
This is the operating system that manages the key, and so he was attacked after the iPhone has been restarted, but bypassing the stage of PIN. The script developed (not detailed) is a direct appeal to the standard system commands to open the keychain iOS and spared an arduous, if not futile, attempt to decipher its contents. The whole can be completed in six minutes when the procedure is well settled.
Some passwords, like those sites, however require to know the secret code of the user. However, since his email accounts are wide open, it will be easy to ask for new passwords to the sites concerned and get hacked via email.
The institute aims to highlight the fact that a function of data encryption is not a comprehensive insurance. The fact also that some technical choices are a compromise between a desire to make the system reliable, and the user is not harassed by requests for password all the time. It is also to educate businesses on procedures when equipment is reported stolen. Such as changing passwords potential targets as soon as possible. Finally, the Institute says that this behavior is perhaps not specific to iOS.[via BGR]
For more coverage on iHelplounge:
- Follow us on twitter
- Become a Fan on Facebook
- Subscribe to our Feed
Subscribe to our YouTube Channel