Researchers expose locked iPhone passwords in six minutes
Amrit Naresh · 11 Feb 2011, 17:03
Published: 11 Feb 2011 17:03 GMT+01:00
Jens Heider, one of the authors of a research paper published this week, said Apple’s iPhone and iPad are not as secure as commonly thought.
“We want to point this out because these devices are advertised as having full encryption,” Heider told The Local on Friday.
“If you have a device where no encryption is advertised, you know what to expect. But with the iPhone, the user expects all data to be secure – and we want to show that in certain circumstances, this is not the case.”
The researchers exposed the vulnerability of iOS (the operating system used by the iPhone and iPad) using a method they said any person with moderate programming skills could exploit.
The target of the attack was Apple’s “keychain,” a database which contains all passwords entered on the device. The researchers demonstrated the attack’s three basic steps in a video.
The researchers first gained access to the file system using a jailbreaking tool, which allows the user to bypass restrictions originally installed by Apple – providing access to all files, including the keychain database.
“We did not need to know the device’s passcode,” Heider said. “The passcode does not encrypt the data contained on the device, so the jailbreaking tool gave us direct access to the keychain.”
Then the researchers copied a keychain access script to the device. The script uses information already available on the device to access the keychain entries, making it unnecessary to crack the encryption mechanism protecting it.
The last step was to execute the script, which outputs a database of all information found on the device.
The entire process took the researchers six minutes to complete.
“All someone needs to steal your information is your iPhone, a USB cable, a jailbreaking tool and some technical understanding of how the device works,” Heider said.
The test results revealed what information is available to potential hackers.
Passwords contained in the keychain, such as those for Google Mail set up as an MS Exchange account, LDAP accounts, voicemail, WiFi and VPN, were found to be vulnerable, while passwords in higher protection classes (such as passwords for websites) were not.
The corporate world is especially susceptible to an attack, Heider said, because everything from sensitive e-mail passwords to corporate network access codes is at risk.
No technology exists yet to prevent this sort of attack.
“The bad news is the only way to defend against it is to respond quickly and diligently once an iPhone is reported lost or stolen,” he said. “All sensitive passwords must be changed immediately to minimize potential damage.”
Heider added that the iPhone’s vulnerability is less the result of a design flaw than of Apple’s attempt to trade security for convenience of use.
“The designers want the convenience that when you boot the device up, it already contains all your information, so it can automatically connect to email and network servers, even before the user has entered the passcode,” he said.
“If certain network codes were put in a higher security class, they would be safe, but the user would thereby sacrifice the convenience of an immediate connection. There remains the possibility of letting the user decide if he wants security or convenience, but for most devices this is not yet available.”