Researchers expose locked iPhone passwords in six minutes

Amrit Naresh · 11 Feb 2011, 17:03

Published: 11 Feb 2011 17:03 GMT+01:00

Jens Heider, one of the authors of a research paper published this week, said Apple’s iPhone and iPad are not as secure as commonly thought.

“We want to point this out because these devices are advertised as having full encryption,” Heider told The Local on Friday.

“If you have a device where no encryption is advertised, you know what to expect. But with the iPhone, the user expects all data to be secure – and we want to show that in certain circumstances, this is not the case.”

The researchers exposed the vulnerability of iOS (the operating system used by the iPhone and iPad) using a method they said any person with moderate programming skills could exploit.

The target of the attack was Apple’s “keychain,” a database which contains all passwords entered on the device. The researchers reached it in three basic steps, which they demonstrated in a video.

The researchers first gained access to the file system using a jailbreaking tool, which allows the user to bypass restrictions originally installed by Apple – providing access to all files, including the keychain database.

“We did not need to know the device’s passcode,” Heider said. “The passcode does not encrypt the data contained on the device, so the jailbreaking tool gave us direct access to the keychain.”

Then the researchers copied a keychain access script to the device. The script uses information already available on the device to access the keychain entries, making it unnecessary to crack the encryption mechanism protecting it.

The last step was to execute the script, which outputs a database of all information found on the device.

The entire process took the researchers six minutes to complete.

“All someone needs to steal your information is your iPhone, a USB cable, a jailbreaking tool and some technical understanding of how the device works,” Heider said.

The test results revealed what information is available to potential hackers.

Passwords contained in the keychain, such as those for Google Mail set up as an MS Exchange account, LDAP accounts, voicemail, WiFi and VPN, were found to be vulnerable, while passwords in higher protection classes (such as passwords for websites) were not.

The corporate world is especially susceptible to an attack, Heider said, because everything from sensitive e-mail passwords to corporate network access codes is at risk.

No technology exists yet to prevent this sort of attack.

“The bad news is the only way to defend against it is to respond quickly and diligently once an iPhone is reported lost or stolen,” he said. “All sensitive passwords must be changed immediately to minimize potential damage.”

Heider added that the iPhone’s vulnerability is less the result of a design flaw than it is an issue of Apple’s attempt to exchange security for convenience of use.

“The designers want the convenience that when you boot the device up, it already contains all your information, so it can automatically connect to email and network servers, even before the user has entered the passcode,” he said.

“If certain network codes were put in a higher security class, they would be safe, but the user would thereby sacrifice the convenience of an immediate connection. There remains the possibility of letting the user decide if he wants security or convenience, but for most devices this is not yet available.”
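The trade-off Heider describes corresponds to the accessibility attribute an iOS keychain item is created with. The following Swift sketch is an added example, not code from the article or from the researchers: it stores the same secret once in the class that is readable before passcode entry and once in a class tied to the unlocked state. The service and account names and the helper functions are hypothetical.

```swift
import Foundation
import Security

// Two of the Security framework's accessibility classes, named for this example.
enum Protection {
    case always        // readable as soon as the device has booted (the exposed case)
    case whenUnlocked  // readable only while the user has unlocked the device

    var attribute: CFString {
        switch self {
        case .always:       return kSecAttrAccessibleAlways  // deprecated in later iOS releases
        case .whenUnlocked: return kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        }
    }
}

// Lookup attributes shared by the store and read calls.
func identity(service: String, account: String) -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

// Stores (or replaces) a secret under the requested protection class.
func storeSecret(_ secret: String, service: String, account: String,
                 protection: Protection) -> OSStatus {
    let id = identity(service: service, account: account)
    SecItemDelete(id as CFDictionary)  // re-create so the requested class applies
    var item = id
    item[kSecValueData as String] = Data(secret.utf8)
    item[kSecAttrAccessible as String] = protection.attribute
    return SecItemAdd(item as CFDictionary, nil)
}

// Reads the secret back; nil with errSecInteractionNotAllowed means "device locked".
func readSecret(service: String, account: String) -> (String?, OSStatus) {
    var query = identity(service: service, account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var out: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &out)
    guard status == errSecSuccess, let data = out as? Data else { return (nil, status) }
    return (String(data: data, encoding: .utf8), status)
}

// Constructed sample values: the convenient choice, then the stricter one.
_ = storeSecret("example-vpn-secret", service: "example.vpn", account: "alice", protection: .always)
_ = storeSecret("example-vpn-secret", service: "example.vpn", account: "alice", protection: .whenUnlocked)
```

With the stricter class, a background connection attempted before the first unlock gets `errSecInteractionNotAllowed` instead of the secret, which is the lost convenience the quote refers to.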

Amrit Naresh (news@thelocal.de)

Your comments about this article

19:07 February 11, 2011 by moreanon
Hackers expose locked iPhone passwords in six minutes
20:32 February 11, 2011 by aldus
So has anyone actually READ the article and watched the video?

1. You MUST have physical possession of the phone.

2. They MUST jailbreak the phone

...keep track of your sh*t folks, and it won't be an issue.
03:39 March 5, 2011 by toshisan
I have an app; I can track the exact location and wipe the whole phone remotely.