iPhone Hacked and Passwords Stolen in Six Minutes

Saturday, February 12, 2011

Dan Dieterle


Apparently iPhone passwords may not be as secure as one might believe. According to German security researchers from the Fraunhofer Institute Secure Information Technology (Fraunhofer SIT), if you have physical access to the phone, passwords can be recovered from a locked Apple iPhone in six minutes.

But how is this possible? According to documentation on Fraunhofer’s site

When an iOS device with hardware encryption capabilities is lost or stolen, many users believe that there is no way for a new owner to access the stored data — at least if a strong passcode1 is in place. This estimation is comprehensible, since in theory the cryptographic strength of the AES256 algorithm used for iOS device encryption should prevent even well equipped attackers. However, it was already shown2 that it is possible to access great portions of the stored data without knowing the passcode.

Tools are available for this tasks that require only small effort. This is done by tricking the operating system to decrypt the file system on behalf of the attacker. This decryption is possible, since on current3 iOS devices the required cryptographic key does not depend on the user’s secret passcode. Instead the required key material is completely created from data available within the device and therefore is also in the possession of a possible attacker.

From the video (HERE) you can see the jailbreaking tool and script that Fraunhofer uses in action to access the secrets stored on the iPhone.  

Big deal, one might say, they can read my text messages. Well, with smart phones becoming a standard enterprise network client, theoretically one could retrieve the passwords used to access corporate networks with this utility.

According to the researchers site, all current iPhones and iPads are vulnerable to this attack.

It would seem that the dangers of leaving your laptop lying around now pertain to your smart phone too.

Cross-posted from Cyber Arms

Possibly Related Articles:
PDAs/Smart Phones
Apple Hacks iPhone Passwords Smart Phone jai
Post Rating I Like this!
Katie Weaver-Johnson Thanks for sharing this Dan. Just another example of why it is critical for organizations to have comprehensive policies in place regarding mobile devices, acceptable use and how to protect sensitive information ongoing. This is a great lesson learned to share with employees (and third-parties) to ensure they are implementing best practices for protecting mobile devices.
Dan Dieterle You are dead on Katie.

Many employees are in a rush to get mobile devices connected to the company network, but they do not understand the inherent risk.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.